---

{ “title”: “REVOKE”, “language”: “en” }

Description

The REVOKE command is used to:

1. Revoke specified privileges from a user or role.
2. Revoke specified roles previously granted to a user.

Syntax

REVOKE privilege_list ON priv_level FROM user_identity [ROLE role_name]

REVOKE privilege_list ON RESOURCE resource_name FROM user_identity [ROLE role_name]

REVOKE privilege_list ON WORKLOAD GROUP workload_group_name FROM user_identity [ROLE role_name]

REVOKE privilege_list ON COMPUTE GROUP compute_group_name FROM user_identity [ROLE role_name]

REVOKE privilege_list ON STORAGE VAULT storage_vault_name FROM user_identity [ROLE role_name]

REVOKE role_list FROM user_identity

Parameters

privilege_list

A comma-separated list of privileges to be revoked. Supported privileges include:

• NODE_PRIV: Cluster node operation permissions
• ADMIN_PRIV: Administrator privileges
• GRANT_PRIV: Authorization privileges
• SELECT_PRIV: Query privileges
• LOAD_PRIV: Data import privileges
• ALTER_PRIV: Modification privileges
• CREATE_PRIV: Creation privileges
• DROP_PRIV: Deletion privileges
• USAGE_PRIV: Usage privileges
• SHOW_VIEW_PRIV: Privileges to view view definitions

priv_level

Specifies the scope of the privileges. Supported formats:

• ..*: All catalogs, databases, and tables
• catalog_name..: All databases and tables in the specified catalog
• catalog_name.db.*: All tables in the specified database
• catalog_name.db.tbl: Specific table in the specified database

resource_name

Specifies the resource scope. Supports % (matches any string) and _ (matches any single character) wildcards.

workload_group_name

Specifies the workload group name. Supports % (matches any string) and _ (matches any single character) wildcards.

compute_group_name

Specifies the compute group name. Supports % (matches any string) and _ (matches any single character) wildcards.

storage_vault_name

Specifies the storage vault name. Supports % (matches any string) and _ (matches any single character) wildcards.

user_identity

Specifies the user from whom privileges are being revoked. Must be a user created with CREATE USER. The host in user_identity can be a domain name. If it's a domain name, the revocation of privileges may be delayed by about 1 minute.

role_name

Specifies the role from which privileges are being revoked. The role must exist.

role_list

A comma-separated list of roles to be revoked. All specified roles must exist.

Examples

1. Revoke SELECT privilege on a specific database from a user:

   REVOKE SELECT_PRIV ON db1.* FROM ‘jack’@‘192.%’;

2. Revoke usage privilege on a resource from a user:

   REVOKE USAGE_PRIV ON RESOURCE ‘spark_resource’ FROM ‘jack’@‘192.%’;

3. Revoke roles from a user:

   REVOKE ‘role1’,‘role2’ FROM ‘jack’@‘192.%’;

4. Revoke usage privilege on a workload group from a user:

   REVOKE USAGE_PRIV ON WORKLOAD GROUP ‘g1’ FROM ‘jack’@‘%’;

5. Revoke usage privilege on all workload groups from a user:

   REVOKE USAGE_PRIV ON WORKLOAD GROUP ‘%’ FROM ‘jack’@‘%’;

6. Revoke usage privilege on a workload group from a role:

   REVOKE USAGE_PRIV ON WORKLOAD GROUP ‘g1’ FROM ROLE ‘test_role’;

7. Revoke usage privilege on a compute group from a user:

   REVOKE USAGE_PRIV ON COMPUTE GROUP ‘group1’ FROM ‘jack’@‘%’;

8. Revoke usage privilege on a compute group from a role:

   REVOKE USAGE_PRIV ON COMPUTE GROUP ‘group1’ FROM ROLE ‘my_role’;

9. Revoke usage privilege on a storage vault from a user:

   REVOKE USAGE_PRIV ON STORAGE VAULT ‘vault1’ FROM ‘jack’@‘%’;

10. Revoke usage privilege on a storage vault from a role:

REVOKE USAGE_PRIV ON STORAGE VAULT ‘vault1’ FROM ROLE ‘my_role’;

Related Commands

• GRANT
• SHOW GRANTS
• CREATE ROLE
• CREATE WORKLOAD GROUP
• CREATE COMPUTE GROUP
• CREATE RESOURCE
• CREATE STORAGE VAULT

Keywords

REVOKE, WORKLOAD GROUP, COMPUTE GROUP, RESOURCE, STORAGE VAULT