docs/topics/impala_revoke.xml - impala - Git at Google

 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
 <!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
 <concept rev="2.0.0" id="revoke">

   <title>REVOKE Statement (<keyword keyref="impala20"/> or higher only)</title>
   <titlealts audience="PDF"><navtitle>REVOKE</navtitle></titlealts>
   <prolog>
     <metadata>
       <data name="Category" value="Impala"/>
       <data name="Category" value="DDL"/>
       <data name="Category" value="SQL"/>
       <data name="Category" value="Security"/>
       <data name="Category" value="Sentry"/>
       <data name="Category" value="Roles"/>
       <data name="Category" value="Administrators"/>
       <data name="Category" value="Developers"/>
       <data name="Category" value="Data Analysts"/>
       <!-- Consider whether to go deeper into categories like Security for the Sentry-related statements. -->
     </metadata>
   </prolog>

   <conbody>

     <p rev="2.0.0">
       The <codeph>REVOKE</codeph> statement revokes roles or
       privileges on a specified object from groups.
     </p>

     <p conref="../shared/impala_common.xml#common/syntax_blurb"/>

 <codeblock rev="2.3.0 collevelauth">REVOKE ROLE <varname>role_name</varname> FROM GROUP <varname>group_name</varname>

 REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
   FROM [ROLE] <varname>role_name</varname>

 <ph rev="3.0">
   privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>)
 </ph>
 <ph rev="3.0">
   object_type ::= TABLE | DATABASE | SERVER | URI
 </ph>
 </codeblock>

     <p>
       See <keyword keyref="grant"/> for the required privileges and the scope
       for SQL operations.
     </p>

     <p>
       The <codeph>ALL</codeph> privilege is a distinct privilege and not a
       union of all other privileges. Revoking <codeph>SELECT</codeph>,
         <codeph>INSERT</codeph>, etc. from a role that only has the
         <codeph>ALL</codeph> privilege has no effect. To reduce the privileges
       of that role you must <codeph>REVOKE ALL</codeph> and
         <codeph>GRANT</codeph> the desired privileges.
     </p>

     <p>
       Typically, the object name is an identifier. For URIs, it is a string literal.
     </p>

     <p rev="2.3.0 collevelauth">
       The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available
       in <keyword keyref="impala23_full"/> and higher. See
       <xref keyref="sg_hive_sql"/> for details.
     </p>

     <p conref="../shared/impala_common.xml#common/privileges_blurb"/>

     <p>
       Only administrative users (those with <codeph>ALL</codeph> privileges on the server, defined in the Sentry
       policy file) can use this statement.
     </p>
     <p>Only Sentry administrative users can revoke the role from a group.</p>

     <p conref="../shared/impala_common.xml#common/compatibility_blurb"/>

     <p>
       <ul>
         <li>
           The <codeph>REVOKE</codeph> statements are available in <keyword
             keyref="impala20_full"/> and higher.
         </li>

         <li>
           In <keyword keyref="impala14_full"/> and higher, Impala makes use of any roles and privileges specified by the
           <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements in Hive, when your system is configured to
           use the Sentry service instead of the file-based policy mechanism.
         </li>

         <li>
           The Impala <codeph>REVOKE</codeph> statements do not require the
             <codeph>ROLE</codeph> keyword to be repeated before each role name,
           unlike the equivalent Hive statements.
         </li>

         <li conref="../shared/impala_common.xml#common/grant_revoke_single"/>
       </ul>
     </p>

     <p conref="../shared/impala_common.xml#common/cancel_blurb_no"/>

     <p conref="../shared/impala_common.xml#common/permissions_blurb_no"/>

     <p rev="2.8.0" conref="../shared/impala_common.xml#common/kudu_blurb"/>
     <p conref="../shared/impala_common.xml#common/kudu_sentry_limitations"/>

     <p conref="../shared/impala_common.xml#common/related_info"/>

     <p>
       <xref href="impala_authorization.xml#authorization"/>, <xref href="impala_grant.xml#grant"/>
       <xref href="impala_create_role.xml#create_role"/>, <xref href="impala_drop_role.xml#drop_role"/>,
       <xref href="impala_show.xml#show"/>
     </p>
   </conbody>
 </concept>
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->
	<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
	<concept rev="2.0.0" id="revoke">

	<title>REVOKE Statement (<keyword keyref="impala20"/> or higher only)</title>
	<titlealts audience="PDF"><navtitle>REVOKE</navtitle></titlealts>
	<prolog>
	<metadata>
	<data name="Category" value="Impala"/>
	<data name="Category" value="DDL"/>
	<data name="Category" value="SQL"/>
	<data name="Category" value="Security"/>
	<data name="Category" value="Sentry"/>
	<data name="Category" value="Roles"/>
	<data name="Category" value="Administrators"/>
	<data name="Category" value="Developers"/>
	<data name="Category" value="Data Analysts"/>
	<!-- Consider whether to go deeper into categories like Security for the Sentry-related statements. -->
	</metadata>
	</prolog>

	<conbody>

	<p rev="2.0.0">
	The <codeph>REVOKE</codeph> statement revokes roles or
	privileges on a specified object from groups.
	</p>

	<p conref="../shared/impala_common.xml#common/syntax_blurb"/>

	<codeblock rev="2.3.0 collevelauth">REVOKE ROLE <varname>role_name</varname> FROM GROUP <varname>group_name</varname>

	REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
	FROM [ROLE] <varname>role_name</varname>

	<ph rev="3.0">
	privilege ::= ALL \| ALTER \| CREATE \| DROP \| INSERT \| REFRESH \| SELECT \| SELECT(<varname>column_name</varname>)
	</ph>
	<ph rev="3.0">
	object_type ::= TABLE \| DATABASE \| SERVER \| URI
	</ph>
	</codeblock>

	<p>
	See <keyword keyref="grant"/> for the required privileges and the scope
	for SQL operations.
	</p>

	<p>
	The <codeph>ALL</codeph> privilege is a distinct privilege and not a
	union of all other privileges. Revoking <codeph>SELECT</codeph>,
	<codeph>INSERT</codeph>, etc. from a role that only has the
	<codeph>ALL</codeph> privilege has no effect. To reduce the privileges
	of that role you must <codeph>REVOKE ALL</codeph> and
	<codeph>GRANT</codeph> the desired privileges.
	</p>

	<p>
	Typically, the object name is an identifier. For URIs, it is a string literal.
	</p>

	<p rev="2.3.0 collevelauth">
	The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available
	in <keyword keyref="impala23_full"/> and higher. See
	<xref keyref="sg_hive_sql"/> for details.
	</p>

	<p conref="../shared/impala_common.xml#common/privileges_blurb"/>

	<p>
	Only administrative users (those with <codeph>ALL</codeph> privileges on the server, defined in the Sentry
	policy file) can use this statement.
	</p>
	<p>Only Sentry administrative users can revoke the role from a group.</p>

	<p conref="../shared/impala_common.xml#common/compatibility_blurb"/>

	<p>
	<ul>
	<li>
	The <codeph>REVOKE</codeph> statements are available in <keyword
	keyref="impala20_full"/> and higher.
	</li>

	<li>
	In <keyword keyref="impala14_full"/> and higher, Impala makes use of any roles and privileges specified by the
	<codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements in Hive, when your system is configured to
	use the Sentry service instead of the file-based policy mechanism.
	</li>

	<li>
	The Impala <codeph>REVOKE</codeph> statements do not require the
	<codeph>ROLE</codeph> keyword to be repeated before each role name,
	unlike the equivalent Hive statements.
	</li>

	<li conref="../shared/impala_common.xml#common/grant_revoke_single"/>
	</ul>
	</p>

	<p conref="../shared/impala_common.xml#common/cancel_blurb_no"/>

	<p conref="../shared/impala_common.xml#common/permissions_blurb_no"/>

	<p rev="2.8.0" conref="../shared/impala_common.xml#common/kudu_blurb"/>
	<p conref="../shared/impala_common.xml#common/kudu_sentry_limitations"/>

	<p conref="../shared/impala_common.xml#common/related_info"/>

	<p>
	<xref href="impala_authorization.xml#authorization"/>, <xref href="impala_grant.xml#grant"/>
	<xref href="impala_create_role.xml#create_role"/>, <xref href="impala_drop_role.xml#drop_role"/>,
	<xref href="impala_show.xml#show"/>
	</p>
	</conbody>
	</concept>