| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd"> |
| <concept rev="2.0.0" id="revoke"> |
| |
| <title>REVOKE Statement (<keyword keyref="impala20"/> or higher only)</title> |
| |
| <titlealts audience="PDF"> |
| |
| <navtitle>REVOKE</navtitle> |
| |
| </titlealts> |
| |
| <prolog> |
| <metadata> |
| <data name="Category" value="Impala"/> |
| <data name="Category" value="DDL"/> |
| <data name="Category" value="SQL"/> |
| <data name="Category" value="Security"/> |
| <data name="Category" value="Sentry"/> |
| <data name="Category" value="Roles"/> |
| <data name="Category" value="Administrators"/> |
| <data name="Category" value="Developers"/> |
| <data name="Category" value="Data Analysts"/> |
| <!-- Consider whether to go deeper into categories like Security for the Sentry-related statements. --> |
| </metadata> |
| </prolog> |
| |
| <conbody> |
| |
| <p rev="2.0.0"> |
| The <codeph>REVOKE</codeph> statement revokes roles or privileges on a specified object |
| from groups, roles, or users. |
| </p> |
| |
| <p conref="../shared/impala_common.xml#common/syntax_blurb"/> |
| |
| <p> |
| The following syntax is supported when Impala is using Senty to manage authorization. |
| </p> |
| |
| <codeblock rev="2.3.0 collevelauth">REVOKE ROLE <varname>role_name</varname> FROM GROUP <varname>group_name</varname> |
| |
| REVOKE [GRANT OPTION FOR] <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname> |
| FROM [ROLE] <varname>role_name</varname> |
| |
| <ph rev="3.0"> |
| <varname>privilege</varname> ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>) |
| </ph> |
| <ph id="priv_objs" rev="3.0"><varname>object_type</varname> ::= SERVER | URI | DATABASE | TABLE</ph></codeblock> |
| |
| <p> |
| The following syntax is supported when Impala is using Ranger to manage authorization. |
| </p> |
| |
| <codeblock>REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname> |
| FROM USER <varname>user_name</varname> |
| |
| REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname> |
| FROM GROUP <varname>group_name</varname> |
| <ph rev="3.0"> |
| |
| privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(<varname>column_name</varname>) |
| </ph> |
| <ph rev="3.0">object_type ::= SERVER | URI | DATABASE | TABLE</ph></codeblock> |
| |
| <p> |
| <b>Usage notes:</b> |
| </p> |
| |
| <p> |
| See <keyword keyref="grant"/> for the required privileges and the scope for SQL |
| operations. |
| </p> |
| |
| <p> |
| The <codeph>ALL</codeph> privilege is a distinct privilege and not a union of all other |
| privileges. Revoking <codeph>SELECT</codeph>, <codeph>INSERT</codeph>, etc. from a role |
| that only has the <codeph>ALL</codeph> privilege has no effect. To reduce the privileges |
| of that role you must <codeph>REVOKE ALL</codeph> and <codeph>GRANT</codeph> the desired |
| privileges. |
| </p> |
| |
| <p> |
| You cannot revoke a privilege granted with the <codeph>WITH GRANT OPTION</codeph>. If a |
| privilege is granted with the <codeph>WITH GRANT OPTION</codeph>, first revoke the grant |
| option, and then revoke the privilege. |
| </p> |
| |
| <p> |
| For example: |
| <codeblock>GRANT ALL ON SERVER TO ROLE foo_role; |
| ... |
| REVOKE GRANT OPTION FOR ALL ON SERVER FROM ROLE foo_role; |
| REVOKE ALL ON SERVER FROM ROLE foo_role;</codeblock> |
| </p> |
| |
| <p> |
| Typically, the object name is an identifier. For URIs, it is a string literal. |
| </p> |
| |
| <p rev="2.3.0 collevelauth"> |
| The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is |
| available in <keyword keyref="impala23_full"/> and higher. See |
| <xref keyref="sg_hive_sql"/> for details. |
| </p> |
| |
| <p conref="../shared/impala_common.xml#common/privileges_blurb"/> |
| |
| <p> |
| Only administrative users (those with <codeph>ALL</codeph> privileges on the server, |
| defined in the Sentry policy file) can use this statement. |
| </p> |
| |
| <p> |
| Only Sentry administrative users can revoke the role from a group. |
| </p> |
| |
| <p conref="../shared/impala_common.xml#common/compatibility_blurb"/> |
| |
| <p> |
| <ul> |
| <li> |
| The <codeph>REVOKE</codeph> statements are available in |
| <keyword |
| keyref="impala20_full"/> and higher. |
| </li> |
| |
| <li> |
| In <keyword keyref="impala14_full"/> and higher, Impala makes use of any roles and |
| privileges specified by the <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> |
| statements in Hive, when your system is configured to use the Sentry service instead |
| of the file-based policy mechanism. |
| </li> |
| |
| <li> |
| The Impala <codeph>REVOKE</codeph> statements do not require the <codeph>ROLE</codeph> |
| keyword to be repeated before each role name, unlike the equivalent Hive statements. |
| </li> |
| |
| <li conref="../shared/impala_common.xml#common/grant_revoke_single"/> |
| </ul> |
| </p> |
| |
| <p conref="../shared/impala_common.xml#common/cancel_blurb_no"/> |
| |
| <p conref="../shared/impala_common.xml#common/permissions_blurb_no"/> |
| |
| <p rev="2.8.0" conref="../shared/impala_common.xml#common/kudu_blurb"/> |
| |
| <p conref="../shared/impala_common.xml#common/kudu_sentry_limitations"/> |
| |
| <p conref="../shared/impala_common.xml#common/related_info"/> |
| |
| <p> |
| <xref href="impala_authorization.xml#authorization"/>, |
| <xref href="impala_grant.xml#grant"/> <xref href="impala_create_role.xml#create_role"/>, |
| <xref href="impala_drop_role.xml#drop_role"/>, <xref href="impala_show.xml#show"/> |
| </p> |
| |
| </conbody> |
| |
| </concept> |