docs/topics/impala_revoke.xml - impala - Git at Google

 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
 <!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
 <concept rev="2.0.0" id="revoke">

   <title>REVOKE Statement (<keyword keyref="impala20"/> or higher only)</title>
   <titlealts audience="PDF"><navtitle>REVOKE</navtitle></titlealts>
   <prolog>
     <metadata>
       <data name="Category" value="Impala"/>
       <data name="Category" value="DDL"/>
       <data name="Category" value="SQL"/>
       <data name="Category" value="Security"/>
       <data name="Category" value="Sentry"/>
       <data name="Category" value="Roles"/>
       <data name="Category" value="Administrators"/>
       <data name="Category" value="Developers"/>
       <data name="Category" value="Data Analysts"/>
       <!-- Consider whether to go deeper into categories like Security for the Sentry-related statements. -->
     </metadata>
   </prolog>

   <conbody>

     <p rev="2.0.0">
       <indexterm audience="hidden">REVOKE statement</indexterm>
 <!-- Copied from Sentry docs. Turn into conref. I did some rewording for clarity. -->
       The <codeph>REVOKE</codeph> statement revokes roles or privileges on a specified object from groups. Only
       Sentry administrative users can revoke the role from a group. The revocation has a cascading effect. For
       example, revoking the <codeph>ALL</codeph> privilege on a database also revokes the same privilege for all
       the tables in that database.
     </p>

     <p conref="../shared/impala_common.xml#common/syntax_blurb"/>

 <codeblock rev="2.3.0 collevelauth">REVOKE ROLE <varname>role_name</varname> FROM GROUP <varname>group_name</varname>

 REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
   FROM [ROLE] <varname>role_name</varname>

 <ph rev="2.3.0">privilege ::= SELECT | SELECT(<varname>column_name</varname>) | INSERT | ALL</ph>
 object_type ::= TABLE | DATABASE | SERVER | URI
 </codeblock>

     <p>
       Typically, the object name is an identifier. For URIs, it is a string literal.
     </p>

     <p rev="2.3.0 collevelauth">
       The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available
       in <keyword keyref="impala23_full"/> and higher. See
       <xref keyref="sg_hive_sql"/> for details.
     </p>

     <p conref="../shared/impala_common.xml#common/privileges_blurb"/>

     <p>
       Only administrative users (those with <codeph>ALL</codeph> privileges on the server, defined in the Sentry
       policy file) can use this statement.
     </p>

 <!-- Turn compatibility info into a conref or series of conrefs. (In both GRANT and REVOKE.) -->

     <p conref="../shared/impala_common.xml#common/compatibility_blurb"/>

     <p>
       <ul>
         <li>
           The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements are available in <keyword keyref="impala20_full"/> and
           higher.
         </li>

         <li>
           In <keyword keyref="impala14_full"/> and higher, Impala makes use of any roles and privileges specified by the
           <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements in Hive, when your system is configured to
           use the Sentry service instead of the file-based policy mechanism.
         </li>

         <li>
           The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements do not require the
           <codeph>ROLE</codeph> keyword to be repeated before each role name, unlike the equivalent Hive
           statements.
         </li>

         <li conref="../shared/impala_common.xml#common/grant_revoke_single"/>
       </ul>
     </p>

     <p conref="../shared/impala_common.xml#common/cancel_blurb_no"/>

     <p conref="../shared/impala_common.xml#common/permissions_blurb_no"/>

     <p rev="2.8.0" conref="../shared/impala_common.xml#common/kudu_blurb"/>
     <p conref="../shared/impala_common.xml#common/kudu_sentry_limitations"/>

     <p conref="../shared/impala_common.xml#common/related_info"/>

     <p>
       <xref href="impala_authorization.xml#authorization"/>, <xref href="impala_grant.xml#grant"/>
       <xref href="impala_create_role.xml#create_role"/>, <xref href="impala_drop_role.xml#drop_role"/>,
       <xref href="impala_show.xml#show"/>
     </p>
   </conbody>
 </concept>
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->
	<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
	<concept rev="2.0.0" id="revoke">

	<title>REVOKE Statement (<keyword keyref="impala20"/> or higher only)</title>
	<titlealts audience="PDF"><navtitle>REVOKE</navtitle></titlealts>
	<prolog>
	<metadata>
	<data name="Category" value="Impala"/>
	<data name="Category" value="DDL"/>
	<data name="Category" value="SQL"/>
	<data name="Category" value="Security"/>
	<data name="Category" value="Sentry"/>
	<data name="Category" value="Roles"/>
	<data name="Category" value="Administrators"/>
	<data name="Category" value="Developers"/>
	<data name="Category" value="Data Analysts"/>
	<!-- Consider whether to go deeper into categories like Security for the Sentry-related statements. -->
	</metadata>
	</prolog>

	<conbody>

	<p rev="2.0.0">
	<indexterm audience="hidden">REVOKE statement</indexterm>
	<!-- Copied from Sentry docs. Turn into conref. I did some rewording for clarity. -->
	The <codeph>REVOKE</codeph> statement revokes roles or privileges on a specified object from groups. Only
	Sentry administrative users can revoke the role from a group. The revocation has a cascading effect. For
	example, revoking the <codeph>ALL</codeph> privilege on a database also revokes the same privilege for all
	the tables in that database.
	</p>

	<p conref="../shared/impala_common.xml#common/syntax_blurb"/>

	<codeblock rev="2.3.0 collevelauth">REVOKE ROLE <varname>role_name</varname> FROM GROUP <varname>group_name</varname>

	REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
	FROM [ROLE] <varname>role_name</varname>

	<ph rev="2.3.0">privilege ::= SELECT \| SELECT(<varname>column_name</varname>) \| INSERT \| ALL</ph>
	object_type ::= TABLE \| DATABASE \| SERVER \| URI
	</codeblock>

	<p>
	Typically, the object name is an identifier. For URIs, it is a string literal.
	</p>

	<p rev="2.3.0 collevelauth">
	The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available
	in <keyword keyref="impala23_full"/> and higher. See
	<xref keyref="sg_hive_sql"/> for details.
	</p>

	<p conref="../shared/impala_common.xml#common/privileges_blurb"/>

	<p>
	Only administrative users (those with <codeph>ALL</codeph> privileges on the server, defined in the Sentry
	policy file) can use this statement.
	</p>

	<!-- Turn compatibility info into a conref or series of conrefs. (In both GRANT and REVOKE.) -->

	<p conref="../shared/impala_common.xml#common/compatibility_blurb"/>

	<p>
	<ul>
	<li>
	The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements are available in <keyword keyref="impala20_full"/> and
	higher.
	</li>

	<li>
	In <keyword keyref="impala14_full"/> and higher, Impala makes use of any roles and privileges specified by the
	<codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements in Hive, when your system is configured to
	use the Sentry service instead of the file-based policy mechanism.
	</li>

	<li>
	The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements do not require the
	<codeph>ROLE</codeph> keyword to be repeated before each role name, unlike the equivalent Hive
	statements.
	</li>

	<li conref="../shared/impala_common.xml#common/grant_revoke_single"/>
	</ul>
	</p>

	<p conref="../shared/impala_common.xml#common/cancel_blurb_no"/>

	<p conref="../shared/impala_common.xml#common/permissions_blurb_no"/>

	<p rev="2.8.0" conref="../shared/impala_common.xml#common/kudu_blurb"/>
	<p conref="../shared/impala_common.xml#common/kudu_sentry_limitations"/>

	<p conref="../shared/impala_common.xml#common/related_info"/>

	<p>
	<xref href="impala_authorization.xml#authorization"/>, <xref href="impala_grant.xml#grant"/>
	<xref href="impala_create_role.xml#create_role"/>, <xref href="impala_drop_role.xml#drop_role"/>,
	<xref href="impala_show.xml#show"/>
	</p>
	</conbody>
	</concept>