REVOKE Statement (Impala 2.0 or higher only)

The REVOKE statement revokes a role from a group, or revokes privileges on a specified object from a role.

Syntax:

REVOKE ROLE role_name FROM GROUP group_name

REVOKE [GRANT OPTION FOR] privilege ON object_type object_name
  FROM [ROLE] role_name

privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)

object_type ::= SERVER | URI | DATABASE | TABLE

Usage notes:

See GRANT Statement (Impala 2.0 or higher only) for the required privileges and the scope for SQL operations.

The ALL privilege is a distinct privilege and not a union of all other privileges. Revoking SELECT, INSERT, etc. from a role that only has the ALL privilege has no effect. To reduce the privileges of that role you must REVOKE ALL and GRANT the desired privileges.
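The sequence below walks through that case. It is an added example, not part of the original Impala documentation; the role, database and table names (analyst_role, sales_db, sales_db.orders) are hypothetical.

```sql
-- Hypothetical names: analyst_role, sales_db, sales_db.orders.
-- Starting point: the role holds only the ALL privilege on the database.
CREATE ROLE analyst_role;
GRANT ALL ON DATABASE sales_db TO ROLE analyst_role;

-- Attempt to narrow the role by removing a single privilege.
-- Because ALL is a distinct privilege and not a union of the others,
-- there is no separate INSERT grant for this statement to remove.
REVOKE INSERT ON DATABASE sales_db FROM ROLE analyst_role;

-- Inspect the role's grants before relying on the revoke above.
SHOW GRANT ROLE analyst_role;

-- Narrow the role the way the usage note describes:
-- remove ALL first, then grant back only the privileges that are needed.
REVOKE ALL ON DATABASE sales_db FROM ROLE analyst_role;
GRANT SELECT ON TABLE sales_db.orders TO ROLE analyst_role;

-- Inspect the grants again to confirm what the role now holds.
SHOW GRANT ROLE analyst_role;
```

Running SHOW GRANT ROLE after each change is the check that catches a revoke that silently left the broader ALL grant in place.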

You cannot revoke a privilege that was granted with the WITH GRANT OPTION clause. If a privilege was granted with WITH GRANT OPTION, first revoke the grant option, and then revoke the privilege.

For example:
GRANT ALL ON SERVER TO ROLE foo_role WITH GRANT OPTION;
...
REVOKE GRANT OPTION FOR ALL ON SERVER FROM ROLE foo_role;
REVOKE ALL ON SERVER FROM ROLE foo_role;

Typically, the object name is an identifier. For URIs, it is a string literal.

The ability to grant or revoke SELECT privilege on specific columns is available in Impala 2.3 and higher. See the documentation for Apache Sentry for details.

Required privileges:

Only administrative users (those with ALL privileges on the server, defined in the Sentry policy file) can use this statement.

Only Sentry administrative users can revoke the role from a group.

Compatibility:

Cancellation: Cannot be cancelled.

HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.

Kudu considerations:

Access to Kudu tables must be granted to and revoked from roles with the following considerations: Because non-SQL APIs can access Kudu data without going through Sentry authorization, currently the Sentry support is considered preliminary and subject to change.

Related information:

Enabling Sentry Authorization for Impala, GRANT Statement (Impala 2.0 or higher only), CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement