REVOKE Statement (Impala 2.0 or higher only)
REVOKE statement revokes roles or privileges on a specified object
from groups, roles, or users.
The following syntax is supported when Impala is using Ranger to manage authorization.
REVOKE ROLE role_name FROM GROUP group_name REVOKE privilege ON object_type object_name FROM USER user_name REVOKE privilege ON object_type object_name FROM GROUP group_name REVOKE [GRANT OPTION FOR] privilege ON object_type object_name FROM [ROLE] role_name privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name) object_type ::= SERVER | URI | DATABASE | TABLE
See GRANT Statement (Impala 2.0 or higher only) for the required privileges and the scope for SQL operations.
ALL privilege is a distinct privilege and not a union of all other
INSERT, etc. from a role
that only has the
ALL privilege has no effect. To reduce the privileges
of that role you must
REVOKE ALL and
GRANT the desired
You cannot revoke a privilege granted with the
WITH GRANT OPTION. If a
privilege is granted with the
WITH GRANT OPTION, first revoke the grant
option, and then revoke the privilege.
GRANT ALL ON SERVER TO ROLE foo_role; ... REVOKE GRANT OPTION FOR ALL ON SERVER FROM ROLE foo_role; REVOKE ALL ON SERVER FROM ROLE foo_role;
Typically, the object name is an identifier. For URIs, it is a string literal.
The ability to grant or revoke
SELECT privilege on specific columns is
available in Impala 2.3 and higher. See
the documentation for Apache Sentry for details.
Only administrative users for Ranger can use this statement.
Only Ranger administrative users can revoke the role from a group.
REVOKEstatements are available in Impala 2.0 and higher.
Impala makes use of any roles and privileges specified by the
REVOKEstatements in Hive, when your system is configured to use the Ranger service instead of the file-based policy mechanism.
REVOKEstatements do not require the
ROLEkeyword to be repeated before each role name, unlike the equivalent Hive statements.
Currently, each Impala
REVOKEstatement can only grant or revoke a single privilege to or from a single role.
Cancellation: Cannot be cancelled.
HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.
- Only users with the
SERVERcan create external Kudu tables.
SERVERis required to specify the
kudu.master_addressesproperty in the
CREATE TABLEstatements for managed tables as well as external tables.
- Access to Kudu tables is enforced at the table level and at the column level.
INSERT-specific permissions are supported.
UPSERToperations require the