REVOKE Statement (Impala 2.0 or higher only)

The REVOKE statement revokes roles or privileges on a specified object from groups, roles, or users.

Syntax:

The following syntax is supported when Impala is using Ranger to manage authorization.

REVOKE ROLE role_name FROM GROUP group_name

REVOKE privilege ON object_type object_name
  FROM USER user_name

REVOKE privilege ON object_type object_name
  FROM GROUP group_name

REVOKE [GRANT OPTION FOR] privilege ON object_type object_name
  FROM [ROLE] role_name


  privilege ::= ALL | ALTER | CREATE | DROP | INSERT | REFRESH | SELECT | SELECT(column_name)

object_type ::= SERVER | URI | DATABASE | TABLE

Usage notes:

See GRANT Statement (Impala 2.0 or higher only) for the required privileges and the scope for SQL operations.

The ALL privilege is a distinct privilege and not a union of all other privileges. Revoking SELECT, INSERT, etc. from a role that only has the ALL privilege has no effect. To reduce the privileges of that role you must REVOKE ALL and GRANT the desired privileges.

You cannot revoke a privilege granted with the WITH GRANT OPTION. If a privilege is granted with the WITH GRANT OPTION, first revoke the grant option, and then revoke the privilege.

For example:
GRANT ALL ON SERVER TO ROLE foo_role;
...
REVOKE GRANT OPTION FOR ALL ON SERVER FROM ROLE foo_role;
REVOKE ALL ON SERVER FROM ROLE foo_role;

Typically, the object name is an identifier. For URIs, it is a string literal.

The ability to grant or revoke SELECT privilege on specific columns is available in Impala 2.3 and higher. See the documentation for Apache Sentry for details.

Required privileges:

Only administrative users for Ranger can use this statement.

Only Ranger administrative users can revoke the role from a group.

Compatibility:

Cancellation: Cannot be cancelled.

HDFS permissions: This statement does not touch any HDFS files or directories, therefore no HDFS permissions are required.

Kudu considerations:

Access to Kudu tables must be granted to and revoked from principal with the following considerations:

Related information:

Impala Authorization, GRANT Statement (Impala 2.0 or higher only) CREATE ROLE Statement (Impala 2.0 or higher only), DROP ROLE Statement (Impala 2.0 or higher only), SHOW Statement