Description
The REVOKE command is used to:
- Revoke specified privileges from a user or role.
- Revoke specified roles previously granted to a user.
Syntax
REVOKE privilege_list ON priv_level FROM user_identity [ROLE role_name]
REVOKE privilege_list ON RESOURCE resource_name FROM user_identity [ROLE role_name]
REVOKE privilege_list ON WORKLOAD GROUP workload_group_name FROM user_identity [ROLE role_name]
REVOKE privilege_list ON COMPUTE GROUP compute_group_name FROM user_identity [ROLE role_name]
REVOKE privilege_list ON STORAGE VAULT storage_vault_name FROM user_identity [ROLE role_name]
REVOKE role_list FROM user_identity
Parameters
privilege_list
A comma-separated list of privileges to be revoked. Supported privileges include:
- NODE_PRIV: Cluster node operation permissions
- ADMIN_PRIV: Administrator privileges
- GRANT_PRIV: Authorization privileges
- SELECT_PRIV: Query privileges
- LOAD_PRIV: Data import privileges
- ALTER_PRIV: Modification privileges
- CREATE_PRIV: Creation privileges
- DROP_PRIV: Deletion privileges
- USAGE_PRIV: Usage privileges
- SHOW_VIEW_PRIV: Privileges to view view definitions
priv_level
Specifies the scope of the privileges. Supported formats:
- ..*: All catalogs, databases, and tables
- catalog_name..: All databases and tables in the specified catalog
- catalog_name.db.*: All tables in the specified database
- catalog_name.db.tbl: Specific table in the specified database
resource_name
Specifies the resource scope. Supports % (matches any string) and _ (matches any single character) wildcards.
workload_group_name
Specifies the workload group name. Supports % (matches any string) and _ (matches any single character) wildcards.
compute_group_name
Specifies the compute group name. Supports % (matches any string) and _ (matches any single character) wildcards.
storage_vault_name
Specifies the storage vault name. Supports % (matches any string) and _ (matches any single character) wildcards.
user_identity
Specifies the user from whom privileges are being revoked. Must be a user created with CREATE USER. The host in user_identity can be a domain name. If it's a domain name, the revocation of privileges may be delayed by about 1 minute.
role_name
Specifies the role from which privileges are being revoked. The role must exist.
role_list
A comma-separated list of roles to be revoked. All specified roles must exist.
Examples
-
Revoke SELECT privilege on a specific database from a user:
REVOKE SELECT_PRIV ON db1.* FROM 'jack'@'192.%';
-
Revoke usage privilege on a resource from a user:
REVOKE USAGE_PRIV ON RESOURCE 'spark_resource' FROM 'jack'@'192.%';
-
Revoke roles from a user:
REVOKE 'role1','role2' FROM 'jack'@'192.%';
-
Revoke usage privilege on a workload group from a user:
REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM 'jack'@'%';
-
Revoke usage privilege on all workload groups from a user:
REVOKE USAGE_PRIV ON WORKLOAD GROUP '%' FROM 'jack'@'%';
-
Revoke usage privilege on a workload group from a role:
REVOKE USAGE_PRIV ON WORKLOAD GROUP 'g1' FROM ROLE 'test_role';
-
Revoke usage privilege on a compute group from a user:
REVOKE USAGE_PRIV ON COMPUTE GROUP 'group1' FROM 'jack'@'%';
-
Revoke usage privilege on a compute group from a role:
REVOKE USAGE_PRIV ON COMPUTE GROUP 'group1' FROM ROLE 'my_role';
-
Revoke usage privilege on a storage vault from a user:
REVOKE USAGE_PRIV ON STORAGE VAULT 'vault1' FROM 'jack'@'%';
-
Revoke usage privilege on a storage vault from a role:
REVOKE USAGE_PRIV ON STORAGE VAULT 'vault1' FROM ROLE 'my_role';
Related Commands
- GRANT
- SHOW GRANTS
- CREATE ROLE
- CREATE WORKLOAD GROUP
- CREATE COMPUTE GROUP
- CREATE RESOURCE
- CREATE STORAGE VAULT
Keywords
REVOKE, WORKLOAD GROUP, COMPUTE GROUP, RESOURCE, STORAGE VAULT