You can use the REVOKE syntax to revoke the specified permissions from a user. You can use the SHOW PRIVILEGES syntax to view the permissions granted to all users first. Then, you can use the REVOKE syntax to revoke improper permissions from the specified user.
Applicable engines and versions
The REVOKE syntax is applicable to all versions of LindormTable and LindormTSDB.
Syntax
revoke_permission_statement ::= REVOKE privilege_definition ON resource_definition FROM user_identifier
privilege_definition ::= ALL | ALL PRIVILEGE | READ | WRITE | ADMIN | TRASH | SYSTEM
resource_definition ::= GLOBAL | DATABASE identifier | SCHEMA identifier | TABLE identifier
Parameters
Whether a REVOKE statement can be executed successfully depends on the permissions that are granted to the user who executes the statement. For more information, see User and permission management.
Permission (privilege_definition)
The following table describes the permissions that can be revoked.
Permission | Description |
ALL or ALL PRIVILEGE | Revoke all permissions on the resources from the user, including READ, WRITE, ADMIN, and TRASH. |
READ | Revoke the read permission on the resources from the user. |
WRITE | Revoke the write permission on the resources from the user. |
ADMIN | Revoke the administrator permission on the resources from the user. |
TRASH | Revoke the delete permission on the resources from the user. |
SYSTEM | Revoke the cluster management permissions on the resources from the user. The SYSTEM permission includes the ADMIN permission on the GLOBAL level. |
Resource level (resource_definition)
You can revoke permissions on the following levels of resources:
GLOBAL: Revoke the permissions on global resources from the user.
DATABASE: Revoke the permissions on the specified database from the user. The DATABASE level is equivalent to the SCHEMA level.
Note: LindormTable 2.5.3.3 and later versions support the DATABASE level. LindormTable versions earlier than 2.5.3.3 support only the SCHEMA level.
TABLE: Revoke the permissions on the specified table from the user.
The following permission levels from high to low are supported: GLOBAL, DATABASE (SCHEMA), and TABLE.
When you use the DATABASE, SCHEMA, or TABLE keyword, you must specify the identifier of the permission level. For example, DATABASE default and SCHEMA default indicate the database named default, and TABLE test indicates the table named test.
User from which permissions are revoked (user_identifier)
The user_identifier parameter indicates the user from which permissions are revoked.
Examples
Revoke all permissions from a user
Revoke all permissions on the database db1 from a user named user1.
REVOKE ALL ON DATABASE db1 FROM user1;
-- or
REVOKE ALL ON SCHEMA db1 FROM user1;
Revoke the specified permissions from a user
Revoke the ADMIN permission on table2 in the database db2 from a user named user2.
REVOKE ADMIN ON TABLE db2.table2 FROM user2;
Revoke the WRITE permission on table3 from a user named user3.
REVOKE WRITE ON TABLE table3 FROM user3;
Revoke the READ permission on the GLOBAL level from a user named user4.
REVOKE READ ON GLOBAL FROM user4;
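The workflow described at the top of this page (review the granted permissions, then revoke the improper ones), as an added example that is not part of the Lindorm documentation: a Python helper that builds REVOKE statements from the grammar above for every grant missing from a least-privilege allowlist, and falls back to SCHEMA on LindormTable versions earlier than 2.5.3.3. The grant tuples, the allowlist, the identifier pattern and the function names are assumptions; the SHOW PRIVILEGES output format is not shown on this page.

```python
import re

# Keywords from the page's grammar (ALL PRIVILEGE is the long form of ALL).
PRIVILEGES = {"ALL", "ALL PRIVILEGE", "READ", "WRITE", "ADMIN", "TRASH", "SYSTEM"}
LEVELS = {"GLOBAL", "DATABASE", "SCHEMA", "TABLE"}
# Assumption: a conservative identifier pattern, not Lindorm's documented rule.
NAME = r"[A-Za-z_][A-Za-z0-9_]*"
USER_RE = re.compile(NAME)
RESOURCE_RE = re.compile(rf"{NAME}(\.{NAME})?")
DATABASE_MIN_VERSION = (2, 5, 3, 3)  # first LindormTable version with DATABASE


def revoke_statement(user, privilege, level, resource=None,
                     version=DATABASE_MIN_VERSION):
    """Build one REVOKE statement, rejecting anything outside the grammar."""
    if privilege not in PRIVILEGES or level not in LEVELS:
        raise ValueError(f"unknown privilege or level: {privilege} {level}")
    if not USER_RE.fullmatch(user):
        raise ValueError(f"unsafe user identifier: {user!r}")
    if level == "GLOBAL":
        if resource is not None:
            raise ValueError("GLOBAL takes no identifier")
        return f"REVOKE {privilege} ON GLOBAL FROM {user};"
    if resource is None or not RESOURCE_RE.fullmatch(resource):
        raise ValueError(f"unsafe resource identifier: {resource!r}")
    if level == "DATABASE" and tuple(version) < DATABASE_MIN_VERSION:
        level = "SCHEMA"  # equivalent level on versions earlier than 2.5.3.3
    return f"REVOKE {privilege} ON {level} {resource} FROM {user};"


def plan_revokes(grants, allowed, version=DATABASE_MIN_VERSION):
    """Return REVOKE statements for every grant missing from the allowlist."""
    return [revoke_statement(u, p, lvl, res, version)
            for (u, p, lvl, res) in grants
            if (u, p, lvl, res) not in allowed]


# Constructed sample data: (user, privilege, level, resource) tuples.
GRANTS = [
    ("user1", "ALL", "DATABASE", "db1"),
    ("user2", "ADMIN", "TABLE", "db2.table2"),
    ("user3", "READ", "TABLE", "table3"),
    ("user4", "READ", "GLOBAL", None),
]
ALLOWED = {("user3", "READ", "TABLE", "table3")}  # the only grant to keep

if __name__ == "__main__":
    for stmt in plan_revokes(GRANTS, ALLOWED):
        print(stmt)
```

Review the printed statements before executing them; whether each one succeeds still depends on the permissions of the user who runs it.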