REVOKE
Removes privileges on database objects from a role.
Synopsis
REVOKE <permission> ON <resource_name> FROM <role_name> ;
Syntax legend
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
 | Variable value. Replace with a user-defined value. |
Square brackets | Optional. |
Parentheses | Group. |
Vertical bar | Or. |
Ellipsis | Repeatable. |
Single quotation | |
Braces | Map collection. |
Angle brackets | Set, list, map, or tuple. |
Semicolon | End CQL statement. |
Two hyphens | Separate the command line options from the command arguments. |
Single quotation marks | Search CQL only. |
 | Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- privilege
  For DSE 5.1 only. Permissions granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:
  - ALL PERMISSIONS
  - ALTER
  - AUTHORIZE
  - CREATE
  - DESCRIBE
  - DROP
  - EXECUTE
  - MODIFY
  - PROXY.EXECUTE
  - PROXY.LOGIN
  - SEARCH.ALTER
  - SEARCH.COMMIT
  - SEARCH.CREATE
  - SEARCH.DROP
  - SEARCH.REBUILD
  - SEARCH.RELOAD
  - SELECT
- <permission>
  Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma-separated list of permissions. Permissions are resource-specific as follows:
  - Data - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, MODIFY (deprecated), SELECT, TRUNCATE, or UPDATE (allows INSERT, UPDATE, or DELETE)
  - Functions (and aggregates) - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, and DROP
  - Search indexes - AUTHORIZE [FOR <permission_list>], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD
  - Roles - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN
  - JMX (MBeans) - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], DESCRIBE, EXECUTE, MODIFY, and SELECT
  - Remote procedure calls (RPC) - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], EXECUTE, MODIFY, and SELECT
  - Authentication schemes - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>] and EXECUTE
  - Spark workpools - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], CREATE, and DESCRIBE
  - Spark submissions - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], DESCRIBE, and MODIFY

  To manage access control, the role must have authorize permission on the resource for the type of permission.
When |
|
- <resource_name>
  Apache Cassandra® database objects on which permissions are applied. Database resources have a modelled hierarchy: a permission on a top-level object gives the role the same permission on the objects below it in the hierarchy. Identify the resource using the following keywords:
  - Data - ALL KEYSPACES > KEYSPACE <keyspace_name> > ALL TABLES IN KEYSPACE <keyspace_name> > TABLE <table_name> > '<filtering_data>' ROWS IN <table_name>
  - Function (including aggregates) - ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE <keyspace_name>, and FUNCTION <keyspace_name.function_name>(<argument_types>)
  - Search indexes - ALL SEARCH INDICES > SEARCH KEYSPACE <keyspace_name> > SEARCH INDICES [<keyspace_name>.]<table_name>
  - JMX MBeans - ALL MBEANS > MBEAN <mbean_name> and MBEANS <pattern>
  - Remote procedure calls (RPC) - ALL REMOTE CALLS > REMOTE METHOD <name> | REMOTE OBJECT <name>
  - Roles - ALL ROLES > ROLE <role_name>
  - Authentication schemes - ALL SCHEMES > LDAP | KERBEROS | INTERNAL
  - Analytic applications
    - Workpools - ANY WORKPOOL > WORKPOOL '<dc_name>.*' > WORKPOOL '<dc_name>.<workpool_name>'
    - Submissions - ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL '<datacenter_name>.*' > '<datacenter_name>.<workpool_name>' > SUBMISSION <ID>
Example
The role coach can no longer perform queries or modify data in the cycling keyspace:
REVOKE SELECT, MODIFY
ON KEYSPACE cycling
FROM coach;
Restriction:
Because of inheritance, the user can perform SELECT queries on cycling.name if one of these conditions is met:
- The user is a superuser.
- The user has SELECT permission on ALL KEYSPACES.
- The user has SELECT on the cycling keyspace.
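The restriction above, worked through as an added Python sketch (not DataStax code): a simplified model of the data hierarchy ALL KEYSPACES > KEYSPACE > TABLE that reports why a role still holds a permission after a REVOKE. It assumes a REVOKE removes only the grant stored at the named level; the `Authz` class, its methods, the `admin` superuser and the sample grants are constructed for illustration.

```python
# Simplified model for illustration; not DSE's authorizer implementation.

def lookup_chain(resource):
    """Return the resource plus every level above it, most specific first."""
    chain = [resource]
    if resource.startswith("TABLE "):
        keyspace = resource[len("TABLE "):].split(".")[0]
        chain.append("KEYSPACE " + keyspace)
    if resource != "ALL KEYSPACES":
        chain.append("ALL KEYSPACES")
    return chain


class Authz:
    def __init__(self, superusers=()):
        self.superusers = set(superusers)
        self.grants = set()  # (role, permission, resource) triples

    def grant(self, permissions, resource, role):
        self.grants |= {(role, p, resource) for p in permissions}

    def revoke(self, permissions, resource, role):
        # Assumption: only the grant at the named level is removed.
        self.grants -= {(role, p, resource) for p in permissions}

    def residual(self, role, permission, resource):
        """List every reason the role can still use permission on resource."""
        reasons = ["superuser"] if role in self.superusers else []
        reasons += [level for level in lookup_chain(resource)
                    if (role, permission, level) in self.grants]
        return reasons


def demo():
    """Constructed scenario: coach holds SELECT at two levels before the REVOKE."""
    authz = Authz(superusers={"admin"})
    authz.grant(["SELECT"], "ALL KEYSPACES", "coach")
    authz.grant(["SELECT", "MODIFY"], "KEYSPACE cycling", "coach")
    authz.revoke(["SELECT", "MODIFY"], "KEYSPACE cycling", "coach")
    return {
        "coach SELECT": authz.residual("coach", "SELECT", "TABLE cycling.name"),
        "coach MODIFY": authz.residual("coach", "MODIFY", "TABLE cycling.name"),
        "admin SELECT": authz.residual("admin", "SELECT", "TABLE cycling.name"),
    }


if __name__ == "__main__":
    for check, reasons in demo().items():
        print(check, "->", reasons or "denied")
```

In this model an empty list is the only result that means the REVOKE removed access; any remaining entry names the level where a grant still has to be revoked.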
The role coach can no longer perform ALTER commands in the cycling keyspace:
REVOKE ALTER
ON KEYSPACE cycling
FROM coach;