REVOKE PERMISSION

Removes privileges on database objects from a role. Privilege removal is immediate, even to active client sessions.

Syntax

REVOKE <permission> ON <resource_name> FROM <role_name> ;
Syntax legend
Legend
Syntax conventions Description

UPPERCASE

Literal keyword.

Lowercase

Not literal.

< >

Variable value. Replace with a user-defined value.

[]

Optional. Square brackets ([]) surround optional command arguments. Do not type the square brackets.

( )

Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.

|

Or. A vertical bar (|) separates alternative elements. Type any one of the elements. Do not type the vertical bar.

...

Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.

'<Literal string>'

Single quotation (') marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.

{ <key> : <value> }

Map collection. Braces ({ }) enclose map collections or key value pairs. A colon separates the key and the value.

<datatype2

Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.

<cql_statement>;

End CQL statement. A semicolon (;) terminates all CQL statements.

[--]

Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.

' <<schema\> ... </schema\>> '

Search CQL only: Single quotation marks (') surround an entire XML schema declaration.

@<xml_entity>='<xml_entity_type>'

Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.

Access control matrix tables

In the following tables, the hierarchy of permissions is shown for each resource type, as well as the permissions that can be granted on each resource.

Data resources

Cassandra database objects on which permissions are applied. Database resources have modelled hierarchy, the permission on a top level object gives the role the same permission on the objects ancestors.

Resource permissions

Type of access a role has to a database resource.

The following hierarchy is true for data: ALL KEYSPACES > KEYSPACE <keyspace_name> > ALL TABLES IN KEYSPACE <keyspace_name> > TABLE <table_name> > '<filtering_data>' ROWS IN <table_name>

Resource type: Data
Privilege Resource Permissions

ALL PERMISSIONS

resource_name

All operations that are applicable to the resource and its ancestors, where resource name is listed below.

ALTER

ALL KEYSPACES

ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROW in any keyspace.

ALTER

KEYSPACE keyspace_name

ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in specified keyspace.

ALTER

TABLE table_name

ALTER TABLE and RESTRICT ROW of specified table.

CREATE

ALL KEYSPACES

CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTIONS, and CREATE TYPE in any keyspace.

CREATE

KEYSPACE keyspace_name

CREATE TABLE and CREATE TYPE in specified keyspace.

DROP

ALL KEYSPACES

DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace

DROP

KEYSPACE keyspace_name

DROP TABLE and DROP TYPE in specified keyspace

DROP

TABLE table_name

DROP TABLE specified.

MODIFY

filtering_data ROWS IN table_name

MODIFY on rows that exactly match the filtering_data in specified table.

MODIFY

ALL KEYSPACES

INSERT, UPDATE, DELETE, and TRUNCATE on any table.

MODIFY

KEYSPACE keyspace_name

INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace.

MODIFY

TABLE table_name

INSERT, UPDATE, DELETE, and TRUNCATE on specified table.

SELECT

filtering_data ROWS IN table_name

SELECT on rows that exactly match the filtering_data in specified table.

SELECT

ALL KEYSPACES

SELECT on any table.

SELECT

KEYSPACE keyspace_name

SELECT on any table in specified keyspace.

SELECT

TABLE table_name

SELECT on specified table.

The following hierarchy is true for JMX resources: ALL MBEANS > MBEAN <mbean_name> and MBEANS <pattern>

Resource type: JMX
Privilege Resource Permissions

DESCRIBE

ALL MBEANS

Retrieve metadata about any mbean from the platform’s MBeanServer.

DESCRIBE

MBEAN mbean_name

Retrieve metadata about a named mbean from the platform’s MBeanServer.

DESCRIBE

MBEANS pattern

Retrieve metadata about any mbean matching a wildcard pattern from the platform’s MBeanServer.

EXECUTE

ALL MBEANS

Execute operations on any mbean.

EXECUTE

MBEAN mbean_name

Execute operations on named mbean.

EXECUTE

MBEANS pattern

Execute operations on any mbean matching a wildcard pattern.

MODIFY

ALL MBEANS

Call setter methods on any mbean.

MODIFY

MBEAN mbean_name

Call setter methods on named mbean.

MODIFY

MBEANS pattern

Call setter methods on any mbean matching a wildcard pattern.

SELECT

ALL MBEANS

Call getter methods on any mbean.

SELECT

MBEAN mbean_name

Call getter methods on named mbean.

SELECT

MBEANS pattern

Call getter methods on any mbean matching a wildcard pattern.

Example

Revoke simple permission on a resource to a role

  • Revoke the ALTER permission on the keyspace cycling to the coach role:

# REVOKE ALTER ON KEYSPACE cycling FROM coach;

Revoke all permissions on a resource to a role

  • Revoke all permissions on the keyspace cycling to the cycling_admin role:

REVOKE ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;

Revoke multiple permissions on a resource to a role

Revoke AUTHORIZE permission on a resource to a role

  • Revoke the AUTHORIZE permission on the keyspace cycling to the cycling_admin role:

REVOKE AUTHORIZE ON KEYSPACE cycling FROM cycling_admin;

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com