REVOKE

Removes privileges on database objects from a role.

REVOKE does not automatically invalidate cached permissions. Each node caches the result of permission lookups, so a revoked permission can keep working until the cached entry expires and is refreshed (the cache validity period is set in cassandra.yaml; in Apache Cassandra the setting is permissions_validity_in_ms). Treat that period as the window during which the role can still act, or flush the cache on each node with nodetool invalidatepermissionscache to make the revocation take effect immediately.

Synopsis

REVOKE <permission>
  ON <resource_name>
  FROM <role_name> ;
Syntax legend
Legend
Syntax conventions Description

UPPERCASE

Literal keyword.

Lowercase

Not literal.

< >

Variable value. Replace with a user-defined value.

[]

Optional. Square brackets ([]) surround optional command arguments. Do not type the square brackets.

( )

Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.

|

Or. A vertical bar (|) separates alternative elements. Type any one of the elements. Do not type the vertical bar.

...

Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.

'<Literal string>'

Single quotation (') marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.

{ <key> : <value> }

Map collection. Braces ({ }) enclose map collections or key value pairs. A colon separates the key and the value.

<datatype1>,<datatype2>

Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.

<cql_statement>;

End CQL statement. A semicolon (;) terminates all CQL statements.

[--]

Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.

'<schema> ... </schema>'

Search CQL only: Single quotation marks (') surround an entire XML schema declaration.

@<xml_entity>='<xml_entity_type>'

Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.

privilege

For DSE 5.1 only. Permissions granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:

  • ALL PERMISSIONS

  • ALTER

  • AUTHORIZE

  • CREATE

  • DESCRIBE

  • DROP

  • EXECUTE

  • MODIFY

  • PROXY.EXECUTE

  • PROXY.LOGIN

  • SEARCH.ALTER

  • SEARCH.COMMIT

  • SEARCH.CREATE

  • SEARCH.DROP

  • SEARCH.REBUILD

  • SEARCH.RELOAD

  • SELECT

<permission>

Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma separated list of permissions.

Permissions are resource-specific as follows:

  • Data - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, MODIFY (deprecated), SELECT, TRUNCATE, or UPDATE (allows INSERT, UPDATE, or DELETE)

  • Functions (and aggregates) - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, and DROP

  • Search indexes - AUTHORIZE [FOR <permission_list>], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD

  • Roles - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR <permission_list>], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN

  • JMX (MBeans) - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], DESCRIBE, EXECUTE, MODIFY, and SELECT

  • Remote procedure calls (RPC) - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], EXECUTE, MODIFY, and SELECT

  • Authentication schemes - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>] and EXECUTE

  • Spark workpools - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], CREATE, and DESCRIBE

  • Spark submissions - ALL PERMISSIONS or AUTHORIZE [FOR <permission_list>], DESCRIBE, and MODIFY

To manage access control the role must have authorize permission on the resource for the type of permission. When AUTHORIZE is granted without specifying FOR <permission>, the role can manage all permissions on the object.

MODIFY is deprecated and replaced with TRUNCATE and UPDATE. Migration from MODIFY permission is recommended, but not strictly necessary. This should be tested thoroughly and implemented with care in cases where a role needs the new TRUNCATE permission.
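The following statements are an added example, not code from the DataStax page: they show the migration away from MODIFY described above and a delegation scoped with AUTHORIZE FOR. The keyspace cycling and the roles coach and team_lead are assumed names.

```cql
-- Added example (not from the DataStax page). Assumes keyspace 'cycling' exists;
-- roles 'coach' and 'team_lead' are hypothetical.

-- 1. Replace the deprecated MODIFY with the narrower permissions it was split into.
--    Grant the replacement first so the role never loses write access, then
--    revoke MODIFY. UPDATE alone covers INSERT, UPDATE and DELETE; add TRUNCATE
--    only where the role genuinely needs to empty tables.
GRANT UPDATE ON KEYSPACE cycling TO coach;
REVOKE MODIFY ON KEYSPACE cycling FROM coach;

-- Confirm what the role now holds on the keyspace: UPDATE should be present,
-- MODIFY absent, and TRUNCATE absent unless it was granted deliberately.
LIST ALL PERMISSIONS ON KEYSPACE cycling OF coach;

-- 2. Delegation limited with AUTHORIZE FOR.
--    team_lead may grant or revoke SELECT on the keyspace to other roles, but
--    cannot manage any other permission (a bare AUTHORIZE would allow all of them).
GRANT AUTHORIZE FOR SELECT ON KEYSPACE cycling TO team_lead;

-- Withdraw the delegation right again. team_lead's own SELECT grant, if it has
-- one, is unaffected: AUTHORIZE and SELECT are separate permissions.
REVOKE AUTHORIZE FOR SELECT ON KEYSPACE cycling FROM team_lead;
```

Run the LIST statement before and after each change; the only reliable check that a migration from MODIFY did not widen or narrow a role's access is the listed permission set, not the absence of an error from GRANT or REVOKE.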

<resource_name>

Apache Cassandra® database objects on which permissions are applied. Database resources form a modeled hierarchy: a permission granted on an object also applies to every object below it in that hierarchy (a grant on a keyspace covers all tables in that keyspace), whereas REVOKE removes only the entry recorded at the level you name. Identify the resource using the following keywords:

  • Data - ALL KEYSPACES > KEYSPACE <keyspace_name> > ALL TABLES IN KEYSPACE <keyspace_name> > TABLE <table_name> > '<filtering_data>' ROWS IN <table_name>

  • Function (including aggregates) - ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE <keyspace_name>, and FUNCTION <keyspace_name.function_name>(<argument_types>)

  • Search indexes - ALL SEARCH INDICES > SEARCH KEYSPACE <keyspace_name> > SEARCH INDICES [<keyspace_name>.]<table_name>

  • JMX MBeans - ALL MBEANS > MBEAN <mbean_name> and MBEANS <pattern>

  • Remote procedure calls (RPC) - ALL REMOTE CALLS > REMOTE METHOD <name> | REMOTE OBJECT <name>

  • Roles - ALL ROLES > ROLE <role_name>

  • Authentication schemes - ALL SCHEMES > LDAP | KERBEROS | INTERNAL

  • Analytic applications

    • Workpools - ANY WORKPOOL > WORKPOOL '<dc_name>.*' > WORKPOOL '<dc_name>.<workpool_name>'

    • Submissions - ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL '<datacenter_name>.*' > ANY SUBMISSION IN WORKPOOL '<datacenter_name>.<workpool_name>' > SUBMISSION <ID>

Example

The role coach can no longer perform queries or modify data in the cycling keyspace. (MODIFY is deprecated; on a release that has the replacement permissions, revoke UPDATE and TRUNCATE as well, since a role holding those keeps write access after MODIFY is revoked.)

REVOKE SELECT, MODIFY
ON KEYSPACE cycling 
FROM coach;

Restriction:

REVOKE removes only the grant recorded on the resource you name; it is not a deny rule, and a permission inherited from a higher level of the hierarchy or granted directly on a lower level stays in force. After the statement above, coach can still perform SELECT queries on a table in the keyspace, such as cycling.name, if one of these conditions is met:

  • The role is a superuser.

  • The role has SELECT on ALL KEYSPACES.

  • The role was granted SELECT directly on the table cycling.name.

The role coach can no longer perform ALTER commands in the cycling keyspace:

REVOKE ALTER
ON KEYSPACE cycling 
FROM coach;
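To see the restriction above in practice, here is an added example (not from the DataStax page) that grants SELECT at two levels of the hierarchy, revokes at one, and uses LIST PERMISSIONS to verify what remains. The keyspace cycling, the table cycling.name and the role coach are assumed names.

```cql
-- Added example (not from the DataStax page). Assumes keyspace 'cycling' and
-- table 'cycling.name' exist and that the role 'coach' has been created.

-- Two grants at different levels: the keyspace and one table inside it.
GRANT SELECT ON KEYSPACE cycling TO coach;
GRANT SELECT ON TABLE cycling.name TO coach;

-- Revoking at the keyspace level removes only the keyspace-level entry.
REVOKE SELECT ON KEYSPACE cycling FROM coach;

-- Without NORECURSIVE the listing includes permissions that apply to the table
-- through the hierarchy, so this is the effective view of what coach can do.
-- The direct grant on cycling.name is untouched by the keyspace-level REVOKE,
-- so it is still reported here.
LIST SELECT PERMISSIONS ON TABLE cycling.name OF coach;

-- NORECURSIVE shows only the grant recorded on this exact resource, which is the
-- entry a REVOKE naming this resource would remove.
LIST SELECT PERMISSIONS ON TABLE cycling.name OF coach NORECURSIVE;

-- Remove the remaining grant at the level where it was made.
REVOKE SELECT ON TABLE cycling.name FROM coach;

-- Final check: everything coach holds, on any resource. An empty result means no
-- explicit grant is left. A superuser bypasses all of this, so check that flag
-- separately in the output of LIST ROLES.
LIST ALL PERMISSIONS OF coach;
LIST ROLES;
```

When auditing a revocation, list permissions on the most specific resource involved, both with and without NORECURSIVE, and then check ALL KEYSPACES and the superuser flag; a clean result at the keyspace level says nothing about grants made above or below it. Allow for the permissions cache validity period before assuming the change is live on every node.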


© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.
