REVOKE
Removes privileges on database objects from roles.
CAUTION: REVOKE does not automatically invalidate cached permissions. A revoked permission remains in effect until the permissions cache is next refreshed.
Synopsis
REVOKE permission ON resource_name FROM role_name ;
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
Italics | Variable value. Replace with a user-defined value. |
[] | Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets. |
( ) | Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses. |
\| | Or. A vertical bar ( \| ) separates alternative elements. Type any one of the elements. Do not type the vertical bar. |
... | Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required. |
'Literal string' | Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case. |
{ key : value } | Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value. |
<datatype1,datatype2> | Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma. |
cql_statement; | End CQL statement. A semicolon ( ; ) terminates all CQL statements. |
[--] | Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options. |
' <schema> ... </schema> ' | Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration. |
@xml_entity='xml_entity_type' | Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- permission
  Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma-separated list of permissions. Permissions are resource specific as follows:
  - Data - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, MODIFY, and SELECT
  - Functions (and aggregates) - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, and DROP
  - Search indexes - AUTHORIZE [FOR permission_list], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD
  - Roles - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN
  - JMX (MBeans) - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], DESCRIBE, EXECUTE, MODIFY, and SELECT
  - Remote procedure calls (RPC) - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], EXECUTE, MODIFY, and SELECT
  - Authentication schemes - ALL PERMISSIONS or AUTHORIZE [FOR permission_list] and EXECUTE
  - Spark workpools - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], CREATE, and DESCRIBE
  - Spark submissions - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], DESCRIBE, and MODIFY
  Note: To manage access control, the role must have AUTHORIZE permission on the resource for the type of permission. When AUTHORIZE is granted without specifying FOR permission, the role can manage all permissions on the object.
- resource_name
  DataStax Enterprise database objects on which permissions are applied. Database resources form a hierarchy: a permission on a top-level object gives the role the same permission on every object below it (for example, SELECT ON ALL KEYSPACES also applies to every keyspace and table). Identify the resource using the following keywords:
  - Data - ALL KEYSPACES > KEYSPACE keyspace_name > TABLE table_name > 'filtering_data' ROWS IN table_name
  - Functions (including aggregates) - ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE keyspace_name, and FUNCTION keyspace_name.function_name(argument_types)
  - Search indexes - ALL SEARCH INDICES > SEARCH KEYSPACE keyspace_name > SEARCH INDICES [keyspace_name.]table_name
  - JMX MBeans - ALL MBEANS > MBEAN mbean_name and MBEANS pattern
  - Remote procedure calls (RPC) - ALL REMOTE CALLS > REMOTE METHOD name | REMOTE OBJECT name
  - Roles - ALL ROLES > ROLE role_name
  - Authentication schemes - ALL SCHEMES > LDAP | KERBEROS | INTERNAL
  - Analytic applications
    - Workpools - ANY WORKPOOL > WORKPOOL 'dc_name.*' > WORKPOOL 'dc_name.workpool_name'
    - Submissions - ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL 'datacenter_name.*' > 'datacenter_name.workpool_name' > SUBMISSION ID
Example
The role coach can no longer perform queries or modify data in the cycling keyspace:
REVOKE SELECT, MODIFY ON KEYSPACE cycling FROM coach;
Restriction: Because of inheritance, the user can still perform SELECT queries on cycling.name if one of these conditions is met:
- The user is a superuser.
- The user has SELECT on ALL KEYSPACES permissions.
- The user has SELECT on the cycling keyspace.
The role coach can no longer perform ALTER commands in the cycling keyspace:
REVOKE ALTER ON KEYSPACE cycling FROM coach;
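The Restriction above is the part of REVOKE that is easy to get wrong in practice: a keyspace-level revoke does nothing about a grant held higher in the hierarchy. The following cqlsh session is an added example, not taken from the DataStax documentation. The role coach, the keyspace cycling, the table cycling.name and the grants it sets up are constructed for illustration, and it assumes a DSE cluster with authentication and authorization enabled, run as a superuser. It uses LIST PERMISSIONS after each REVOKE to confirm what the role still holds.

```sql
-- Added example (not from the DataStax page): revoke at one level of the
-- resource hierarchy, then verify the effective permissions before trusting
-- that access is gone. Names below are constructed for illustration.

-- Constructed fixture: a keyspace, a table and a non-superuser login role.
CREATE KEYSPACE IF NOT EXISTS cycling
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
CREATE TABLE IF NOT EXISTS cycling.name (id int PRIMARY KEY, lastname text);
CREATE ROLE IF NOT EXISTS coach WITH PASSWORD = 'change-me' AND LOGIN = true;

-- Grants at several levels: the keyspace, the top of the data hierarchy,
-- the function resource for the keyspace, and a delegated AUTHORIZE that is
-- limited to SELECT.
GRANT SELECT, MODIFY ON KEYSPACE cycling TO coach;
GRANT SELECT ON ALL KEYSPACES TO coach;
GRANT ALTER ON ALL FUNCTIONS IN KEYSPACE cycling TO coach;
GRANT AUTHORIZE FOR SELECT ON KEYSPACE cycling TO coach;

-- The statement from the page: SELECT and MODIFY on the keyspace go away.
REVOKE SELECT, MODIFY ON KEYSPACE cycling FROM coach;

-- What the role holds directly on the keyspace. NORECURSIVE hides
-- permissions inherited from ALL KEYSPACES, so only AUTHORIZE FOR SELECT
-- should remain here.
LIST ALL PERMISSIONS ON KEYSPACE cycling OF coach NORECURSIVE;

-- Effective permissions on the table. SELECT is still listed, inherited
-- from ALL KEYSPACES: this is the inheritance restriction the page
-- describes, and the check to run before assuming the revoke closed access.
LIST SELECT ON TABLE cycling.name OF coach;

-- Close the hole at the top of the hierarchy and re-check the table.
REVOKE SELECT ON ALL KEYSPACES FROM coach;
LIST SELECT ON TABLE cycling.name OF coach;

-- Take back the delegated grant rights and the function-resource permission.
REVOKE AUTHORIZE FOR SELECT ON KEYSPACE cycling FROM coach;
REVOKE ALTER ON ALL FUNCTIONS IN KEYSPACE cycling FROM coach;

-- Final state: the role should hold nothing anywhere.
LIST ALL PERMISSIONS OF coach;
```

LIST PERMISSIONS reports the stored grants, so it reflects a REVOKE immediately; the CAUTION at the top of the page is about the per-node permissions cache, which a session that was already authorized keeps using until the cache entry expires (the validity window is set by permissions_validity_in_ms in cassandra.yaml). When a revoke must take effect at once, shorten that window in advance or plan for the delay; checking only LIST PERMISSIONS will not reveal that a cached entry is still being honored.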