You can use the REVOKE syntax to revoke the specified permissions from a user. You can execute the SHOW PRIVILEGES statement to view the permissions granted to all users. Then, you can execute the REVOKE statement to revoke inappropriate permissions from a specific user.
Applicable engines and versions
The REVOKE syntax is applicable to all versions of LindormTable and LindormTSDB.
Syntax
revoke_permission_statement ::= REVOKE privilege_definition ON resource_definition FROM user_identifier
privilege_definition ::= ALL | ALL PRIVILEGE | READ | WRITE | ADMIN | TRASH | SYSTEM
resource_definition ::= GLOBAL | DATABASE identifier | SCHEMA identifier | TABLE identifier
Parameters
Whether a REVOKE statement can be executed successfully depends on the permissions that are granted to the user who executes the statement.
Permission (privilege_definition)
The following table describes the permissions that can be revoked.
Permission | Description |
ALL or ALL PRIVILEGE | Revoke all permissions on the resources from the user, including READ, WRITE, ADMIN, and TRASH. |
READ | Revoke the read permission on the resources from the user. |
WRITE | Revoke the write permission on the resources from the user. |
ADMIN | Revoke the administrator permission on the resources from the user. |
TRASH | Revoke the delete permission on the resources from the user. |
SYSTEM | Revoke the cluster management permissions on the resources from the user. The SYSTEM permission includes the ADMIN permission on the GLOBAL level. |
Resource level (resource_definition)
The following table describes the resource levels on which you can use the REVOKE statement to revoke permissions in LindormTable and LindormTSDB.
Resource level | Supported by LindormTable | Supported by LindormTSDB | Description |
GLOBAL | 〇 | 〇 | Revoke the permissions on global resources from the user. |
DATABASE | 〇 | 〇 | Revoke the permissions on the specified database from the user. The DATABASE level is equivalent to the SCHEMA level. Note LindormTable 2.5.3.3 and later versions support the |
TABLE | 〇 | ✖ | Revoke the permissions on the specified table from the user. |
The following permission levels from high to low are supported: GLOBAL, DATABASE (SCHEMA), and TABLE.
When you use the DATABASE, SCHEMA, or TABLE keyword, you must specify an identifier for that level. For example, DATABASE default and SCHEMA default indicate the database named default, and TABLE test indicates the table named test.
User from which permissions are revoked (user_identifier)
The user_identifier parameter indicates the user from which permissions are revoked.
Examples
Revoke all permissions from a user
Revoke all permissions on the database db1 from a user named user1.
REVOKE ALL ON DATABASE db1 FROM user1;
-- or
REVOKE ALL ON SCHEMA db1 FROM user1;
Revoke the specified permissions from a user
Revoke the ADMIN permission on table2 in the database db2 from a user named user2.
REVOKE ADMIN ON TABLE db2.table2 FROM user2;
Revoke the WRITE permission on table3 from a user named user3.
REVOKE WRITE ON TABLE table3 FROM user3;
Revoke the READ permission on the GLOBAL level from a user named user4.
REVOKE READ ON GLOBAL FROM user4;
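The review-then-revoke workflow described at the top of this page can be scripted. The Python helper below is an added example, not part of the Lindorm documentation: it builds REVOKE statements from the grammar and the engine support table above, and rejects anything that does not fit them. The function names, the tuple layout of the grant list (constructed sample data, not SHOW PRIVILEGES output) and the identifier pattern are assumptions.

```python
import re

# Keywords from the grammar on this page.
PRIVILEGES = {"ALL", "ALL PRIVILEGE", "READ", "WRITE", "ADMIN", "TRASH", "SYSTEM"}
# Resource levels per engine, from the support table (TABLE: LindormTable only).
LEVELS = {"LindormTable": {"GLOBAL", "DATABASE", "TABLE"},
          "LindormTSDB": {"GLOBAL", "DATABASE"}}
# Assumption: a conservative identifier pattern, not Lindorm's full naming rules.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_revoke(engine, privilege, level, name, user):
    """Return one REVOKE statement, or raise ValueError if it breaks the rules."""
    privilege = " ".join(privilege.upper().split())
    level = level.upper()
    if level == "SCHEMA":  # the page treats SCHEMA as equivalent to DATABASE
        level = "DATABASE"
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege: {privilege!r}")
    if level not in LEVELS.get(engine, ()):
        raise ValueError(f"{level} level is not supported by {engine}")
    if not IDENT.fullmatch(user):
        raise ValueError(f"unsafe user identifier: {user!r}")
    if level == "GLOBAL":
        if name:
            raise ValueError("GLOBAL takes no identifier")
        return f"REVOKE {privilege} ON GLOBAL FROM {user};"
    parts = name.split(".")  # db2.table2 form is allowed for TABLE only
    if len(parts) > (2 if level == "TABLE" else 1) or not all(
            IDENT.fullmatch(p) for p in parts):
        raise ValueError(f"unsafe {level} identifier: {name!r}")
    return f"REVOKE {privilege} ON {level} {name} FROM {user};"


def revokes_for_excess(engine, granted, allowed):
    """REVOKE statements for every grant that is not in the allowed set."""
    excess = sorted(set(granted) - set(allowed))
    return [build_revoke(engine, priv, level, name, user)
            for user, priv, level, name in excess]


# Constructed sample data: (user, privilege, level, identifier) tuples.
GRANTED = [("user2", "ADMIN", "TABLE", "db2.table2"),
           ("user2", "READ", "TABLE", "db2.table2"),
           ("user4", "READ", "GLOBAL", "")]
ALLOWED = [("user2", "READ", "TABLE", "db2.table2")]

if __name__ == "__main__":
    print("\n".join(revokes_for_excess("LindormTable", GRANTED, ALLOWED)))
```

Validating identifiers before formatting keeps a malformed user or table name from altering the generated statement; names that need quoting are refused rather than escaped.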