Purpose
This statement is used to revoke privileges granted to a user or role, or revoke a role from a user or role.
Limitations and considerations
- An object privilege revocation operation does not cascade. For example, if user
user1grants some privileges to useruser2, revoking the privileges fromuser1does not revoke the corresponding privileges fromuser2. - The user or role to be revoked must exist. Otherwise, an error is returned.
- Roles in the
mandatory_rolessystem variable cannot be revoked. - The
REVOKEstatement takes effect immediately for the current user.
Privilege requirements
Revoke privileges at a specific privilege level: The user must have the privileges to be revoked (for example,
user1must have theSELECTprivilege on tablet1to revoke theSELECTprivilege on tablet1fromuser2), and must have theGRANT OPTIONprivilege.Revoke all privileges and grant options: To revoke all privileges and grant options, the user must have the global
GRANT OPTIONprivilege or theUPDATEandDELETEprivileges on the privilege table.Revoke privileges from a user or role: To revoke a role from a user or role, the user must have the revoked role and the
ADMIN OPTIONprivilege.
For more information about privileges in OceanBase Database, see Privilege types in MySQL mode.
Syntax
Revoke object privileges from a user or role
revoke_stmt1:
REVOKE grant_privileges ON priv_level FROM user_or_role_list;
revoke_stmt2:
REVOKE ALL [PRIVILEGES], GRANT OPTION FROM user_or_role_list;
revoke_stmt3:
REVOKE [IF EXISTS] role_name_list FROM user_or_role_list [IGNORE UNKNOWN USER];
grant_privileges:
priv_type_list
| ALL [PRIVILEGES]
priv_type_list:
priv_type[(column_name_list)] [, priv_type[(column_name_list)] ...]
column_name_list:
column_name [, column_name ...]
priv_level:
*.*
| db_name.*
| db_name.table_name
| CATALOG external_catalog_name
user_or_role_list:
user_or_role [, user_or_role ...]
user_or_role:
user_name | role_name
role_name_list:
role_name [, role_name ...]
Parameters
| Parameter | Description |
|---|---|
| revoke_stmt1 | An SQL statement to revoke privileges at a specific privilege level from a user or role. |
| revoke_stmt2 | An SQL statement to revoke all privileges and grant options from a user or role. |
| revoke_stmt3 | An SQL statement to revoke a role from a user or role. |
| grant_privileges | The type of privileges to be revoked. It can be a list of specific privilege types or all privileges (excluding GRANT OPTION). |
| priv_type_list | A list of specific privilege types. Separate multiple privileges with commas. |
| priv_type | The specific type of privilege. For more information about the different privilege types, see Privileges in MySQL mode. Note: In the current version, the PROXY parameter is only supported as a keyword in the syntax and does not take effect. |
| column_name_list | Optional. A list of columns from which to revoke column-level privileges. If this parameter is not specified, privileges on the entire table or object are revoked. |
| ALL [PRIVILEGES] | All privileges except GRANT OPTION. |
| priv_level | The privilege level. For more information, see priv_level. |
| user_or_role_list | A list of users or roles from which to revoke privileges. Separate multiple users and roles with commas. |
| user_name | The name of a user. |
| role_name | The name of a role. |
| IF EXISTS | If this option is specified, a warning is returned when the revoked role does not exist. Otherwise, an error is returned. |
| role_name_list | A list of roles from which to revoke privileges. Separate multiple roles with commas. |
| IGNORE UNKNOWN USER | If this option is specified, a warning is returned when the grantee (user or role) does not exist. Otherwise, an error is returned. |
| proxy | In the current version, this keyword is only supported in the syntax and does not take effect. |
priv_level
*.*: all tables in all databases.Here is an example:
Revoke the
SELECTandINSERTprivileges from usersuser001anduser002.REVOKE SELECT, INSERT ON *.* FROM user001, user002;db_name.*: all tables in a specified database.db_nameis the name of the specified database.Here is an example:
Revoke the
INSERTprivilege on all tables in thetestdatabase from useruser003.REVOKE INSERT ON test.* FROM user003;db_name.table_name: a specific table in a specified database.Here is an example:
Revoke the
SELECTprivilege on thetbl2table in thetestdatabase from useruser003.REVOKE SELECT ON test.tbl2 FROM user003;CATALOG external_catalog_name: the directory in the catalog.Here is an example:
Revoke the
USE CATALOGprivilege on the Catalog objecttest_odps_catalogfrom the useruser004.REVOKE USE CATALOG ON CATALOG test_odps_catalog FROM user004;
Examples
Example 1: Revoke object privileges
Revoke the SELECT privilege from user test_user001 and view the privileges granted to ALL PRIVILEGES.
Grant the
ALL PRIVILEGESprivilege to usertest_user001.GRANT ALL PRIVILEGES ON *.* TO test_user001;View the privileges granted to user
test_user001.SHOW GRANTS FOR test_user001;The return result is as follows:
+-----------------------------------------------+ | Grants for test_user001@% | +-----------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO 'test_user001' | +-----------------------------------------------+ 1 row in setRevoke the
SELECTprivilege from usertest_user001.REVOKE SELECT ON *.* FROM test_user001;View the privileges granted to user
test_user001again.SHOW GRANTS FOR test_user001;The return result is as follows:
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Grants for test_user001@% | +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | GRANT ALTER, CREATE, CREATE USER, DELETE, DROP, INSERT, UPDATE, INDEX, CREATE VIEW, SHOW VIEW, SHOW DATABASES, SUPER, PROCESS, CREATE_SYNONYM, REFERENCES, FILE, ALTER TENANT, ALTER SYSTEM, CREATE RESOURCE POOL, CREATE RESOURCE UNIT, REPLICATION SLAVE, REPLICATION CLIENT, DROP DATABASE LINK, CREATE DATABASE LINK, EXECUTE, ALTER ROUTINE, CREATE ROUTINE, CREATE TABLESPACE, SHUTDOWN, RELOAD, CREATE ROLE, DROP ROLE, TRIGGER ON *.* TO 'test_user001' | +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 1 row in set
Example 2: Revoke all privileges from a user
Revoke all privileges from user test_user002.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM test_user002;
Example 3: Revoke a role from a user or role
Revoke role
role001from rolerole002.REVOKE role001 FROM role002;Revoke role
role001from useruser001.REVOKE role001 FROM user001;