REVOKE PERMISSION
This page documents the preview version (v2.23). Preview includes features under active development and is for development and testing only. For production, use the stable version (v2024.1). To learn more, see Versioning.
Synopsis
Use the REVOKE PERMISSION statement to revoke a permission (or all the granted permissions) from a role.
When a database object is deleted (keyspace, table, or role), all the permissions on that object are automatically deleted.
This statement is enabled by setting the YB-TServer flag --use_cassandra_authentication to true.
Syntax
Grammar
revoke_permission := REVOKE ( all_permissions | permission ) ON resource FROM role_name;
all_permissions := ALL [ PERMISSIONS ]
permission := ( CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE ) [ PERMISSION ]
resource := ALL ( KEYSPACES | ROLES ) | KEYSPACE keyspace_name | [ TABLE ] table_name | ROLE role_name
Where
keyspace_name, table_name, and role_name are text identifiers (table_name may be qualified with a keyspace name).
Semantics
The AUTHORIZE permission on ALL ROLES, or on the role being used in the statement, is required. Otherwise, an unauthorized error is returned.
Examples
ycqlsh:example> REVOKE CREATE ON KEYSPACE qa FROM fred;
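A longer session that reduces an over-privileged role to read-only access and then checks the result. This is an added example, not part of the original page. The role app_reader, the table qa.results and the granted permissions are constructed sample values, and the verification query assumes the system_auth.role_permissions table is readable by the current role.

```cql
-- Added example with constructed names (app_reader, qa.results).
-- Run as a role that holds AUTHORIZE on ALL ROLES or on app_reader;
-- otherwise the REVOKE statements return an unauthorized error.

-- Setup: a role that was granted more than it needs.
CREATE KEYSPACE IF NOT EXISTS qa;
CREATE TABLE IF NOT EXISTS qa.results (id INT PRIMARY KEY, outcome TEXT);
CREATE ROLE IF NOT EXISTS app_reader;
GRANT ALL PERMISSIONS ON KEYSPACE qa TO app_reader;
GRANT SELECT ON TABLE qa.results TO app_reader;
GRANT MODIFY ON TABLE qa.results TO app_reader;

-- 1. Revoke one permission on a table (table name qualified with its keyspace).
REVOKE MODIFY ON TABLE qa.results FROM app_reader;

-- 2. Revoke everything that was granted at keyspace level in one statement.
REVOKE ALL PERMISSIONS ON KEYSPACE qa FROM app_reader;

-- 3. Verify. Expected: the only entry left for app_reader is SELECT on
--    qa.results, because table-level grants are separate from keyspace-level ones.
SELECT * FROM system_auth.role_permissions;

-- 4. Dropping the object removes the remaining grant automatically,
--    so no REVOKE is needed before the DROP.
DROP TABLE qa.results;
SELECT * FROM system_auth.role_permissions;
```

Re-running the verification query after every REVOKE in a change script confirms that the role ended up with the intended permission set rather than the assumed one.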