Synopsis

Use the REVOKE PERMISSION statement to revoke a permission (or all the granted permissions) from a role.

When a database object is deleted (keyspace, table, or role), all the permissions on that object are automatically deleted.

This statement is enabled by setting the YB-TServer flag --use_cassandra_authentication to true.

Syntax

Diagram

revoke_permission

REVOKE ( all_permissions | permission ) ON resource FROM role_name

all_permissions

ALL [ PERMISSIONS ]

permission

( CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE ) [ PERMISSION ]

resource

ALL ( KEYSPACES | ROLES ) | KEYSPACE keyspace_name | [ TABLE ] table_name | ROLE role_name

Grammar

revoke_permission := REVOKE ( all_permissions | permission ) ON resource FROM role_name;
all_permissions := ALL [ PERMISSIONS ];
permission := ( CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE ) [ PERMISSION ];
resource := ALL ( KEYSPACES | ROLES ) | KEYSPACE keyspace_name | [ TABLE ] table_name | ROLE role_name;

Where

  • keyspace_name, table_name, and role_name are text identifiers (table_name may be qualified with a keyspace name).

Semantics

The AUTHORIZE permission on ALL ROLES or on the role being used in the statement is required. Otherwise, an unauthorized error is returned.

Examples

ycqlsh:example> REVOKE CREATE ON KEYSPACE qa FROM fred;
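
The statements below are an added example, not part of the original page. They walk through each resource form in the grammar and then check what remains in YCQL's system_auth.role_permissions table. The table qa.results and the role qa_admin are hypothetical names, and the session is assumed to hold AUTHORIZE on ALL ROLES or on fred.

```cql
-- Constructed example: keyspace qa, table qa.results, and roles fred and
-- qa_admin are hypothetical. Run as a role that holds AUTHORIZE on
-- ALL ROLES or on fred, as the Semantics section requires.

-- Single permission on a keyspace; the PERMISSION keyword is optional.
REVOKE CREATE ON KEYSPACE qa FROM fred;
REVOKE ALTER PERMISSION ON KEYSPACE qa FROM fred;

-- Table resource: the TABLE keyword is optional and the table name
-- may be qualified with its keyspace.
REVOKE MODIFY ON TABLE qa.results FROM fred;
REVOKE SELECT ON qa.results FROM fred;

-- Role resource: fred can no longer grant or revoke permissions
-- on qa_admin.
REVOKE AUTHORIZE ON ROLE qa_admin FROM fred;

-- Everything granted on one keyspace, then on the two ALL resources.
REVOKE ALL PERMISSIONS ON KEYSPACE qa FROM fred;
REVOKE ALL ON ALL KEYSPACES FROM fred;
REVOKE ALL ON ALL ROLES FROM fred;

-- Audit step: list the permissions still recorded for fred.
SELECT * FROM system_auth.role_permissions WHERE role = 'fred';
```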
