Revoke

REVOKE
  privilege_type [, privilege_type ] ...
  ON (CATALOG | DATABASE <database-name> | TABLE <table-name> | VIEW <view-name> | FUNCTION <function-name> | ANONYMOUS FUNCTION | ANY FILE)
  FROM principal

privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

principal
  : `<user>@<domain-name>` | <group-name>

Revoke an explicitly granted or denied privilege on an object from a user or principal. A REVOKE is strictly scoped to the object specified in the command and does not cascade to contained objects.

To revoke a privilege from all users, specify the keyword users after FROM.

For example, suppose there is a database db with tables t1 and t2. A user is initially granted SELECT privileges on db and on t1. The user can access t2 due to the GRANT on the database db.

If the administrator revokes the SELECT privilege on db, the user will no longer be able to access t2, but will still be able to access t1 since there is an explicit GRANT on table t1.

If the administrator instead revokes the SELECT on table t1 but still keeps the SELECT on database db, the user can still access t1 because the SELECT on the database db implicitly confers privileges on the table t1.
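The two cases above, as an added example that is not part of the original documentation: a simplified Python model of the scoping rule that reports which explicit grant still confers access after a REVOKE. The dotted object names, the `Acl` class and the principal are assumptions made for illustration; DENY, groups and the catalog level are not modelled.

```python
# Added example: simplified model of REVOKE scoping (database -> table only).
# Assumptions: DENY, groups and the catalog level are not modelled; names are constructed.

class Acl:
    def __init__(self):
        self.grants = set()  # explicit (principal, privilege, object) entries

    def grant(self, principal, privilege, obj):
        self.grants.add((principal, privilege, obj))

    def revoke(self, principal, privilege, obj):
        # Strictly scoped: only the entry on the named object is removed.
        self.grants.discard((principal, privilege, obj))

    def conferring_grants(self, principal, privilege, obj):
        """Objects whose explicit grant still gives `principal` access to `obj`."""
        parts = obj.split(".")  # "db.t1" is covered by "db.t1" or by "db"
        scopes = [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
        return [s for s in scopes if (principal, privilege, s) in self.grants]


USER = "alice@example.com"  # constructed principal


def initial_acl():
    acl = Acl()
    acl.grant(USER, "SELECT", "db")     # database-level grant
    acl.grant(USER, "SELECT", "db.t1")  # explicit table-level grant
    return acl


def after_revoke(obj):
    """Revoke SELECT on `obj`, then report what still confers access to each table."""
    acl = initial_acl()
    acl.revoke(USER, "SELECT", obj)
    return {t: acl.conferring_grants(USER, "SELECT", t) for t in ("db.t1", "db.t2")}


if __name__ == "__main__":
    print("REVOKE on db   :", after_revoke("db"))     # t1 kept via its own grant, t2 lost
    print("REVOKE on db.t1:", after_revoke("db.t1"))  # t1 and t2 kept via the grant on db
```

An empty list means access is gone; a non-empty list names the grant that must also be revoked to remove access.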

Examples

REVOKE ALL PRIVILEGES ON DATABASE default FROM `<user>@<domain-name>`
REVOKE SELECT ON <table-name> FROM `<user>@<domain-name>`