jprdonnelly/impala
1
0
Fork 0
mirror of https://github.com/apache/impala.git synced 2025-12-30 03:01:44 -05:00
Code Issues Projects Releases Wiki Activity
Files
eaefbb90cefc65fc7a0520b8a18f8bf4d03d99ad
impala/docs/topics/impala_revoke.xml
John Russell 8377b9949c Global search/replace: audience="Cloudera" -> audience="hidden". 
For this change to land in master, the audience="hidden" code review
needs to be completed first. Otherwise, the doc build would still work
but the audience="hidden" content would be visible rather than hidden as
desired.

Some work happening in parallel might introduce additional instances of
audience="Cloudera". I suggest addressing those in a followup CR so this
global change can land quickly.

Since the changes apply across so many different files, but are so
narrow in scope, I suggest that the way to validate (check that no
extraneous changes were introduced accidentally) is to diff just the
changed lines:

git diff -U0 HEAD^ HEAD

In patch set 2, I updated other topics marked audience="Cloudera"
by CRs that were pushed in the meantime.

Change-Id: Ic93d89da77e1f51bbf548a522d98d0c4e2fb31c8
Reviewed-on: http://gerrit.cloudera.org:8080/5613
Reviewed-by: John Russell <jrussell@cloudera.com>
Tested-by: Impala Public Jenkins
2017-01-18 19:31:57 +00:00

120 lines
4.9 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd">
<concept rev="2.0.0" id="revoke">
<title>REVOKE Statement (<keyword keyref="impala20"/> or higher only)</title>
<titlealts audience="PDF"><navtitle>REVOKE</navtitle></titlealts>
<prolog>
<metadata>
<data name="Category" value="Impala"/>
<data name="Category" value="DDL"/>
<data name="Category" value="SQL"/>
<data name="Category" value="Security"/>
<data name="Category" value="Sentry"/>
<data name="Category" value="Roles"/>
<data name="Category" value="Administrators"/>
<data name="Category" value="Developers"/>
<data name="Category" value="Data Analysts"/>
<!-- Consider whether to go deeper into categories like Security for the Sentry-related statements. -->
</metadata>
</prolog>
<conbody>
<p rev="2.0.0">
<indexterm audience="hidden">REVOKE statement</indexterm>
<!-- Copied from Sentry docs. Turn into conref. I did some rewording for clarity. -->
The <codeph>REVOKE</codeph> statement revokes roles or privileges on a specified object from groups. Only
Sentry administrative users can revoke the role from a group. The revocation has a cascading effect. For
example, revoking the <codeph>ALL</codeph> privilege on a database also revokes the same privilege for all
the tables in that database.
</p>
<p conref="../shared/impala_common.xml#common/syntax_blurb"/>
<codeblock rev="2.3.0 collevelauth">REVOKE ROLE <varname>role_name</varname> FROM GROUP <varname>group_name</varname>
REVOKE <varname>privilege</varname> ON <varname>object_type</varname> <varname>object_name</varname>
FROM [ROLE] <varname>role_name</varname>
<ph rev="2.3.0">privilege ::= SELECT | SELECT(<varname>column_name</varname>) | INSERT | ALL</ph>
object_type ::= TABLE | DATABASE | SERVER | URI
</codeblock>
<p>
Typically, the object name is an identifier. For URIs, it is a string literal.
</p>
<p rev="2.3.0 collevelauth">
The ability to grant or revoke <codeph>SELECT</codeph> privilege on specific columns is available
in <keyword keyref="impala23_full"/> and higher. See
<xref audience="integrated" href="sg_hive_sql.xml#concept_c2q_4qx_p4/col_level_auth_sentry"/><xref audience="standalone" href="https://www.cloudera.com/documentation/enterprise/latest/topics/sg_hive_sql.html" format="html" scope="external"/>
for details.
</p>
<p conref="../shared/impala_common.xml#common/privileges_blurb"/>
<p>
Only administrative users (those with <codeph>ALL</codeph> privileges on the server, defined in the Sentry
policy file) can use this statement.
</p>
<!-- Turn compatibility info into a conref or series of conrefs. (In both GRANT and REVOKE.) -->
<p conref="../shared/impala_common.xml#common/compatibility_blurb"/>
<p>
<ul>
<li>
The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements are available in CDH 5.2 and
higher.
</li>
<li>
In <ph rev="upstream">CDH 5.1</ph> and higher, Impala makes use of any roles and privileges specified by the
<codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements in Hive, when your system is configured to
use the Sentry service instead of the file-based policy mechanism.
</li>
<li>
The Impala <codeph>GRANT</codeph> and <codeph>REVOKE</codeph> statements do not require the
<codeph>ROLE</codeph> keyword to be repeated before each role name, unlike the equivalent Hive
statements.
</li>
<li conref="../shared/impala_common.xml#common/grant_revoke_single"/>
</ul>
</p>
<p conref="../shared/impala_common.xml#common/cancel_blurb_no"/>
<p conref="../shared/impala_common.xml#common/permissions_blurb_no"/>
<p conref="../shared/impala_common.xml#common/related_info"/>
<p>
<xref href="impala_authorization.xml#authorization"/>, <xref href="impala_grant.xml#grant"/>
<xref href="impala_create_role.xml#create_role"/>, <xref href="impala_drop_role.xml#drop_role"/>,
<xref href="impala_show.xml#show"/>
</p>
</conbody>
</concept>
Reference in New Issue View Git Blame Copy Permalink