Deny

DENY
  privilege_type [, privilege_type ] ...
  ON [CATALOG | DATABASE <database-name> | TABLE <table-name> | VIEW <view-name> | FUNCTION <function-name> | ANONYMOUS FUNCTION | ANY FILE]
  TO principal

privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

principal
  : `<user>@<domain-name>` | <group-name>

Deny a privilege on an object to a user or principal. Denying a privilege on a database (for example a SELECT privilege) has the effect of implicitly denying that privilege on all objects in that database. Denying a specific privilege on the catalog has the effect of implicitly denying that privilege on all databases in the catalog.

To deny a privilege to all users, specify the keyword users after TO.

DENY can be used to ensure that a user or principal cannot access the specified object, despite any implicit or explicit GRANTs. When an object is accessed, Databricks first checks whether there are any explicit or implicit DENYs on the object before checking whether there are any explicit or implicit GRANTs.

For example, suppose there is a database db with tables t1 and t2. A user is initially granted SELECT privileges on db. The user can access t1 and t2 due to the GRANT on the database db.

If the administrator issues a DENY on table t1, the user will no longer be able to access t1. If the administrator issues a DENY on database db, the user will not be able to access any tables in db, even if there is an explicit GRANT on these tables. That is, the DENY always supersedes the GRANT.
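The scenario above written out as the statements an administrator would issue, with a comment after each step stating the user's effective access. This is an added example, not code from the original page; the database db, the tables t1 and t2 and the principal `alice@example.com` are constructed placeholders, and the SHOW GRANTS statements assume that command is available for inspecting the entries on an object.

```sql
-- Constructed scenario: database db with tables t1 and t2.
-- The principal `alice@example.com` is a placeholder user.

-- Initial state: SELECT granted at the database level.
GRANT SELECT ON DATABASE db TO `alice@example.com`;
-- Effective access: t1 readable, t2 readable (both implicitly, via the GRANT on db).

-- Step 1: an explicit DENY on one table overrides the database-level GRANT.
DENY SELECT ON TABLE db.t1 TO `alice@example.com`;
-- Effective access: t1 denied, t2 still readable.

-- Step 2: even an explicit GRANT directly on t2 does not survive a DENY on db,
-- because the DENY on the database is implicitly a DENY on every table in it.
GRANT SELECT ON TABLE db.t2 TO `alice@example.com`;
DENY SELECT ON DATABASE db TO `alice@example.com`;
-- Effective access: t1 denied, t2 denied (DENY supersedes GRANT).

-- Review the explicit entries for this principal; DENY entries are listed
-- alongside GRANT entries, so both can be audited after a change.
SHOW GRANTS `alice@example.com` ON DATABASE db;
SHOW GRANTS `alice@example.com` ON TABLE db.t2;
```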

Example

DENY SELECT ON <table-name> TO `<user>@<domain-name>`;