Revoke

REVOKE
  privilege_type [, privilege_type ] ...
  ON (CATALOG | DATABASE <database-name> | TABLE <table-name> | VIEW <view-name> | FUNCTION <function-name> | ANONYMOUS FUNCTION | ANY FILE)
  FROM principal

privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

principal
  : `<user>@<domain-name>` | <group-name>

Revoke an explicitly granted or denied privilege on an object from a user or principal. A REVOKE is strictly scoped to the object specified in the command and does not cascade to contained objects.

To revoke a privilege from all users, specify the keyword users after FROM.

For example, suppose there is a database db with tables t1 and t2. A user is initially granted SELECT privileges on db and on t1. The user can access t2 due to the GRANT on the database db.

If the administrator revokes the SELECT privilege on db, the user will no longer be able to access t2, but will still be able to access t1 since there is an explicit GRANT on table t1.

If the administrator instead revokes the SELECT on table t1 but still keeps the SELECT on database db, the user can still access t1 because the SELECT on the database db implicitly confers privileges on the table t1.
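
The db/t1/t2 scenario above, as an added example (a simplified Python model written for this page, not Databricks code): it lists which explicit grants still confer SELECT on each table after a REVOKE, which is what to check before assuming access is gone. The principal name, the helper names and the "<db>.<table>" naming are assumptions; DENY and group membership are not modelled.

```python
# Simplified model of the rule described above (added example, not Databricks code).
# Assumed hierarchy: CATALOG > DATABASE > TABLE, with tables named "<db>.<table>".
# DENY and group membership are not modelled.

def containers(obj):
    """Return obj followed by every object that contains it."""
    kind, name = obj
    chain = [obj]
    if kind == "TABLE":
        chain.append(("DATABASE", name.split(".")[0]))
    if kind != "CATALOG":
        chain.append(("CATALOG", ""))
    return chain


class Acl:
    def __init__(self):
        self.grants = set()  # explicit (principal, privilege, object) entries

    def grant(self, who, priv, obj):
        self.grants.add((who, priv, obj))

    def revoke(self, who, priv, obj):
        # Strictly scoped: removes only the entry on this object, no cascade.
        self.grants.discard((who, priv, obj))

    def sources(self, who, priv, obj):
        """Objects whose explicit grant still confers priv on obj."""
        return [o for o in containers(obj) if (who, priv, o) in self.grants]


USER = "user@example.com"  # constructed principal
DB, T1, T2 = ("DATABASE", "db"), ("TABLE", "db.t1"), ("TABLE", "db.t2")


def after_revoking(*objects):
    """Start from the page's scenario, revoke SELECT on objects, report access."""
    acl = Acl()
    acl.grant(USER, "SELECT", DB)
    acl.grant(USER, "SELECT", T1)
    for obj in objects:
        acl.revoke(USER, "SELECT", obj)
    # An empty source list means the user can no longer SELECT from that table.
    return {t[1]: acl.sources(USER, "SELECT", t) for t in (T1, T2)}


if __name__ == "__main__":
    for case in ([DB], [T1], [DB, T1]):
        print([o[1] for o in case], "->", after_revoking(*case))
```

Only the case that revokes on both db and t1 leaves t1 with no remaining source.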

Examples

REVOKE ALL PRIVILEGES ON DATABASE default FROM `<user>@<domain-name>`
REVOKE SELECT ON <table-name> FROM `<user>@<domain-name>`