This is an automated email from the ASF dual-hosted git repository. luzhijing pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push: new bc48cbff83 [doc](auth)auth doc (#17358) bc48cbff83 is described below commit bc48cbff8321e6aade5c9bfc4b506431fea25c52 Author: zhangdong <493738...@qq.com> AuthorDate: Tue Mar 7 08:05:09 2023 +0800 [doc](auth)auth doc (#17358) * auth doc * auth en doc * add note --- .../admin-manual/privilege-ldap/user-privilege.md | 64 +++++++++++++++++---- .../Account-Management-Statements/ALTER-USER.md | 66 ++++++++-------------- .../Account-Management-Statements/GRANT.md | 19 ++++++- .../Account-Management-Statements/REVOKE.md | 18 +++++- .../admin-manual/privilege-ldap/user-privilege.md | 64 +++++++++++++++++---- .../Account-Management-Statements/ALTER-USER.md | 62 +++++++------------- .../Account-Management-Statements/GRANT.md | 19 ++++++- .../Account-Management-Statements/REVOKE.md | 19 ++++++- 8 files changed, 223 insertions(+), 108 deletions(-) diff --git a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md index 097ccd413c..6409d792b5 100644 --- a/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/en/docs/admin-manual/privilege-ldap/user-privilege.md 
@@ -50,18 +50,62 @@ Doris's new privilege management system refers to Mysql's privilege management m User attributes include, but are not limited to, the maximum number of user connections, import cluster configuration, and so on. +## Permission framework + +Doris permission design is based on RBAC (Role-Based Access Control) permission management model. Users are associated with roles, roles and permissions, and users are associated with permissions indirectly through roles. + +When a role is deleted, the user automatically loses all permissions of the role. + +When a user and a role are disassociated, the user automatically loses all permissions of the role. + +When the role's permissions are added or deleted, the user's permissions will also change. + +``` +┌────────┐ ┌────────┐ ┌────────┐ +│ user1 ├────┬───► role1 ├────┬────► priv1 │ +└────────┘ │ └────────┘ │ └────────┘ + │ │ + │ │ + │ ┌────────┐ │ + │ │ role2 ├────┤ +┌────────┐ │ └────────┘ │ ┌────────┐ +│ user2 ├────┘ │ ┌─► priv2 │ +└────────┘ │ │ └────────┘ + ┌────────┐ │ │ + ┌──────► role3 ├────┘ │ + │ └────────┘ │ + │ │ + │ │ +┌────────┐ │ ┌────────┐ │ ┌────────┐ +│ userN ├─┴──────► roleN ├───────┴─► privN │ +└────────┘ └────────┘ └────────┘ +``` + +As shown in the figure above: + +Both user1 and user2 have priv1 permissions through role1. + +UserN has priv1 permissions through role3, priv2 and privN permissions through roleN, so userN has priv1, priv2 and privN permissions at the same time. + +In order to facilitate user operation, users can be authorized directly. In the underlying implementation, a default role dedicated to the user is created for each user. When authorizing a user, it is actually authorizing the user's default role. + +The default role cannot be deleted or assigned to others. When a user is deleted, the default role will also be deleted automatically. + ## Supported operations -1. Create users: CREATE USER -2. Delete users: DROP USER -3. Authorization: GRANT -4. Withdrawal: REVOKE -5. 
Create role: CREATE ROLE -6. Delete Roles: DROP ROLE -7. View current user privileges: SHOW GRANTS -8. View all user privilegesSHOW ALL GRANTS; -9. View the created roles: SHOW ROLES -10. View user attributes: SHOW PROPERTY +1. Create users: [CREATE USER](../../sql-manual/sql-reference/Account-Management-Statements/CREATE-USER.md) +2. Alter users: [ALTER USER](../../sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md) +3. Delete users: [DROP USER](../../sql-manual/sql-reference/Account-Management-Statements/DROP-USER.md) +4. Authorization/Assign roles: [GRANT](../../sql-manual/sql-reference/Account-Management-Statements/GRANT.md) +5. Withdrawal/REVOKE roles: [REVOKE](../../sql-manual/sql-reference/Account-Management-Statements/REVOKE.md) +6. Create role: [CREATE ROLE](../../sql-manual/sql-reference/Account-Management-Statements/CREATE-ROLE.md) +7. Delete roles: [DROP ROLE](../../sql-manual/sql-reference/Account-Management-Statements/DROP-ROLE.md) +8. View current user privileges: [SHOW GRANTS](../../sql-manual/sql-reference/Show-Statements/SHOW-GRANTS.md) +9. View all user privileges: [SHOW ALL GRANTS](../../sql-manual/sql-reference/Show-Statements/SHOW-GRANTS.md) +10. View the created roles: [SHOW ROLES](../../sql-manual/sql-reference/Show-Statements/SHOW-ROLES.md) +11. Set user properties: [SET PROPERTY](../../sql-manual/sql-reference/Account-Management-Statements/SET-PROPERTY.md) +12. View user properties: [SHOW PROPERTY](../../sql-manual/sql-reference/Show-Statements/SHOW-PROPERTY.md) +13. Change password :[SET PASSWORD](../../sql-manual/sql-reference/Account-Management-Statements/SET-PASSWORD.md) For detailed help with the above commands, you can use help + command to get help after connecting Doris through the MySQL client. For example `HELP CREATE USER`. 
diff --git a/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md b/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md index 56a7ab3035..8fa227897f 100644 --- a/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md +++ b/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md @@ -32,11 +32,14 @@ ALTER USER ### Description -The ALTER USER command is used to modify a user's account attributes, including roles, passwords, and password policies, etc. +The ALTER USER command is used to modify a user's account attributes, including passwords, and password policies, etc. + +>Note that. +> +>This command give over supports modifying user roles. Please use [GRANT](./GRANT.md) and [REVOKE](./REVOKE.md) for related operations ```sql ALTER USER [IF EXISTS] user_identity [IDENTIFIED BY 'password'] -[DEFAULT ROLE 'role_name'] [password_policy] user_identity: 
@@ -58,37 +61,30 @@ About `user_identity` and `password_policy`, Please refer to `CREATE USER`. In an ALTER USER command, only one of the following account attributes can be modified at the same time: 1. Change password -2. Modify the role -3. Modify `PASSWORD_HISTORY` -4. Modify `PASSWORD_EXPIRE` -5. Modify `FAILED_LOGIN_ATTEMPTS` and `PASSWORD_LOCK_TIME` -6. Unlock users +2. Modify `PASSWORD_HISTORY` +3. Modify `PASSWORD_EXPIRE` +4. Modify `FAILED_LOGIN_ATTEMPTS` and `PASSWORD_LOCK_TIME` +5. Unlock users ### Example 1. Change the user's password - ``` - ALTER USER jack@‘%’ IDENTIFIED BY "12345"; - ``` - -2. Modify the role of the user - - ``` - ALTER USER jack@'192.168.%' DEFAULT ROLE "role2"; - ``` + ``` + ALTER USER jack@‘%’ IDENTIFIED BY "12345"; + ``` -3. Modify the user's password policy +2. Modify the user's password policy - ``` - ALTER USER jack@'%' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 DAY; - ``` + ``` + ALTER USER jack@'%' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 DAY; + ``` -4. Unlock a user +3. Unlock a user - ``` - ALTER USER jack@'%' ACCOUNT_UNLOCK - ``` + ``` + ALTER USER jack@'%' ACCOUNT_UNLOCK + ``` ### Keywords 
@@ -96,24 +92,8 @@ In an ALTER USER command, only one of the following account attributes can be mo ### Best Practice -1. Modify the role - - If the user previously belonged to role A, when the user role is modified, all permissions corresponding to role A on the user will be revoked first, and then all permissions corresponding to the new role will be granted. - - Note that if the user has been granted a certain permission before, and role A also includes this permission, after modifying the role, the individually granted permission will also be revoked. - - for example: - - Suppose roleA has the privilege: `select_priv on db1.*`, create user user1 and set the role to roleA. - - Then give the user this privilege separately: `GRANT select_priv, load_priv on db1.* to user1` - - roleB has the privilege `alter_priv on db1.tbl1`. At this time, modify the role of user1 to B. - - Then finally user1 has `alter_priv on db1.tbl1` and `load_priv on db1.*` permissions. - -2. Modify the password policy +1. Modify the password policy - 1. Modify `PASSWORD_EXPIRE` will reset the timing of password expiration time. + 1. Modify `PASSWORD_EXPIRE` will reset the timing of password expiration time. - 2. Modify `FAILED_LOGIN_ATTEMPTS` or `PASSWORD_LOCK_TIME` will unlock the user. \ No newline at end of file + 2. Modify `FAILED_LOGIN_ATTEMPTS` or `PASSWORD_LOCK_TIME` will unlock the user. \ No newline at end of file diff --git a/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md b/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md index 05dff1c354..859cf18057 100644 --- a/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md +++ b/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md 
@@ -32,12 +32,21 @@ GRANT ### Description -The GRANT command is used to grant the specified user or role specified permissions +The GRANT command has the following functions: + +1. Grant the specified permissions to a user or role. +2. Grant the specified role to a user. + +>Note that. +> +>"Grant the specified role to the user" is not supported in the current version ```sql GRANT privilege_list ON priv_level TO user_identity [ROLE role_name] GRANT privilege_list ON RESOURCE resource_name TO user_identity [ROLE role_name] + +GRANT role_list TO user_identity ```` privilege_list is a list of privileges to be granted, separated by commas. Currently Doris supports the following permissions: @@ -83,6 +92,8 @@ user_identity: You can also assign permissions to the specified ROLE, if the specified ROLE does not exist, it will be created automatically. +role_list is the list of roles to be assigned, separated by commas,the specified role must exist. + ### Example 1. Grant permissions to all catalog and databases and tables to the user @@ -121,6 +132,12 @@ user_identity: GRANT USAGE_PRIV ON RESOURCE 'spark_resource' TO ROLE 'my_role'; ```` +7. Grant the specified role to a user + + ```sql + GRANT 'role1','role2' TO 'jack'@'%'; + ``` + ### Keywords GRANT diff --git a/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/REVOKE.md b/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/REVOKE.md index 1b80161cf8..a17f28e906 100644 --- a/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/REVOKE.md +++ b/docs/en/docs/sql-manual/sql-reference/Account-Management-Statements/REVOKE.md 
@@ -32,12 +32,21 @@ REVOKE ### Description -The REVOKE command is used to revoke the privileges assigned by the specified user or role. +The REVOKE command has the following functions: + +1. Revoke the specified permission of a user or a role. +2. Revoke the specified role previously granted to a user. + +>Note that. +> +>"Revoke the specified role previously granted to a user" is not supported in the current version ```sql REVOKE privilege_list ON db_name[.tbl_name] FROM user_identity [ROLE role_name] REVOKE privilege_list ON RESOURCE resource_name FROM user_identity [ROLE role_name] + +REVOKE role_list FROM user_identity ```` user_identity: @@ -46,6 +55,8 @@ The user_identity syntax here is the same as CREATE USER. And must be a user_ide It is also possible to revoke the permissions of the specified ROLE, the executed ROLE must exist. +role_list is the list of roles to be revoked, separated by commas. The specified roles must exist. + ### Example 1. Revoke the permission of user jack database testDb @@ -59,6 +70,11 @@ It is also possible to revoke the permissions of the specified ROLE, the execute ```sql REVOKE USAGE_PRIV ON RESOURCE 'spark_resource' FROM 'jack'@'192.%'; ```` +3. Revoke the roles role1 and role2 previously granted to jack + + ```sql + REVOKE 'role1','role2' FROM 'jack'@'192.%'; + ``` ### Keywords diff --git a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md index 82ea81be46..67d18654fc 100644 --- a/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md +++ b/docs/zh-CN/docs/admin-manual/privilege-ldap/user-privilege.md 
@@ -50,18 +50,62 @@ Doris 新的权限管理系统参照了 Mysql 的权限管理机制,做到了 用户属性包括但不限于: 用户最大连接数、导入集群配置等等。 +## 权限框架 + +Doris权限设计基于RBAC(Role-Based Access Control)的权限管理模型,用户和角色关联,角色和权限关联,用户通过角色间接和权限关联。 + +当角色被删除时,用户自动失去该角色的所有权限。 + +当用户和角色取消关联,用户自动失去角色的所有权限。 + +当角色的权限被增加或删除,用户的权限也会随之变更。 + +``` +┌────────┐ ┌────────┐ ┌────────┐ +│ user1 ├────┬───► role1 ├────┬────► priv1 │ +└────────┘ │ └────────┘ │ └────────┘ + │ │ + │ │ + │ ┌────────┐ │ + │ │ role2 ├────┤ +┌────────┐ │ └────────┘ │ ┌────────┐ +│ user2 ├────┘ │ ┌─► priv2 │ +└────────┘ │ │ └────────┘ + ┌────────┐ │ │ + ┌──────► role3 ├────┘ │ + │ └────────┘ │ + │ │ + │ │ +┌────────┐ │ ┌────────┐ │ ┌────────┐ +│ userN ├─┴──────► roleN ├───────┴─► privN │ +└────────┘ └────────┘ └────────┘ +``` + +如上图所示: + +user1和user2都是通过role1拥有了priv1的权限。 + +userN通过role3拥有了priv1的权限,通过roleN拥有了priv2和privN的权限,因此userN同时拥有priv1,priv2和privN的权限。 + +为了方便用户操作,是可以直接给用户授权的,底层实现上,是为每个用户创建了一个专属于该用户的默认角色,当给用户授权时,实际上是在给该用户的默认角色授权。 + +默认角色不能被删除,不能被分配给其他人,删除用户时,默认角色也自动删除。 + ## 支持的操作 -1. 创建用户:CREATE USER -2. 删除用户:DROP USER -3. 授权:GRANT -4. 撤权:REVOKE -5. 创建角色:CREATE ROLE -6. 删除角色:DROP ROLE -7. 查看当前用户权限:SHOW GRANTS -8. 查看所有用户权限:SHOW ALL GRANTS -9. 查看已创建的角色:SHOW ROLES -10. 查看用户属性:SHOW PROPERTY +1. 创建用户:[CREATE USER](../../sql-manual/sql-reference/Account-Management-Statements/CREATE-USER.md) +2. 修改用户:[ALTER USER](../../sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md) +3. 删除用户:[DROP USER](../../sql-manual/sql-reference/Account-Management-Statements/DROP-USER.md) +4. 授权/分配角色:[GRANT](../../sql-manual/sql-reference/Account-Management-Statements/GRANT.md) +5. 撤权/撤销角色:[REVOKE](../../sql-manual/sql-reference/Account-Management-Statements/REVOKE.md) +6. 创建角色:[CREATE ROLE](../../sql-manual/sql-reference/Account-Management-Statements/CREATE-ROLE.md) +7. 删除角色:[DROP ROLE](../../sql-manual/sql-reference/Account-Management-Statements/DROP-ROLE.md) +8. 查看当前用户权限和角色:[SHOW GRANTS](../../sql-manual/sql-reference/Show-Statements/SHOW-GRANTS.md) +9. 
查看所有用户权限和角色:[SHOW ALL GRANTS](../../sql-manual/sql-reference/Show-Statements/SHOW-GRANTS.md) +10. 查看已创建的角色:[SHOW ROLES](../../sql-manual/sql-reference/Show-Statements/SHOW-ROLES.md) +11. 设置用户属性: [SET PROPERTY](../../sql-manual/sql-reference/Account-Management-Statements/SET-PROPERTY.md) +12. 查看用户属性:[SHOW PROPERTY](../../sql-manual/sql-reference/Show-Statements/SHOW-PROPERTY.md) +13. 修改密码:[SET PASSWORD](../../sql-manual/sql-reference/Account-Management-Statements/SET-PASSWORD.md) 关于以上命令的详细帮助,可以通过 mysql 客户端连接 Doris 后,使用 help + command 获取帮助。如 `HELP CREATE USER`。 diff --git a/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md b/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md index 313a6eb678..199246ec0a 100644 --- a/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md +++ b/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/ALTER-USER.md @@ -32,11 +32,14 @@ ALTER USER ### Description -ALTER USER 命令用于修改一个用户的账户属性,包括角色、密码、和密码策略等 +ALTER USER 命令用于修改一个用户的账户属性,包括密码、和密码策略等 + +>注意: +> +>此命令不再支持修改用户角色,相关操作请使用[GRANT](./GRANT.md)和[REVOKE](./REVOKE.md) ```sql ALTER USER [IF EXISTS] user_identity [IDENTIFIED BY 'password'] -[DEFAULT ROLE 'role_name'] [password_policy] user_identity: 
@@ -58,37 +61,30 @@ password_policy: 在一个 ALTER USER 命令中,只能同时对以下账户属性中的一项进行修改: 1. 修改密码 -2. 修改角色 -3. 修改 `PASSWORD_HISTORY` -4. 修改 `PASSWORD_EXPIRE` -5. 修改 `FAILED_LOGIN_ATTEMPTS` 和 `PASSWORD_LOCK_TIME` -6. 解锁用户 +2. 修改 `PASSWORD_HISTORY` +3. 修改 `PASSWORD_EXPIRE` +4. 修改 `FAILED_LOGIN_ATTEMPTS` 和 `PASSWORD_LOCK_TIME` +5. 解锁用户 ### Example 1. 修改用户的密码 - ``` - ALTER USER jack@‘%’ IDENTIFIED BY "12345"; - ``` - -2. 修改用户的角色 - - ``` - ALTER USER jack@'192.168.%' DEFAULT ROLE "role2"; - ``` + ``` + ALTER USER jack@‘%’ IDENTIFIED BY "12345"; + ``` -3. 修改用户的密码策略 +2. 修改用户的密码策略 - ``` - ALTER USER jack@'%' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 DAY; - ``` + ``` + ALTER USER jack@'%' FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1 DAY; + ``` -4. 解锁一个用户 +3. 解锁一个用户 - ``` - ALTER USER jack@'%' ACCOUNT_UNLOCK - ``` + ``` + ALTER USER jack@'%' ACCOUNT_UNLOCK + ``` ### Keywords @@ -96,23 +92,7 @@ password_policy: ### Best Practice -1. 修改角色 - - 如果用户之前属于角色A,则在修改用户角色时,会首先撤销该用户上,角色A对应的所有权限,然后再赋予新角色对应的所有权限。 - - 注意,如果之前单独赋予过该用户某个权限,而角色A也包含这个权限,则在修改角色后,单独赋予的权限也会被撤销。 - - 举例说明: - - 假设 roleA 拥有权限:`select_priv on db1.*`,同时创建用户 user1 并设置角色为 roleA。 - - 之后单独赋予用户该权限:`GRANT select_priv, load_priv on db1.* to user1` - - roleB 拥有权限 `alter_priv on db1.tbl1`。此时修改 user1 的角色为 B。 - - 则最终 user1 拥有 `alter_priv on db1.tbl1` 和 `load_priv on db1.*` 的权限。 - -2. 修改密码策略 +1. 修改密码策略 1. 修改 `PASSWORD_EXPIRE` 会重置密码过期时间的计时。 diff --git a/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md b/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md index bc9167db51..bc3ed108d6 100644 --- a/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md +++ b/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/GRANT.md 
@@ -32,12 +32,21 @@ GRANT ### Description -GRANT 命令用于赋予指定用户或角色指定的权限 +GRANT 命令有如下功能: + +1. 将指定的权限授予某用户或角色。 +2. 将指定角色授予某用户。 + +>注意: +> +>当前版本尚未支持"将指定角色授予用户" ```sql GRANT privilege_list ON priv_level TO user_identity [ROLE role_name] GRANT privilege_list ON RESOURCE resource_name TO user_identity [ROLE role_name] + +GRANT role_list TO user_identity ``` privilege_list 是需要赋予的权限列表,以逗号分隔。当前 Doris 支持如下权限: @@ -83,6 +92,8 @@ user_identity: 也可以将权限赋予指定的 ROLE,如果指定的 ROLE 不存在,则会自动创建。 +role_list 是需要赋予的角色列表,以逗号分隔,指定的角色必须存在。 + ### Example 1. 授予所有catalog和库表的权限给用户 @@ -121,6 +132,12 @@ user_identity: GRANT USAGE_PRIV ON RESOURCE 'spark_resource' TO ROLE 'my_role'; ``` +7. 将指定角色授予某用户 + + ```sql + GRANT 'role1','role2' TO 'jack'@'%'; + ``` + ### Keywords ``` diff --git a/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/REVOKE.md b/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/REVOKE.md index 26fb4e824e..2a3f93984e 100644 --- a/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/REVOKE.md +++ b/docs/zh-CN/docs/sql-manual/sql-reference/Account-Management-Statements/REVOKE.md @@ -32,12 +32,21 @@ REVOKE ### Description -REVOKE 命令用于撤销指定用户或角色指定的权限。 +REVOKE 命令有如下功能: + +1. 撤销某用户或某角色的指定权限。 +2. 撤销先前授予某用户的指定角色。 + +>注意: +> +>当前版本尚未支持"撤销先前授予某用户的指定角色" ```sql REVOKE privilege_list ON db_name[.tbl_name] FROM user_identity [ROLE role_name] REVOKE privilege_list ON RESOURCE resource_name FROM user_identity [ROLE role_name] + +REVOKE role_list FROM user_identity ``` user_identity: @@ -46,6 +55,8 @@ user_identity: 也可以撤销指定的 ROLE 的权限,执行的 ROLE 必须存在。 +role_list 是需要撤销的角色列表,以逗号分隔,指定的角色必须存在。 + ### Example 1. 撤销用户 jack 数据库 testDb 的权限 
@@ -60,6 +71,12 @@ user_identity: REVOKE USAGE_PRIV ON RESOURCE 'spark_resource' FROM 'jack'@'192.%'; ``` +3. 撤销先前授予jack的角色role1和role2 + + ```sql + REVOKE 'role1','role2' FROM 'jack'@'192.%'; + ``` + ### Keywords REVOKE --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org
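Review bot: In docs/en/docs/admin-manual/privilege-ldap/user-privilege.md (hunk @@ -50,18 +50,62 @@), the first sentence of the new "Permission framework" section drops the verb in its middle clause: "Users are associated with roles, roles and permissions, and users are associated with permissions indirectly through roles". Suggest "roles are associated with permissions". The operations list in the same hunk presents GRANT as "Authorization/Assign roles" and REVOKE as "Withdrawal/REVOKE roles", but the GRANT.md and REVOKE.md hunks in this commit both note that granting or revoking a role for a user is not supported in the current version. Repeat that note here, since this page is where an administrator decides on a role layout. Minor: item 13, "Change password :[SET PASSWORD]", has the space on the wrong side of the colon.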
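Review bot: In the English ALTER-USER.md Description hunk (@@ -32,11 +32,14 @@), the added note "This command give over supports modifying user roles" is ungrammatical and can be misread as "supports"; the zh-CN hunk says "不再支持", so write "This command no longer supports modifying user roles." The note sends readers to GRANT and REVOKE, yet both of those pages, as changed in this commit, say role assignment to a user is not supported in the current version. With `[DEFAULT ROLE 'role_name']` removed from the synopsis, the docs then describe no working way to change a user's role; state that explicitly in the note. "Note that." should also be "Note:" to match the punctuation of the zh-CN "注意:".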
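Review bot: In the ALTER-USER.md Example hunk (@@ -58,37 +61,30 @@, both en and zh-CN), the re-indented password example still carries typographic quotes: ALTER USER jack@‘%’ IDENTIFIED BY "12345";. Those characters are not SQL string delimiters, and since the line is being rewritten anyway it should become jack@'%'. The unlock example, ALTER USER jack@'%' ACCOUNT_UNLOCK, is missing the terminating semicolon that the other two examples have. The three fences in this hunk are untagged, while the examples added to GRANT.md and REVOKE.md in this commit use sql-tagged fences; tag these the same way.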
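Review bot: In the ALTER-USER.md Best Practice hunk (@@ -96,24 +92,8 @@), the English file still ends with "\ No newline at end of file" on the new side; add the trailing newline while the last line is being touched. The two retained sub-items read "Modify `PASSWORD_EXPIRE` will reset ..." and "Modify `FAILED_LOGIN_ATTEMPTS` or `PASSWORD_LOCK_TIME` will unlock the user"; use "Modifying". The second of these is worth a sentence of emphasis rather than a sub-bullet, because a routine policy change silently unlocks an account that was locked after failed logins.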
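Review bot: In GRANT.md (hunks @@ -32,12 +32,21 @@, @@ -83,6 +92,8 @@ and @@ -121,6 +132,12 @@), example 7 and the synopsis line GRANT role_list TO user_identity are added with no marker that they cannot be run, although the Description note in the same file says granting a role to a user is not supported in the current version. Mark both as not yet available, or move the note next to them. The role_list sentence needs a space after the comma in "separated by commas,the specified role must exist", and it should be contrasted with the sentence directly above it: granting privileges to a ROLE that does not exist creates the role automatically, while a role named in role_list must already exist. A reader who sees the two rules side by side without comment will assume the same behaviour for both.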
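Review bot: In REVOKE.md (hunk @@ -59,6 +70,11 @@ in en, @@ -60,6 +71,12 @@ in zh-CN), example 3 revokes from 'jack'@'192.%', while the matching GRANT.md example grants the same roles to 'jack'@'%'. These are different user_identity values, so the pair reads as grant-then-revoke but the revoke would not undo that grant; use the same identity in both examples. In the English file the added "3." line follows the closing fence of example 2 with no blank line between them (the zh-CN hunk has one), which can break list rendering. As in GRANT.md, the example and the REVOKE role_list FROM user_identity synopsis line need a marker that the operation is not supported in the current version.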
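Review bot: In the zh-CN user-privilege.md hunk (@@ -50,18 +50,62 @@), items 8 and 9 say SHOW GRANTS and SHOW ALL GRANTS display "权限和角色" (privileges and roles), while the English items 8 and 9 say only "privileges". Align the two translations on whichever matches the actual output. Item 11, "设置用户属性: [SET PROPERTY]", uses a full-width colon followed by a space, unlike the other items in the list.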