DENY

Denies a privilege on a securable object to a principal. Denying a privilege takes precedent over any explicit or implicit grant.

Denying a privilege on a schema (for example a SELECT privilege) has the effect of implicitly denying that privilege on all objects in that schema. Denying a specific privilege on the catalog implicitly denies that privilege on all schemas in the catalog.

…note:: This statement applies only to the hive_metastore catalog and its objects.

…important:: To undo a DENY you REVOKE the same privilege from the principal.

Syntax

DENY privilege_types ON securable_object TO principal

privilege_types
   { ALL PRIVLEGES |
     privilege_type [, ...] }

Parameters

  • privilege_types

    This identifies one or more privileges the principal is denied.

    • ALL PRIVILEGES

      Deny all privileges applicable to the securable_object.

    • privilege_type

      A specific privilege to deny the principal on this securable_object

  • securable_object

    The object on which the privileges are denied to the principal.

  • principal

    The user or group whose privileges are denied.

Example

-- Deny Alf the right to query `t`.
> DENY SELECT ON TABLE t TO `alf@melmak.et`;

-- Undo the the `DENY`.
> REVOKE SELECT ON TABLE t FROM `alf@melmak.et`;