# REVOKE
REVOKE — remove access privileges
# Synopsis
```
REVOKE [ GRANT OPTION FOR ]
    { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { [ TABLE ] table_name [, ...]
         | ALL TABLES IN SCHEMA schema_name [, ...] }
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
    [, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
    ON [ TABLE ] table_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { { USAGE | SELECT | UPDATE }
    [, ...] | ALL [ PRIVILEGES ] }
    ON { SEQUENCE sequence_name [, ...]
         | ALL SEQUENCES IN SCHEMA schema_name [, ...] }
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
    ON DATABASE database_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { USAGE | ALL [ PRIVILEGES ] }
    ON DOMAIN domain_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { USAGE | ALL [ PRIVILEGES ] }
    ON FOREIGN DATA WRAPPER fdw_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { USAGE | ALL [ PRIVILEGES ] }
    ON FOREIGN SERVER server_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { EXECUTE | ALL [ PRIVILEGES ] }
    ON { { FUNCTION | PROCEDURE | ROUTINE } function_name [ ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) ] [, ...]
         | ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ...] }
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { USAGE | ALL [ PRIVILEGES ] }
    ON LANGUAGE lang_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
    ON LARGE OBJECT loid [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
    ON SCHEMA schema_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { CREATE | ALL [ PRIVILEGES ] }
    ON TABLESPACE tablespace_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]
    { USAGE | ALL [ PRIVILEGES ] }
    ON TYPE type_name [, ...]
    FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

REVOKE [ ADMIN OPTION FOR ]
    role_name [, ...] FROM role_specification [, ...]
    [ GRANTED BY role_specification ]
    [ CASCADE | RESTRICT ]

where role_specification can be:

    [ GROUP ] role_name
  | PUBLIC
  | CURRENT_ROLE
  | CURRENT_USER
  | SESSION_USER
```
# Description
The REVOKE command revokes previously granted privileges from one or more roles. The key word PUBLIC refers to the implicitly defined group of all roles.

See the description of the GRANT command for the meaning of the privilege types.

Note that any particular role will have the sum of privileges granted directly to it, privileges granted to any role it is presently a member of, and privileges granted to PUBLIC. Thus, for example, revoking SELECT privilege from PUBLIC does not necessarily mean that all roles have lost SELECT privilege on the object: those who have it granted directly or via another role will still have it. Similarly, revoking SELECT from a user might not prevent that user from using SELECT if PUBLIC or another membership role still has SELECT rights.

If GRANT OPTION FOR is specified, only the grant option for the privilege is revoked, not the privilege itself. Otherwise, both the privilege and the grant option are revoked.

If a user holds a privilege with grant option and has granted it to other users, then the privileges held by those other users are called dependent privileges. If the privilege or the grant option held by the first user is being revoked and dependent privileges exist, those dependent privileges are also revoked if CASCADE is specified; if it is not, the revoke action will fail. This recursive revocation only affects privileges that were granted through a chain of users that is traceable to the user that is the subject of this REVOKE command. Thus, the affected users might effectively keep the privilege if it was also granted through other users.

When revoking privileges on a table, the corresponding column privileges (if any) are automatically revoked on each column of the table as well. On the other hand, if a role has been granted privileges on a table, then revoking the same privileges from individual columns will have no effect.

When revoking membership in a role, GRANT OPTION is instead called ADMIN OPTION, but the behavior is similar. This form of the command also allows a GRANTED BY option, but that option is currently ignored (except for checking the existence of the named role). Note also that this form of the command does not allow the noise word GROUP in *role_specification*.
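The following script is an added example, not part of the PostgreSQL manual, that walks through the dependent-privilege and PUBLIC rules described above. The roles a, b, c and reader, and the table t, are constructed names; it assumes it is run in a superuser session (so SET ROLE to any role is allowed) on an otherwise empty database.

```sql
-- Constructed setup: a owns t, grants SELECT to b WITH GRANT OPTION, and b passes it on to c.
CREATE ROLE a LOGIN;
CREATE ROLE b LOGIN;
CREATE ROLE c LOGIN;
CREATE TABLE t (id int);
ALTER TABLE t OWNER TO a;

SET ROLE a;
GRANT SELECT ON t TO b WITH GRANT OPTION;   -- recorded with grantor a
SET ROLE b;
GRANT SELECT ON t TO c;                     -- recorded with grantor b: a dependent privilege
RESET ROLE;

SELECT has_table_privilege('c', 't', 'SELECT');   -- true

SET ROLE a;
-- a never granted anything to c, so this removes nothing: only grants recorded
-- as made by the revoking role (here a) are affected.
REVOKE SELECT ON t FROM c;

-- RESTRICT is the default: b's grant option cannot go while c's dependent grant exists.
REVOKE GRANT OPTION FOR SELECT ON t FROM b;            -- ERROR: dependent privileges exist

-- CASCADE drops the grant option from b and, in turn, the dependent SELECT from c.
REVOKE GRANT OPTION FOR SELECT ON t FROM b CASCADE;
RESET ROLE;

SELECT has_table_privilege('b', 't', 'SELECT');   -- true: b keeps the privilege itself
SELECT has_table_privilege('c', 't', 'SELECT');   -- false: the dependent grant is gone

-- Revoking from PUBLIC does not touch a direct grant: b still has SELECT afterwards.
GRANT SELECT ON t TO PUBLIC;
REVOKE SELECT ON t FROM PUBLIC;
SELECT has_table_privilege('b', 't', 'SELECT');   -- true, via b's own grant from a
SELECT has_table_privilege('c', 't', 'SELECT');   -- false, c had only the PUBLIC grant
```

The has_table_privilege calls are the check to run after any revoke: they report effective access (direct, via membership, or via PUBLIC), which is what matters for an access review, rather than the single grant the statement removed.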
# Notes
A user can only revoke privileges that were granted directly by that user. If, for example, user A has granted a privilege with grant option to user B, and user B has in turn granted it to user C, then user A cannot revoke the privilege directly from C. Instead, user A could revoke the grant option from user B and use the CASCADE option so that the privilege is in turn revoked from user C. For another example, if both A and B have granted the same privilege to C, A can revoke their own grant but not B's grant, so C will still effectively have the privilege.

When a non-owner of an object attempts to REVOKE privileges on the object, the command will fail outright if the user has no privileges whatsoever on the object. As long as some privilege is available, the command will proceed, but it will revoke only those privileges for which the user has grant options. The REVOKE ALL PRIVILEGES forms will issue a warning message if no grant options are held, while the other forms will issue a warning if grant options for any of the privileges specifically named in the command are not held. (In principle these statements apply to the object owner as well, but since the owner is always treated as holding all grant options, the cases can never occur.)

If a superuser chooses to issue a GRANT or REVOKE command, the command is performed as though it were issued by the owner of the affected object. Since all privileges ultimately come from the object owner (possibly indirectly via chains of grant options), it is possible for a superuser to revoke all privileges, but this might require use of CASCADE as stated above.

REVOKE can also be done by a role that is not the owner of the affected object, but is a member of the role that owns the object, or is a member of a role that holds privileges WITH GRANT OPTION on the object. In this case the command is performed as though it were issued by the containing role that actually owns the object or holds the privileges WITH GRANT OPTION. For example, if table t1 is owned by role g1, of which role u1 is a member, then u1 can revoke privileges on t1 that are recorded as being granted by g1. This would include grants made by u1 as well as by other members of role g1.

If the role executing REVOKE holds privileges indirectly via more than one role membership path, it is unspecified which containing role will be used to perform the command. In such cases it is best practice to use SET ROLE to become the specific role you want to do the REVOKE as. Failure to do so might lead to revoking privileges other than the ones you intended, or not revoking anything at all.

See Section 5.7 for more information about specific privilege types, as well as how to inspect objects' privileges.
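An added example, not part of the PostgreSQL manual, for the two notes above on revoking as a member of another role and on pinning the role with SET ROLE. The roles g1, g2, u1 and reader and the table t1 are constructed names; the setup assumes a superuser session, and the revoking part assumes a session connected as u1.

```sql
-- Constructed setup: g1 owns t1; g2 holds SELECT WITH GRANT OPTION; u1 belongs to both.
CREATE ROLE g1;
CREATE ROLE g2;
CREATE ROLE u1 LOGIN;
CREATE ROLE reader LOGIN;
GRANT g1 TO u1;
GRANT g2 TO u1;
CREATE TABLE t1 (id int);
ALTER TABLE t1 OWNER TO g1;

SET ROLE g1;
GRANT SELECT ON t1 TO g2 WITH GRANT OPTION;   -- grantor g1
GRANT SELECT ON t1 TO reader;                 -- grantor g1
RESET ROLE;
SET ROLE g2;
GRANT SELECT ON t1 TO reader;                 -- grantor g2: a second, independent grant
RESET ROLE;

-- The ACL now carries two SELECT entries for reader, one per grantor
-- (expect reader=r/g1 and reader=r/g2 in the array).
SELECT relacl FROM pg_class WHERE relname = 't1';

-- Connected as u1: u1 could act as g1 (owner) or as g2 (grant-option holder),
-- and which one REVOKE picks is unspecified, so pin it explicitly.
SET ROLE g1;
REVOKE SELECT ON t1 FROM reader;              -- removes only the grant recorded by g1
RESET ROLE;
SELECT has_table_privilege('reader', 't1', 'SELECT');   -- still true: g2's grant remains

SET ROLE g2;
REVOKE SELECT ON t1 FROM reader;              -- removes the grant recorded by g2
RESET ROLE;
SELECT has_table_privilege('reader', 't1', 'SELECT');   -- false: both grants are gone
```

Reading relacl before and after each REVOKE shows exactly which grantor's entry was removed; relying on has_table_privilege alone after the first revoke would hide that access was still in place through the other path.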
# Examples
Revoke insert privilege for the public on table films:

```sql
REVOKE INSERT ON films FROM PUBLIC;
```

Revoke all privileges from user manuel on view kinds:

```sql
REVOKE ALL PRIVILEGES ON kinds FROM manuel;
```

Note that this actually means "revoke all privileges that I granted".

Revoke membership in role admins from user joe:

```sql
REVOKE admins FROM joe;
```
# Compatibility
The compatibility notes of the GRANT command apply analogously to REVOKE. The keyword RESTRICT or CASCADE is required according to the standard, but PostgreSQL assumes RESTRICT by default.