What is the difference between the REVOKE and RESTRICT CQLSH commands in DSE?
Example: Keyspace Cycling has 2 tables, cycled and peddled respectively, and a role Jane exists. Jane is granted SELECT permission to all the keyspaces using the below command:
grant select on keyspace Cycling to 'jane';
But while revoking access for table cycled, it gives a warning and the permission is not revoked.
REVOKE select on cycling.cycled from 'jane';
Warning: Role jane was not granted SELECT on
Though the above revoke command gave a warning and not an error, still the role jane was able to access the data on table cycled, which means the select permission was not revoked.
The below restrict command worked as expected:
RESTRICT select on cycling.cycled TO 'jane';
I would like to understand why the revoke command did not work at the table level.
DSE version : 6.8.23
Did you find if there are any corresponding warnings/errors in the
[debug|system].log file? It is important to understand what each command's role is here.
RESTRICT
Use RESTRICT to deny access to a role on a data resource, that is a keyspace or table. Restrict denies access even if permission to access the resource has been granted or inherited. RESTRICT permission always takes precedence over GRANT permissions.
REVOKE
Removes privileges on database objects from a role.
Concept
When the role jane was granted SELECT permissions on ALL KEYSPACES via the below grant, via inheritance, jane got SELECT access to all tables under all keyspaces.
When you did add the restriction, it took precedence and prevented the role jane from selecting/reading from the cycling table.
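
The permission resolution described in the answer above, as an added example that is not part of the original thread and is not DSE's own code: a small Python model in which a grant on a keyspace is inherited by its tables, REVOKE only removes a grant made on exactly the named resource, and a restriction overrides any grant. The class and function names (Authz, demo) and the warning text are constructed for this illustration.

```python
# Simplified model of the behaviour described in this thread (constructed for
# illustration; not DSE's authorizer). "*" stands for ALL KEYSPACES.
class Authz:
    def __init__(self):
        self.grants = set()        # (role, permission, resource)
        self.restrictions = set()  # (role, permission, resource)

    @staticmethod
    def chain(resource):
        """Return the resource followed by its parents: table, keyspace, '*'."""
        out = [resource]
        if "." in resource:
            out.append(resource.split(".")[0])
        if resource != "*":
            out.append("*")
        return out

    def grant(self, role, perm, resource):
        self.grants.add((role, perm, resource))

    def revoke(self, role, perm, resource):
        """Remove a grant made on exactly this resource; warn if there is none."""
        key = (role, perm, resource)
        if key not in self.grants:
            return f"no {perm} grant for {role} on {resource} itself; nothing removed"
        self.grants.remove(key)
        return None

    def restrict(self, role, perm, resource):
        self.restrictions.add((role, perm, resource))

    def allowed(self, role, perm, resource):
        levels = self.chain(resource)
        # A restriction wins over any grant. Model assumption: a restriction
        # on a parent resource also covers its children.
        if any((role, perm, r) in self.restrictions for r in levels):
            return False
        # Otherwise a grant at any level of the hierarchy is inherited.
        return any((role, perm, r) in self.grants for r in levels)


def demo():
    a = Authz()
    a.grant("jane", "SELECT", "cycling")                    # keyspace-level grant
    warning = a.revoke("jane", "SELECT", "cycling.cycled")  # no table-level grant
    after_revoke = a.allowed("jane", "SELECT", "cycling.cycled")
    a.restrict("jane", "SELECT", "cycling.cycled")
    return (warning, after_revoke,
            a.allowed("jane", "SELECT", "cycling.cycled"),
            a.allowed("jane", "SELECT", "cycling.peddled"))
```

In this model, revoking at the level where the grant was made (the keyspace) does remove access to both tables, which is why the table-level REVOKE only produced a warning.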