@@ -85,14 +85,34 @@ You can find the full example here: `credentials <https://github.com/tarantool/d
8585Revoking privileges from a user
8686~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
8787
88- To take a previously granted privilege away, specify the ``permission `` field without the
89- previously allowed privilege, or with an empty ``privileges `` array. Further options may retain commented-out, if necessary:
88+ To revoke a previously granted privilege, remove it from the configuration.
9089
91- .. literalinclude :: /code_snippets/snippets/config/instances.enabled/credentials/revoke.yaml
90+ For example, here is how to to grant privileges to a space and how to revoke one of the privileges:
91+
92+ .. literalinclude :: /code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml
9293 :language: yaml
9394 :start-at: # grant privileges
9495 :dedent:
9596
97+ If you want to revoke the remaining privilege to from a space, you can remove it, too, thus making ``permissions `` an empty array:
98+
99+ .. literalinclude :: /code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
100+ :language: yaml
101+ :start-at: # empty permissions array
102+ :end-at: [ books ]
103+ :dedent:
104+
105+ You can revoke all privileges by making the ``privileges `` an empty array:
106+
107+ .. literalinclude :: /code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
108+ :language: yaml
109+ :start-at: # empty privileges array
110+ :dedent:
111+
112+ .. warning ::
113+ Do not remove a user or a role from configuration in order to revoke that user's or role's privileges. If a user or a role is entirely
114+ removed from the configuration, it is not tracked by configuration machinery anymore. The user/role is not removed and its privileges are not revoked.
115+
96116.. _configuration_credentials_loading_secrets :
97117
98118Loading secrets from safe storage
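Review bot: Two typos in the added prose should be fixed before merge: the sentence introducing revoke_one.yaml reads "here is how to to grant privileges" (doubled "to"), and the sentence before the first revoke_all.yaml include reads "revoke the remaining privilege to from a space", which should be "revoke the remaining privilege from a space". In the warning block, the text states that removing a user or role from the configuration leaves its privileges in place but does not say what to do instead; since a silently retained grant is the failure a reader most needs to avoid here, add one sentence pointing back to the empty ``privileges`` array described just above as the way to revoke everything. It would also help to say in the warning how to get rid of the user or role itself once it is no longer tracked, or to state that this is out of scope for this section.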