Partial revokes with MariaDB

I want to use MySQL partial revokes in MariaDB, but there does not seem to be any reference of it in the docs, so is there are workaround?

I grant user foo privileges on *.*, and I want to partially revoke its permission to select column password on table users - how can I do this?

CREATE USER 'foo'@'%' IDENTIFIED BY 'password';
GRANT SELECT, INSERT, DELETE, UPDATE ON *.* TO 'foo'@'%';
REVOKE SELECT (password) ON production.users FROM 'foo'@'%';

Such thing results in:

ERROR 1147 (42000): There is no such grant defined for user 'foo' on host '%' on table 'user'

Version: 10.3.31-MariaDB-0+deb10u1-log

Perhaps I could do something like this easily with roles? If so, can you give examples to do so?


Solution 1:

MDEV-14443 negative grants is actively being worked on so hopefully 10.9.

At the moment creating the grants excluding your password is one option.

The other is putting the password (by which I hope you mean a uniquely salted hash or KDF) in a different table.