mk-show-grants.1p - Man Page

Canonicalize and print MySQL grants so you can effectively replicate, compare and version-control them.

Synopsis

Usage: mk-show-grants [OPTION...] [DSN]

mk-show-grants shows grants (user privileges) from a MySQL server.

Examples:

   mk-show-grants

   mk-show-grants --separate --revoke | diff othergrants.sql -

Risks

The following section is included to inform users about the potential risks, whether known or unknown, of using this tool.  The two main categories of risks are those created by the nature of the tool (e.g. read-only tools vs. read-write tools) and those created by bugs.

mk-show-grants is read-only by default, and very low-risk.  If you specify "--flush", it will execute FLUSH PRIVILEGES.

At the time of this release, we know of no bugs that could cause serious harm to users.

The authoritative source for updated information is always the online issue tracking system.  Issues that affect this tool will be marked as such.  You can see a list of such issues at the following URL: <http://www.maatkit.org/bugs/mk-show-grants>.

See also "Bugs" for more information on filing bugs and getting help.

Description

mk-show-grants extracts, orders, and then prints grants for MySQL user accounts.

Why would you want this?  There are several reasons.

The first is to easily replicate users from one server to another; you can simply extract the grants from the first server and pipe the output directly into another server.

The second use is to place your grants into version control.  If you do a daily automated grant dump into version control, you'll get lots of spurious changesets for grants that don't change, because MySQL prints the actual grants out in a seemingly random order.  For instance, one day it'll say

  GRANT DELETE, INSERT, UPDATE ON `test`.* TO 'foo'@'%';

And then another day it'll say

  GRANT INSERT, DELETE, UPDATE ON `test`.* TO 'foo'@'%';

The grants haven't changed, but the order has.  This script sorts the grants within the line, between 'GRANT' and 'ON'.  If there are multiple rows from SHOW GRANTS, it sorts the rows too, except that it always prints the row with the user's password first, if it exists.  This removes three kinds of inconsistency you'll get from running SHOW GRANTS, and avoids spurious changesets in version control.

Third, if you want to diff grants across servers, it will be hard without "canonicalizing" them, which mk-show-grants does.  The output is fully diff-able.
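The canonicalization rules described above (sort privileges between GRANT and ON, sort rows, password row first) can be illustrated with a short script that then diffs two servers' grants. This is an added example, not mk-show-grants' own code; the function names, the sample rows, the handling of column lists, and the use of IDENTIFIED BY as the password-row marker are assumptions.

```python
import difflib
import re

# Privilege list sits between GRANT and ON, as the page describes.
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<rest>.+)$", re.S)

def split_privileges(privs):
    """Split on commas, but not inside a column list like SELECT (id, name)."""
    parts, depth, current = [], 0, []
    for ch in privs:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts

def canonicalize_row(row):
    """Sort the privileges within one GRANT statement."""
    m = GRANT_RE.match(row.strip())
    if not m:
        return row.strip()
    privs = ", ".join(sorted(split_privileges(m.group("privs"))))
    return f"GRANT {privs} ON {m.group('rest')}"

def canonicalize_user(rows):
    """Sort a user's rows; password row first (assumed marker: IDENTIFIED BY)."""
    canon = [canonicalize_row(r) for r in rows]
    return sorted(canon, key=lambda r: ("IDENTIFIED BY" not in r, r))

def grant_drift(rows_a, rows_b):
    """Return only the +/- lines that differ after canonicalization."""
    a, b = canonicalize_user(rows_a), canonicalize_user(rows_b)
    diff = difflib.unified_diff(a, b, lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

# Constructed sample rows for one account on two servers (hash is a placeholder).
PW = "GRANT USAGE ON *.* TO 'foo'@'%' IDENTIFIED BY PASSWORD '*PLACEHOLDER_HASH'"
SERVER_A = [PW,
            "GRANT DELETE, INSERT, UPDATE ON `test`.* TO 'foo'@'%'",
            "GRANT SELECT (id, name), INSERT ON `app`.`users` TO 'foo'@'%'"]
SERVER_B = ["GRANT INSERT, SELECT (id, name) ON `app`.`users` TO 'foo'@'%'",
            "GRANT INSERT, DELETE, UPDATE, DROP ON `test`.* TO 'foo'@'%'",
            PW]

if __name__ == "__main__":
    print("\n".join(grant_drift(SERVER_A, SERVER_B)))
```

Reordered privileges and rows produce no diff lines; only the extra DROP privilege on the second server is reported.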

With the "--revoke", "--separate" and other options, mk-show-grants also makes it easy to revoke specific privileges from users.  This is tedious otherwise.

Options

This tool accepts additional command-line arguments.  Refer to the "Synopsis" and usage information for details.

--ask-pass

Prompt for a password when connecting to MySQL.

--charset

short form: -A; type: string

Default character set.  If the value is utf8, sets Perl's binmode on STDOUT to utf8, passes the mysql_enable_utf8 option to DBD::mysql, and runs SET NAMES UTF8 after connecting to MySQL.  Any other value sets binmode on STDOUT without the utf8 layer, and runs SET NAMES after connecting to MySQL.

--config

type: Array

Read this comma-separated list of config files; if specified, this must be the first option on the command line.

--database

short form: -D; type: string

The database to use for the connection.

--defaults-file

short form: -F; type: string

Only read mysql options from the given file.  You must give an absolute pathname.

--drop

Add DROP USER before each user in the output.

--flush

Add FLUSH PRIVILEGES after output.

You might need this on pre-4.1.1 servers if you want to drop a user completely.

--[no]header

default: yes

Print dump header.

The header precedes the dumped grants.  It looks like:

  -- Grants dumped by mk-show-grants 1.0.19
  -- Dumped from server Localhost via UNIX socket, MySQL 5.0.82-log at 2009-10-26 10:01:04

See also "--[no]timestamp".

--help

Show help and exit.

--host

short form: -h; type: string

Connect to host.

--ignore

type: array

Ignore this comma-separated list of users.

--only

type: array

Only show grants for this comma-separated list of users.

--password

short form: -p; type: string

Password to use when connecting.

--pid

type: string

Create the given PID file.  The file contains the process ID of the script. The PID file is removed when the script exits.  Before starting, the script checks if the PID file already exists.  If it does not, then the script creates and writes its own PID to it.  If it does, then the script checks the following: if the file contains a PID and a process is running with that PID, then the script dies; or, if there is no process running with that PID, then the script overwrites the file with its own PID and starts; else, if the file contains no PID, then the script dies.

--port

short form: -P; type: int

Port number to use for connection.

--revoke

Add REVOKE statements for each GRANT statement.

--separate

List each GRANT or REVOKE separately.

The default output from MySQL's SHOW GRANTS command lists many privileges on a single line.  With "--flush", this option places a FLUSH PRIVILEGES after each user, instead of once at the end of all the output.

--set-vars

type: string; default: wait_timeout=10000

Set these MySQL variables.  Immediately after connecting to MySQL, this string will be appended to SET and executed.

--socket

short form: -S; type: string

Socket file to use for connection.

--[no]timestamp

default: yes

Add timestamp to the dump header.

See also "--[no]header".

--user

short form: -u; type: string

User for login if not current user.

--version

Show version and exit.

DSN Options

These DSN options are used to create a DSN.  Each option is given like option=value.  The options are case-sensitive, so P and p are not the same option.  There cannot be whitespace before or after the = and if the value contains whitespace it must be quoted.  DSN options are comma-separated.  See the maatkit manpage for full details.

Downloading

You can download Maatkit from Google Code at <http://code.google.com/p/maatkit/>, or you can get any of the tools easily with a command like the following:

   wget http://www.maatkit.org/get/toolname
   or
   wget http://www.maatkit.org/trunk/toolname

Where toolname can be replaced with the name (or fragment of a name) of any of the Maatkit tools.  Once downloaded, they're ready to run; no installation is needed.  The first URL gets the latest released version of the tool, and the second gets the latest trunk code from Subversion.

Environment

The environment variable MKDEBUG enables verbose debugging output in all of the Maatkit tools:

   MKDEBUG=1 mk-....

System Requirements

You need the following Perl modules: DBI and DBD::mysql.

Bugs

For a list of known bugs see <http://www.maatkit.org/bugs/mk-show-grants>.

Please use Google Code Issues and Groups to report bugs or request support: <http://code.google.com/p/maatkit/>.  You can also join #maatkit on Freenode to discuss Maatkit.

Please include the complete command-line used to reproduce the problem you are seeing, the version of all MySQL servers involved, the complete output of the tool when run with "--version", and if possible, debugging output produced by running with the MKDEBUG=1 environment variable.

Copyright, License and Warranty

This program is copyright 2007-2011 Baron Schwartz. Feedback and improvements are welcome.

THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2; OR the Perl Artistic License.  On UNIX and similar systems, you can issue `man perlgpl' or `man perlartistic' to read these licenses.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA.

See Also

Someone pointed out that this has been done before (not surprising, as it's not all that complicated).  Visit <http://www.futhark.ch/mysql/139.html> for a simpler implementation of the same general concept, though without the canonicalization.  I borrowed the idea of adding DROP USER from that script, and it inspired me to add the REVOKE functionality too.

Author

Baron Schwartz

About Maatkit

This tool is part of Maatkit, a toolkit for power users of MySQL.  Maatkit was created by Baron Schwartz; Baron and Daniel Nichter are the primary code contributors.  Both are employed by Percona.  Financial support for Maatkit development is primarily provided by Percona and its clients.

Version

This manual page documents Ver 1.0.23 Distrib 7540 $Revision: 7477 $.

Info

2024-01-25 perl v5.38.2 User Contributed Perl Documentation