1MK-SHOW-GRANTS(1) User Contributed Perl Documentation MK-SHOW-GRANTS(1)
2
6 mk-show-grants - Canonicalize and print MySQL grants so you can
7 effectively replicate, compare and version-control them.
8
10 mk-show-grants
11 mk-show-grants --separate --revoke | diff othergrants.sql -
12
14 The following section is included to inform users about the potential
15 risks, whether known or unknown, of using this tool. The two main
16 categories of risks are those created by the nature of the tool (e.g.
17 read-only tools vs. read-write tools) and those created by bugs.
18 mk-show-grants is read-only by default, and very low-risk. If you
20 specify "--flush", it will execute "FLUSH PRIVILEGES".
21 At the time of this release, we know of no bugs that could cause
23 serious harm to users.
24 The authoritative source for updated information is always the online
26 issue tracking system. Issues that affect this tool will be marked as
27 such. You can see a list of such issues at the following URL:
28 http://www.maatkit.org/bugs/mk-show-grants
29 <http://www.maatkit.org/bugs/mk-show-grants>.
30 See also "BUGS" for more information on filing bugs and getting help.
32
34 mk-show-grants extracts, orders, and then prints grants for MySQL user
35 accounts.
36 Why would you want this? There are several reasons.
38 The first is to easily replicate users from one server to another; you
40 can simply extract the grants from the first server and pipe the output
41 directly into another server.
42 The second use is to place your grants into version control. If you do
44 a daily automated grant dump into version control, you'll get lots of
45 spurious changesets for grants that don't change, because MySQL prints
46 the actual grants out in a seemingly random order. For instance, one
47 day it'll say
48 GRANT DELETE, INSERT, UPDATE ON `test`.* TO 'foo'@'%';
50 And then another day it'll say
52 GRANT INSERT, DELETE, UPDATE ON `test`.* TO 'foo'@'%';
54 The grants haven't changed, but the order has. This script sorts the
56 grants within the line, between 'GRANT' and 'ON'. If there are
57 multiple rows from SHOW GRANTS, it sorts the rows too, except that it
58 always prints the row with the user's password first, if it exists.
59 This removes three kinds of inconsistency you'll get from running SHOW
60 GRANTS, and avoids spurious changesets in version control.
61 Third, if you want to diff grants across servers, it will be hard
63 without "canonicalizing" them, which mk-show-grants does. The output
64 is fully diff-able.
65 With the "--revoke", "--separate" and other options, mk-show-grants
67 also makes it easy to revoke specific privileges from users. This is
68 tedious otherwise.
69
71 --ask-pass
72 Prompt for a password when connecting to MySQL.
73 --charset
75 short form: -A; type: string
76 Default character set. If the value is utf8, sets Perl's binmode
78 on STDOUT to utf8, passes the mysql_enable_utf8 option to
79 DBD::mysql, and runs SET NAMES UTF8 after connecting to MySQL. Any
80 other value sets binmode on STDOUT without the utf8 layer, and runs
81 SET NAMES after connecting to MySQL.
82 --config
84 type: Array
85 Read this comma-separated list of config files; if specified, this
87 must be the first option on the command line.
88 --database
90 short form: -D; type: string
91 The database to use for the connection.
93 --defaults-file
95 short form: -F; type: string
96 Only read mysql options from the given file. You must give an
98 absolute pathname.
99 --drop
101 Add DROP USER before each user in the output.
102 --flush
104 Add FLUSH PRIVILEGES after output.
105 You might need this on pre-4.1.1 servers if you want to drop a user
107 completely.
108 --[no]header
110 default: yes
111 Print dump header.
113 The header precedes the dumped grants. It looks like:
115 -- Grants dumped by mk-show-grants 1.0.19
117 -- Dumped from server Localhost via UNIX socket, MySQL 5.0.82-log at 2009-10-26 10:01:04
118 See also "--[no]timestamp".
120 --help
122 Show help and exit.
123 --host
125 short form: -h; type: string
126 Connect to host.
128 --ignore
130 type: array
131 Ignore this comma-separated list of users.
133 --only
135 type: array
136 Only show grants for this comma-separated list of users.
138 --password
140 short form: -p; type: string
141 Password to use when connecting.
143 --pid
145 type: string
146 Create the given PID file. The file contains the process ID of the
148 script. The PID file is removed when the script exits. Before
149 starting, the script checks if the PID file already exists. If it
150 does not, then the script creates and writes its own PID to it. If
151 it does, then the script checks the following: if the file contains
152 a PID and a process is running with that PID, then the script dies;
153 or, if there is no process running with that PID, then the script
154 overwrites the file with its own PID and starts; else, if the file
155 contains no PID, then the script dies.
156 --port
158 short form: -P; type: int
159 Port number to use for connection.
161 --revoke
163 Add REVOKE statements for each GRANT statement.
164 --separate
166 List each GRANT or REVOKE separately.
167 The default output from MySQL's SHOW GRANTS command lists many
169 privileges on a single line. With "--flush", places a FLUSH
170 PRIVILEGES after each user, instead of once at the end of all the
171 output.
172 --set-vars
174 type: string; default: wait_timeout=10000
175 Set these MySQL variables. Immediately after connecting to MySQL,
177 this string will be appended to SET and executed.
178 --socket
180 short form: -S; type: string
181 Socket file to use for connection.
183 --[no]timestamp
185 default: yes
186 Add timestamp to the dump header.
188 See also "--[no]header".
190 --user
192 short form: -u; type: string
193 User for login if not current user.
195 --version
197 Show version and exit.
198
200 These DSN options are used to create a DSN. Each option is given like
201 "option=value". The options are case-sensitive, so P and p are not the
202 same option. There cannot be whitespace before or after the "=" and if
203 the value contains whitespace it must be quoted. DSN options are
204 comma-separated. See the maatkit manpage for full details.
205 · A
207 dsn: charset; copy: yes
209 Default character set.
211 · D
213 dsn: database; copy: yes
215 Default database.
217 · F
219 dsn: mysql_read_default_file; copy: yes
221 Only read default options from the given file
223 · h
225 dsn: host; copy: yes
227 Connect to host.
229 · p
231 dsn: password; copy: yes
233 Password to use when connecting.
235 · P
237 dsn: port; copy: yes
239 Port number to use for connection.
241 · S
243 dsn: mysql_socket; copy: yes
245 Socket file to use for connection.
247 · u
249 dsn: user; copy: yes
251 User for login if not current user.
253
255 You can download Maatkit from Google Code at
256 <http://code.google.com/p/maatkit/>, or you can get any of the tools
257 easily with a command like the following:
258 wget http://www.maatkit.org/get/toolname
260 or
261 wget http://www.maatkit.org/trunk/toolname
262 Where "toolname" can be replaced with the name (or fragment of a name)
264 of any of the Maatkit tools. Once downloaded, they're ready to run; no
265 installation is needed. The first URL gets the latest released version
266 of the tool, and the second gets the latest trunk code from Subversion.
267
269 The environment variable "MKDEBUG" enables verbose debugging output in
270 all of the Maatkit tools:
271 MKDEBUG=1 mk-....
273
275 You need the following Perl modules: DBI and DBD::mysql.
276
278 For list of known bugs see http://www.maatkit.org/bugs/mk-show-grants
279 <http://www.maatkit.org/bugs/mk-show-grants>.
280 Please use Google Code Issues and Groups to report bugs or request
282 support: <http://code.google.com/p/maatkit/>. You can also join
283 #maatkit on Freenode to discuss Maatkit.
284 Please include the complete command-line used to reproduce the problem
286 you are seeing, the version of all MySQL servers involved, the complete
287 output of the tool when run with "--version", and if possible,
288 debugging output produced by running with the "MKDEBUG=1" environment
289 variable.
290
292 This program is copyright 2007-2010 Baron Schwartz. Feedback and
293 improvements are welcome.
294 THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
296 WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
297 MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
298 This program is free software; you can redistribute it and/or modify it
300 under the terms of the GNU General Public License as published by the
301 Free Software Foundation, version 2; OR the Perl Artistic License. On
302 UNIX and similar systems, you can issue `man perlgpl' or `man
303 perlartistic' to read these licenses.
304 You should have received a copy of the GNU General Public License along
306 with this program; if not, write to the Free Software Foundation, Inc.,
307 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
308
310 Someone pointed out that this has been done before (not surprising, as
311 it's not all that complicated). Visit
312 <http://www.futhark.ch/mysql/139.html> for a simpler implementation of
313 the same general concept, though without the canonicalization. I
314 borrowed the idea of adding DROP USER from that script, and it inspired
315 me to add the REVOKE functionality too.
316
318 Baron Schwartz
319
321 This tool is part of Maatkit, a toolkit for power users of MySQL.
322 Maatkit was created by Baron Schwartz; Baron and Daniel Nichter are the
323 primary code contributors. Both are employed by Percona. Financial
324 support for Maatkit development is primarily provided by Percona and
325 its clients.
326
328 This manual page documents Ver 1.0.23 Distrib 6839 $Revision: 6831 $.
329perl v5.12.1 2010-08-01 MK-SHOW-GRANTS(1)