.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "PT-SHOW-GRANTS 1"
.TH PT-SHOW-GRANTS 1 2025-01-01 "perl v5.40.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
pt\-show\-grants \- Canonicalize and print MySQL grants so you can effectively replicate, compare and version\-control them.
.SH SYNOPSIS
.IX Header "SYNOPSIS"
Usage: pt-show-grants [OPTIONS] [DSN]
.PP
pt-show-grants shows grants (user privileges) from a MySQL server.
.PP
Examples:
.PP
.Vb 1
\& pt\-show\-grants
\&
\& pt\-show\-grants \-\-separate \-\-revoke | diff othergrants.sql \-
.Ve
.SH RISKS
.IX Header "RISKS"
Percona Toolkit is mature, proven in the real world, and well tested,
but all database tools can pose a risk to the system and the database
server. Before using this tool, please:
.IP \(bu 4
Read the tool's documentation
.IP \(bu 4
Review the tool's known "BUGS"
.IP \(bu 4
Test the tool on a non-production server
.IP \(bu 4
Back up your production server and verify the backups
.SH DESCRIPTION
.IX Header "DESCRIPTION"
pt-show-grants extracts, orders, and then prints grants for MySQL user
accounts.
.PP
Why would you want this? There are several reasons.
.PP
The first is to easily replicate users from one server to another; you can
simply extract the grants from the first server and pipe the output directly
into another server.
.PP
The second use is to place your grants into version control. If you do a
daily automated grant dump into version control, you'll get lots of spurious
changesets for grants that don't change, because MySQL prints the actual
grants out in a seemingly random order. For instance, one day it'll say
.PP
.Vb 1
\& GRANT DELETE, INSERT, UPDATE ON \`test\`.* TO \*(Aqfoo\*(Aq@\*(Aq%\*(Aq;
.Ve
.PP
And then another day it'll say
.PP
.Vb 1
\& GRANT INSERT, DELETE, UPDATE ON \`test\`.* TO \*(Aqfoo\*(Aq@\*(Aq%\*(Aq;
.Ve
.PP
The grants haven't changed, but the order has. This script sorts the grants
within the line, between 'GRANT' and 'ON'. If there are multiple rows from
SHOW GRANTS, it sorts the rows too, except that it always prints the row with
the user's password first, if it exists. This removes three kinds of
inconsistency you'll get from running SHOW GRANTS, and avoids spurious
changesets in version control.
.PP
Third, if you want to diff grants across servers, it will be hard without
"canonicalizing" them, which pt-show-grants does. The output is fully
diff-able.
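.PP
The canonicalization described above, as an added Python example (not code from pt-show-grants or Percona): it sorts the privilege list between GRANT and ON, sorts the rows with the password row first, and reports drift against a baseline. The function names and the SHOW GRANTS sample rows are constructed for illustration, and uppercase keywords as printed by SHOW GRANTS are assumed.

```python
# Added illustration, not pt-show-grants' own code. Sample rows are constructed.

def split_privs(text):
    """Split a privilege list on commas that are not inside a (column list)."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts

def canonicalize_row(row):
    """Sort the privileges between GRANT and ON; the rest of the row is kept."""
    stmt = row.strip().rstrip(";")
    head, sep, tail = stmt.partition(" ON ")
    if not sep or not head.upper().startswith("GRANT "):
        return stmt + ";"  # no ON clause (assumed: role grants and similar)
    privs = sorted(split_privs(head[len("GRANT "):]))
    return "GRANT " + ", ".join(privs) + " ON " + tail + ";"

def canonicalize(rows):
    """Canonical rows in sorted order, with the password row printed first."""
    canon = [canonicalize_row(r) for r in rows]
    return sorted(canon, key=lambda r: ("IDENTIFIED BY" not in r.upper(), r))

def drift(baseline_rows, live_rows):
    """Return (added, removed) canonical grants of live versus baseline."""
    base, live = set(canonicalize(baseline_rows)), set(canonicalize(live_rows))
    return sorted(live - base), sorted(base - live)

PW_ROW = "GRANT USAGE ON *.* TO 'foo'@'%' IDENTIFIED BY PASSWORD '*CONSTRUCTED'"
DAY1 = ["GRANT DELETE, INSERT, UPDATE ON `test`.* TO 'foo'@'%'", PW_ROW]
DAY2 = [PW_ROW, "GRANT INSERT, DELETE, UPDATE ON `test`.* TO 'foo'@'%'"]
DAY3 = DAY2 + ["GRANT UPDATE (qty), SELECT (sku, qty) ON `shop`.`items` TO 'foo'@'%'"]

if __name__ == "__main__":
    print(canonicalize(DAY1) == canonicalize(DAY2))  # reordering is not a change
    added, removed = drift(DAY1, DAY3)
    for g in added:
        print("+ " + g)
    for g in removed:
        print("- " + g)
```

Column lists inside parentheses are kept in the order the server printed them; only the top-level privilege list is sorted.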
.PP
With the "\-\-revoke", "\-\-separate" and other options, pt-show-grants also
makes it easy to revoke specific privileges from users. This is tedious
otherwise.
.SH OPTIONS
.IX Header "OPTIONS"
This tool accepts additional command-line arguments. Refer to the
"SYNOPSIS" and usage information for details.
.IP \-\-ask\-pass 4
.IX Item "--ask-pass"
Prompt for a password when connecting to MySQL.
.IP \-\-charset 4
.IX Item "--charset"
short form: \-A; type: string
.Sp
Default character set. If the value is utf8, sets Perl's binmode on
STDOUT to utf8, passes the mysql_enable_utf8 option to DBD::mysql, and
runs SET NAMES UTF8 after connecting to MySQL. Any other value sets
binmode on STDOUT without the utf8 layer, and runs SET NAMES after
connecting to MySQL.
.IP \-\-config 4
.IX Item "--config"
type: Array
.Sp
Read this comma-separated list of config files; if specified, this must be the
first option on the command line.
.IP \-\-database 4
.IX Item "--database"
short form: \-D; type: string
.Sp
The database to use for the connection.
.IP \-\-defaults\-file 4
.IX Item "--defaults-file"
short form: \-F; type: string
.Sp
Only read mysql options from the given file. You must give an absolute
pathname.
.IP \-\-drop 4
.IX Item "--drop"
Add DROP USER before each user in the output.
.IP \-\-flush 4
.IX Item "--flush"
Add FLUSH PRIVILEGES after output.
.Sp
You might need this on pre\-4.1.1 servers if you want to drop a user completely.
.IP \-\-[no]header 4
.IX Item "--[no]header"
default: yes
.Sp
Print dump header.
.Sp
The header precedes the dumped grants. It looks like:
.Sp
.Vb 2
\& \-\- Grants dumped by pt\-show\-grants 1.0.19
\& \-\- Dumped from server Localhost via UNIX socket, MySQL 5.0.82\-log at 2009\-10\-26 10:01:04
.Ve
.Sp
See also "\-\-[no]timestamp".
.IP \-\-help 4
.IX Item "--help"
Show help and exit.
.IP \-\-host 4
.IX Item "--host"
short form: \-h; type: string
.Sp
Connect to host.
.IP \-\-ignore 4
.IX Item "--ignore"
type: array
.Sp
Ignore this comma-separated list of users.
.IP \-\-only 4
.IX Item "--only"
type: array
.Sp
Only show grants for this comma-separated list of users.
.IP \-\-convert\-MariaDB 4
.IX Item "--convert-MariaDB"
Convert proprietary MariaDB syntax into valid MySQL form
.IP \-\-password 4
.IX Item "--password"
short form: \-p; type: string
.Sp
Password to use when connecting.
If password contains commas they must be escaped with a backslash: "exam\e,ple"
.IP \-\-pid 4
.IX Item "--pid"
type: string
.Sp
Create the given PID file. The tool won't start if the PID file already
exists and the PID it contains is different than the current PID. However,
if the PID file exists and the PID it contains is no longer running, the
tool will overwrite the PID file with the current PID. The PID file is
removed automatically when the tool exits.
.IP \-\-port 4
.IX Item "--port"
short form: \-P; type: int
.Sp
Port number to use for connection.
.IP \-\-revoke 4
.IX Item "--revoke"
Add REVOKE statements for each GRANT statement.
.IP \-\-separate 4
.IX Item "--separate"
List each GRANT or REVOKE separately.
.Sp
The default output from MySQL's SHOW GRANTS command lists many privileges on a
single line. With "\-\-flush", places a FLUSH PRIVILEGES after each user,
instead of once at the end of all the output.
.IP \-\-set\-vars 4
.IX Item "--set-vars"
type: Array
.Sp
Set the MySQL variables in this comma-separated list of
\f(CW\*(C`variable=value\*(C'\fR pairs.
.Sp
By default, the tool sets:
.Sp
.Vb 1
\& wait_timeout=10000
.Ve
.Sp
Variables specified on the command line override these defaults. For
example, specifying \f(CW\*(C`\-\-set\-vars wait_timeout=500\*(C'\fR overrides the default
value of \f(CW10000\fR.
.Sp
The tool prints a warning and continues if a variable cannot be set.
.IP \-\-[no]include\-unused\-roles 4
.IX Item "--[no]include-unused-roles"
When dumping MySQL 8+ roles, include unused roles.
.IP \-\-socket 4
.IX Item "--socket"
short form: \-S; type: string
.Sp
Socket file to use for connection.
.IP \-\-[no]timestamp 4
.IX Item "--[no]timestamp"
default: yes
.Sp
Add timestamp to the dump header.
.Sp
See also "\-\-[no]header".
.IP \-\-user 4
.IX Item "--user"
short form: \-u; type: string
.Sp
User for login if not current user.
.IP \-\-version 4
.IX Item "--version"
Show version and exit.
.SH "DSN OPTIONS"
.IX Header "DSN OPTIONS"
These DSN options are used to create a DSN. Each option is given like
\&\f(CW\*(C`option=value\*(C'\fR. The options are case-sensitive, so P and p are not the
same option. There cannot be whitespace before or after the \f(CW\*(C`=\*(C'\fR and
if the value contains whitespace it must be quoted. DSN options are
comma-separated. See the percona-toolkit manpage for full details.
.IP \(bu 4
A
.Sp
dsn: charset; copy: yes
.Sp
Default character set.
.IP \(bu 4
D
.Sp
dsn: database; copy: yes
.Sp
Default database.
.IP \(bu 4
F
.Sp
dsn: mysql_read_default_file; copy: yes
.Sp
Only read default options from the given file
.IP \(bu 4
h
.Sp
dsn: host; copy: yes
.Sp
Connect to host.
.IP \(bu 4
p
.Sp
dsn: password; copy: yes
.Sp
Password to use when connecting.
If password contains commas they must be escaped with a backslash: "exam\e,ple"
.IP \(bu 4
P
.Sp
dsn: port; copy: yes
.Sp
Port number to use for connection.
.IP \(bu 4
S
.Sp
dsn: mysql_socket; copy: yes
.Sp
Socket file to use for connection.
.IP \(bu 4
u
.Sp
dsn: user; copy: yes
.Sp
User for login if not current user.
.IP \(bu 4
s
.Sp
dsn: mysql_ssl; copy: yes
.Sp
Create SSL connection
.SH ENVIRONMENT
.IX Header "ENVIRONMENT"
The environment variable \f(CW\*(C`PTDEBUG\*(C'\fR enables verbose debugging output to STDERR.
To enable debugging and capture all output to a file, run the tool like:
.PP
.Vb 1
\& PTDEBUG=1 pt\-show\-grants ... > FILE 2>&1
.Ve
.PP
Be careful: debugging output is voluminous and can generate several megabytes
of output.
.SH ATTENTION
.IX Header "ATTENTION"
Using \f(CW\*(C`PTDEBUG\*(C'\fR might expose passwords. When debug is enabled, all command
line parameters are shown in the output.
.SH "SYSTEM REQUIREMENTS"
.IX Header "SYSTEM REQUIREMENTS"
You need Perl, DBI, DBD::mysql, and some core packages that ought to be
installed in any reasonably new version of Perl.
.SH BUGS
.IX Header "BUGS"
For a list of known bugs, see .
.PP
Please report bugs at .
Include the following information in your bug report:
.IP \(bu 4
Complete command-line used to run the tool
.IP \(bu 4
Tool "\-\-version"
.IP \(bu 4
MySQL version of all servers involved
.IP \(bu 4
Output from the tool including STDERR
.IP \(bu 4
Input files (log/dump/config files, etc.)
.PP
If possible, include debugging output by running the tool with \f(CW\*(C`PTDEBUG\*(C'\fR;
see "ENVIRONMENT".
.SH DOWNLOADING
.IX Header "DOWNLOADING"
Visit to download the latest release of
Percona Toolkit. Or, get the latest release from the command line:
.PP
.Vb 1
\& wget percona.com/get/percona\-toolkit.tar.gz
\&
\& wget percona.com/get/percona\-toolkit.rpm
\&
\& wget percona.com/get/percona\-toolkit.deb
.Ve
.PP
You can also get individual tools from the latest release:
.PP
.Vb 1
\& wget percona.com/get/TOOL
.Ve
.PP
Replace \f(CW\*(C`TOOL\*(C'\fR with the name of any tool.
.SH AUTHORS
.IX Header "AUTHORS"
Baron Schwartz
.SH "ABOUT PERCONA TOOLKIT"
.IX Header "ABOUT PERCONA TOOLKIT"
This tool is part of Percona Toolkit, a collection of advanced command-line
tools for MySQL developed by Percona. Percona Toolkit was forked from two
projects in June, 2011: Maatkit and Aspersa. Those projects were created by
Baron Schwartz and primarily developed by him and Daniel Nichter. Visit
to learn about other free, open-source
software from Percona.
.SH "COPYRIGHT, LICENSE, AND WARRANTY"
.IX Header "COPYRIGHT, LICENSE, AND WARRANTY"
This program is copyright 2011\-2024 Percona LLC and/or its affiliates,
2007\-2011 Baron Schwartz.
.PP
THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.PP
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, version 2; OR the Perl Artistic License. On UNIX and similar
systems, you can issue `man perlgpl' or `man perlartistic' to read these
licenses.
.PP
You should have received a copy of the GNU General Public License along with
this program; if not, write to the Free Software Foundation, Inc., 59 Temple
Place, Suite 330, Boston, MA 02111\-1307 USA.
.SH VERSION
.IX Header "VERSION"
pt-show-grants 3.7.0