lunar (1) pt-show-grants.1p.gz

Provided by: percona-toolkit_3.2.1-1_all bug

NAME

       pt-show-grants - Canonicalize and print MySQL grants so you can effectively replicate,
       compare and version-control them.

SYNOPSIS

       Usage: pt-show-grants [OPTIONS] [DSN]

       pt-show-grants shows grants (user privileges) from a MySQL server.

       Examples:

          pt-show-grants

          pt-show-grants --separate --revoke | diff othergrants.sql -

RISKS

       Percona Toolkit is mature, proven in the real world, and well tested, but all database
       tools can pose a risk to the system and the database server.  Before using this tool,
       please:

       •   Read the tool's documentation

       •   Review the tool's known "BUGS"

       •   Test the tool on a non-production server

       •   Backup your production server and verify the backups

DESCRIPTION

       pt-show-grants extracts, orders, and then prints grants for MySQL user accounts.

       Why would you want this?  There are several reasons.

       The first is to easily replicate users from one server to another; you can simply extract
       the grants from the first server and pipe the output directly into another server.

       The second use is to place your grants into version control.  If you do a daily automated
       grant dump into version control, you'll get lots of spurious changesets for grants that
       don't change, because MySQL prints the actual grants out in a seemingly random order.  For
       instance, one day it'll say

         GRANT DELETE, INSERT, UPDATE ON `test`.* TO 'foo'@'%';

       And then another day it'll say

         GRANT INSERT, DELETE, UPDATE ON `test`.* TO 'foo'@'%';

       The grants haven't changed, but the order has.  This script sorts the grants within the
       line, between 'GRANT' and 'ON'.  If there are multiple rows from SHOW GRANTS, it sorts the
       rows too, except that it always prints the row with the user's password first, if it
       exists.  This removes three kinds of inconsistency you'll get from running SHOW GRANTS,
       and avoids spurious changesets in version control.

       Third, if you want to diff grants across servers, it will be hard without "canonicalizing"
       them, which pt-show-grants does.  The output is fully diff-able.

       With the "--revoke", "--separate" and other options, pt-show-grants also makes it easy to
       revoke specific privileges from users.  This is tedious otherwise.

OPTIONS

       This tool accepts additional command-line arguments.  Refer to the "SYNOPSIS" and usage
       information for details.

       --ask-pass
           Prompt for a password when connecting to MySQL.

       --charset
           short form: -A; type: string

           Default character set.  If the value is utf8, sets Perl's binmode on STDOUT to utf8,
           passes the mysql_enable_utf8 option to DBD::mysql, and runs SET NAMES UTF8 after
           connecting to MySQL.  Any other value sets binmode on STDOUT without the utf8 layer,
           and runs SET NAMES after connecting to MySQL.

       --config
           type: Array

           Read this comma-separated list of config files; if specified, this must be the first
           option on the command line.

       --database
           short form: -D; type: string

           The database to use for the connection.

       --defaults-file
           short form: -F; type: string

           Only read mysql options from the given file.  You must give an absolute pathname.

       --drop
           Add DROP USER before each user in the output.

       --flush
           Add FLUSH PRIVILEGES after output.

           You might need this on pre-4.1.1 servers if you want to drop a user completely.

       --[no]header
           default: yes

           Print dump header.

           The header precedes the dumped grants.  It looks like:

             -- Grants dumped by pt-show-grants 1.0.19
             -- Dumped from server Localhost via UNIX socket, MySQL 5.0.82-log at 2009-10-26 10:01:04

           See also "--[no]timestamp".

       --help
           Show help and exit.

       --host
           short form: -h; type: string

           Connect to host.

       --ignore
           type: array

           Ignore this comma-separated list of users.

       --only
           type: array

           Only show grants for this comma-separated list of users.

       --password
           short form: -p; type: string

           Password to use when connecting.  If password contains commas they must be escaped
           with a backslash: "exam\,ple"

       --pid
           type: string

           Create the given PID file.  The tool won't start if the PID file already exists and
           the PID it contains is different than the current PID.  However, if the PID file
           exists and the PID it contains is no longer running, the tool will overwrite the PID
           file with the current PID.  The PID file is removed automatically when the tool exits.

       --port
           short form: -P; type: int

           Port number to use for connection.

       --revoke
           Add REVOKE statements for each GRANT statement.

       --separate
           List each GRANT or REVOKE separately.

           The default output from MySQL's SHOW GRANTS command lists many privileges on a single
           line.  With "--flush", places a FLUSH PRIVILEGES after each user, instead of once at
           the end of all the output.

       --set-vars
           type: Array

           Set the MySQL variables in this comma-separated list of "variable=value" pairs.

           By default, the tool sets:

              wait_timeout=10000

           Variables specified on the command line override these defaults.  For example,
           specifying "--set-vars wait_timeout=500" overrides the defaultvalue of 10000.

           The tool prints a warning and continues if a variable cannot be set.

       --[no]include-unused-roles
           When dumping MySQL 8+ roles, include unused roles.

       --socket
           short form: -S; type: string

           Socket file to use for connection.

       --[no]timestamp
           default: yes

           Add timestamp to the dump header.

           See also "--[no]header".

       --user
           short form: -u; type: string

           User for login if not current user.

       --version
           Show version and exit.

DSN OPTIONS

       These DSN options are used to create a DSN.  Each option is given like "option=value".
       The options are case-sensitive, so P and p are not the same option.  There cannot be
       whitespace before or after the "=" and if the value contains whitespace it must be quoted.
       DSN options are comma-separated.  See the percona-toolkit manpage for full details.

       •   A

           dsn: charset; copy: yes

           Default character set.

       •   D

           dsn: database; copy: yes

           Default database.

       •   F

           dsn: mysql_read_default_file; copy: yes

           Only read default options from the given file

       •   h

           dsn: host; copy: yes

           Connect to host.

       •   p

           dsn: password; copy: yes

           Password to use when connecting.  If password contains commas they must be escaped
           with a backslash: "exam\,ple"

       •   P

           dsn: port; copy: yes

           Port number to use for connection.

       •   S

           dsn: mysql_socket; copy: yes

           Socket file to use for connection.

       •   u

           dsn: user; copy: yes

           User for login if not current user.

ENVIRONMENT

       The environment variable "PTDEBUG" enables verbose debugging output to STDERR.  To enable
       debugging and capture all output to a file, run the tool like:

          PTDEBUG=1 pt-show-grants ... > FILE 2>&1

       Be careful: debugging output is voluminous and can generate several megabytes of output.

SYSTEM REQUIREMENTS

       You need Perl, DBI, DBD::mysql, and some core packages that ought to be installed in any
       reasonably new version of Perl.

BUGS

       For a list of known bugs, see <http://www.percona.com/bugs/pt-show-grants>.

       Please report bugs at <https://bugs.launchpad.net/percona-toolkit>.  Include the following
       information in your bug report:

       •   Complete command-line used to run the tool

       •   Tool "--version"

       •   MySQL version of all servers involved

       •   Output from the tool including STDERR

       •   Input files (log/dump/config files, etc.)

       If possible, include debugging output by running the tool with "PTDEBUG"; see
       "ENVIRONMENT".

DOWNLOADING

       Visit <http://www.percona.com/software/percona-toolkit/> to download the latest release of
       Percona Toolkit.  Or, get the latest release from the command line:

          wget percona.com/get/percona-toolkit.tar.gz

          wget percona.com/get/percona-toolkit.rpm

          wget percona.com/get/percona-toolkit.deb

       You can also get individual tools from the latest release:

          wget percona.com/get/TOOL

       Replace "TOOL" with the name of any tool.

AUTHORS

       Baron Schwartz

ABOUT PERCONA TOOLKIT

       This tool is part of Percona Toolkit, a collection of advanced command-line tools for
       MySQL developed by Percona.  Percona Toolkit was forked from two projects in June, 2011:
       Maatkit and Aspersa.  Those projects were created by Baron Schwartz and primarily
       developed by him and Daniel Nichter.  Visit <http://www.percona.com/software/> to learn
       about other free, open-source software from Percona.

COPYRIGHT, LICENSE, AND WARRANTY

       This program is copyright 2011-2018 Percona LLC and/or its affiliates, 2007-2011 Baron
       Schwartz.

       THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
       WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
       PURPOSE.

       This program is free software; you can redistribute it and/or modify it under the terms of
       the GNU General Public License as published by the Free Software Foundation, version 2; OR
       the Perl Artistic License.  On UNIX and similar systems, you can issue `man perlgpl' or
       `man perlartistic' to read these licenses.

       You should have received a copy of the GNU General Public License along with this program;
       if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
       MA  02111-1307  USA.

VERSION

       pt-show-grants 3.2.1