Preface

    Regulating user privileges is an important part of a DBA's routine work. As we all know, the fewer privileges a user holds, the lower the risk that someone without a legitimate need manipulates data maliciously. On the other hand, when we implement HA, replication or other tools, granting exactly the privileges a specific user needs is both significant and efficient.
 
Introduction

    pt-show-grants is the right tool for this: it directly provides an overview of the grants of all users on the connected MySQL server, which is rather convenient for us. There are several further advantages of using it. First, you can dump user grants from one server and load them on another one simply. Secondly, you can put the user grants under version control, because it sorts the grant statements into a stable order, which "show grants;" does not do. Thirdly, since it provides a more normalized format than "show grants;" does, you can efficiently distinguish the differences between the user grants on two servers.
 
Procedure
 
Usage
    pt-show-grants [OPTIONS] [DSN]
Parameters
    //Regular parameters.
    --drop //Add "DROP USER" before each user in the output, which gives you the DDL for dropping the user.
    --flush //Add "FLUSH PRIVILEGES" after the output (needed on servers older than 4.1.1).
    --ignore //Specify the users to ignore.
    --only //The opposite of "--ignore": specify only the users you want.
    --include-unused-roles //This option is only for MySQL 8.0+, which supports roles.
    --separate //List each grant and revoke statement separately.

    //Dump header relevant.
    --no-header //Don't print the header information of the dump.
    --no-timestamp //Don't add a timestamp to the header of the dump.
Examples
 
Execute without any parameters (it will read the connection options from the default my.cnf).
    [root@zlm1 :: ~]
    #pt-show-grants
    -- Grants dumped by pt-show-grants
    -- Dumped from server Localhost via UNIX socket, MySQL 5.7.-log at -- ::
    -- Grants for 'bkuser'@'localhost'
    CREATE USER IF NOT EXISTS 'bkuser'@'localhost';
    ALTER USER 'bkuser'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*3DE5D9E4FBC1E464DA1B1172D6333CE89FDE5C61' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
    GRANT LOCK TABLES, PROCESS, RELOAD, REPLICATION CLIENT ON *.* TO 'bkuser'@'localhost';
    -- Grants for 'mysql.session'@'localhost'
    CREATE USER IF NOT EXISTS 'mysql.session'@'localhost';
    ALTER USER 'mysql.session'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT LOCK;
    GRANT SELECT ON `mysql`.`user` TO 'mysql.session'@'localhost';
    GRANT SELECT ON `performance_schema`.* TO 'mysql.session'@'localhost';
    GRANT SUPER ON *.* TO 'mysql.session'@'localhost';
    -- Grants for 'mysql.sys'@'localhost'
    CREATE USER IF NOT EXISTS 'mysql.sys'@'localhost';
    ALTER USER 'mysql.sys'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT LOCK;
    GRANT SELECT ON `sys`.`sys_config` TO 'mysql.sys'@'localhost';
    GRANT TRIGGER ON `sys`.* TO 'mysql.sys'@'localhost';
    GRANT USAGE ON *.* TO 'mysql.sys'@'localhost';
    -- Grants for 'repl'@'192.168.56.%'
    CREATE USER IF NOT EXISTS 'repl'@'192.168.56.%';
    ALTER USER 'repl'@'192.168.56.%' IDENTIFIED WITH 'mysql_native_password' AS '*872ECE72A7EBAC6A183C90D7043D5F359BD85A9E' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
    GRANT ALL PRIVILEGES ON *.* TO 'repl'@'192.168.56.%';
    -- Grants for 'root'@'localhost'
    CREATE USER IF NOT EXISTS 'root'@'localhost';
    ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*DDFB542AA0BD1D251995D81AEBEB96DEEAD1132F' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
    GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION;
Specify only the user "root".
    [root@zlm1 :: ~]
    #pt-show-grants -hlocalhost -P3306 -uroot -pPassw0rd --only=root
    -- Grants dumped by pt-show-grants
    -- Dumped from server Localhost via UNIX socket, MySQL 5.7.-log at -- ::
    -- Grants for 'root'@'localhost'
    CREATE USER IF NOT EXISTS 'root'@'localhost';
    ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*DDFB542AA0BD1D251995D81AEBEB96DEEAD1132F' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
    GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION;
Specify only the user "root", with the revoke statements listed separately from the grant statements.
    [root@zlm1 :: ~]
    #pt-show-grants -hlocalhost -P3306 -uroot -pPassw0rd --only=root --separate --revoke
    -- Grants dumped by pt-show-grants
    -- Dumped from server Localhost via UNIX socket, MySQL 5.7.-log at -- ::
    -- Revoke statements for 'root'@'localhost'
    REVOKE ALL PRIVILEGES ON *.* FROM 'root'@'localhost';
    REVOKE GRANT OPTION ON *.* FROM 'root'@'localhost';
    REVOKE PROXY ON ''@'' FROM 'root'@'localhost';
    REVOKE GRANT OPTION ON *.* FROM 'root'@'localhost';
    -- Grants for 'root'@'localhost'
    CREATE USER IF NOT EXISTS 'root'@'localhost';
    ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*DDFB542AA0BD1D251995D81AEBEB96DEEAD1132F' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
    GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION;
Specify only the user "root", with a drop statement.
    [root@zlm1 :: ~]
    # pt-show-grants -hlocalhost -P3306 -uroot -pPassw0rd --only=root --drop
    -- Grants dumped by pt-show-grants
    -- Dumped from server Localhost via UNIX socket, MySQL 5.7.-log at -- ::
    DROP USER 'root'@'localhost';
    DELETE FROM `mysql`.`user` WHERE `User`='root' AND `Host`='localhost';
    -- Grants for 'root'@'localhost'
    CREATE USER IF NOT EXISTS 'root'@'localhost';
    ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*DDFB542AA0BD1D251995D81AEBEB96DEEAD1132F' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
    GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION;
Specify only the user "repl", with no timestamp.
    [root@zlm1 :: ~]
    #pt-show-grants -h192.168.56. -P3306 -urepl -prepl4slave --only repl --no-timestamp
    -- Grants dumped by pt-show-grants
    -- Dumped from server 192.168.56.100 via TCP/IP, MySQL 5.7.-log
    -- Grants for 'repl'@'192.168.56.%'
    CREATE USER IF NOT EXISTS 'repl'@'192.168.56.%';
    ALTER USER 'repl'@'192.168.56.%' IDENTIFIED WITH 'mysql_native_password' AS '*872ECE72A7EBAC6A183C90D7043D5F359BD85A9E' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
    GRANT ALL PRIVILEGES ON *.* TO 'repl'@'192.168.56.%';
Specify only the user "repl", with no header.
    [root@zlm1 :: ~]
    #pt-show-grants -h192.168.56. -P3306 -urepl -prepl4slave --only repl --no-header
    -- Grants for 'repl'@'192.168.56.%' //Only the per-user comment line is left this time.
    CREATE USER IF NOT EXISTS 'repl'@'192.168.56.%';
    ALTER USER 'repl'@'192.168.56.%' IDENTIFIED WITH 'mysql_native_password' AS '*872ECE72A7EBAC6A183C90D7043D5F359BD85A9E' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
    GRANT ALL PRIVILEGES ON *.* TO 'repl'@'192.168.56.%';

Find the differences in user privileges between zlm1 & zlm2 and make them the same.

    //Dump the user grants into a file on server zlm1.
    [root@zlm1 :: ~]
    #pt-show-grants -h192.168.56. -P3306 -urepl -prepl4slave --only repl > repl_grants.sql

    //Copy the file to zlm2.
    [root@zlm1 :: ~]
    #scp repl_grants.sql 192.168.56.101:~
    repl_grants.sql % .4KB/s :

    [root@zlm1 :: ~]

    //Show user information on zlm2.
    root@localhost:mysql.sock [(none)]>select user,host from mysql.user;
    +---------------+--------------+
    | user          | host         |
    +---------------+--------------+
    | repl          | 192.168..%   |
    | bkuser        | localhost    |
    | mysql.session | localhost    |
    | mysql.sys     | localhost    |
    | root          | localhost    |
    +---------------+--------------+
    rows in set (0.00 sec)

    //Show user grants information.
    root@localhost:mysql.sock [(none)]>show grants for repl@'192.168.56.%';
    +---------------------------------------------------------+
    | Grants for repl@192.168..%                              |
    +---------------------------------------------------------+
    | GRANT REPLICATION SLAVE ON *.* TO 'repl'@'192.168.56.%' |
    +---------------------------------------------------------+
    row in set (0.00 sec)

    //Revoke the privileges from the repl user to mimic a difference.
    root@localhost:mysql.sock [(none)]>revoke all on *.* from repl@'192.168.56.%';
    Query OK, rows affected (0.00 sec)

    root@localhost:mysql.sock [(none)]>show grants for repl@'192.168.56.%';
    +---------------------------------------------+
    | Grants for repl@192.168..%                  |
    +---------------------------------------------+
    | GRANT USAGE ON *.* TO 'repl'@'192.168.56.%' |
    +---------------------------------------------+
    row in set (0.00 sec)

    //Check the difference against zlm1.
    [root@zlm2 :: ~]
    #pt-show-grants -hlocalhost -P3306 -uroot -pPassw0rd --only repl | diff repl_grants.sql -
    2c2
    < -- Dumped from server 192.168.56.100 via TCP/IP, MySQL 5.7.-log at -- ::
    ---
    > -- Dumped from server Localhost via UNIX socket, MySQL 5.7.-log at -- ::
    6c6
    < GRANT ALL PRIVILEGES ON *.* TO 'repl'@'192.168.56.%'; //User privileges in the dump file.
    ---
    > GRANT USAGE ON *.* TO 'repl'@'192.168.56.%'; //User privileges on the local server.

    [root@zlm2 :: ~]
    #mysql -hlocalhost -S /var/lib/mysql/mysql.sock -uroot -pPassw0rd < repl_grants.sql >/dev/null //Import the user grants from the dump file.

    //Check the privileges of user repl again.
    [root@zlm2 :: ~]
    #mysql
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is
    Server version: 5.7.-log MySQL Community Server (GPL)

    Copyright (c) , , Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    root@localhost:mysql.sock [(none)]>show grants for repl@'192.168.56.%';
    +------------------------------------------------------+
    | Grants for repl@192.168..%                           |
    +------------------------------------------------------+
    | GRANT ALL PRIVILEGES ON *.* TO 'repl'@'192.168.56.%' | //The privileges are the same as on zlm1 now.
    +------------------------------------------------------+
    row in set (0.00 sec)
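The comparison above pipes two dumps through diff, which reports the "-- Dumped from ... at ..." header line as a difference every time even when the grants are identical. The following Python script is an added example, not part of the original post or of Percona Toolkit. It parses the dump format shown above per account, skips the header lines so that only real grant differences are reported (the version-control and comparison uses mentioned in the Introduction), and additionally flags global grants carrying ALL PRIVILEGES, SUPER or GRANT OPTION so that a reviewer notices, for example, that the repl account above holds far more than the REPLICATION SLAVE privilege zlm2 originally granted it. The two dumps are constructed from the post's output with placeholder version strings and timestamps; the function names (parse_dump, diff_grants, overbroad_grants) are my own.

```python
"""Compare two pt-show-grants dumps per account, ignoring the volatile header.

Added example, not from the original post or Percona Toolkit. It assumes only
the dump format shown in the post: '-- Grants for <account>' comment lines
followed by CREATE USER / ALTER USER / GRANT statements, one per line.
"""
import re
from collections import OrderedDict

# Constructed sample: the dump taken on zlm1 (the reference copy). The
# version string and timestamp are placeholders, not values from the post.
DUMP_ZLM1 = """\
-- Grants dumped by pt-show-grants
-- Dumped from server 192.168.56.100 via TCP/IP, MySQL 5.7.x-log at 2018-01-01 00:00:00
-- Grants for 'repl'@'192.168.56.%'
CREATE USER IF NOT EXISTS 'repl'@'192.168.56.%';
ALTER USER 'repl'@'192.168.56.%' IDENTIFIED WITH 'mysql_native_password' AS '*872ECE72A7EBAC6A183C90D7043D5F359BD85A9E' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
GRANT ALL PRIVILEGES ON *.* TO 'repl'@'192.168.56.%';
"""

# Constructed sample: the same account on zlm2 after its privileges were revoked.
DUMP_ZLM2 = """\
-- Grants dumped by pt-show-grants
-- Dumped from server Localhost via UNIX socket, MySQL 5.7.x-log at 2018-01-01 00:05:00
-- Grants for 'repl'@'192.168.56.%'
CREATE USER IF NOT EXISTS 'repl'@'192.168.56.%';
ALTER USER 'repl'@'192.168.56.%' IDENTIFIED WITH 'mysql_native_password' AS '*872ECE72A7EBAC6A183C90D7043D5F359BD85A9E' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK;
GRANT USAGE ON *.* TO 'repl'@'192.168.56.%';
"""

USER_HEADER = re.compile(r"^-- Grants for ('[^']*'@'[^']*')$")


def parse_dump(text):
    """Return {account: set(statements)} from pt-show-grants output.

    The dump banner and the 'Dumped from ... at <timestamp>' line are skipped,
    so two dumps of identical grants compare equal regardless of when and
    where they were taken.
    """
    grants = OrderedDict()
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = USER_HEADER.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, set())
            continue
        if line.startswith("--"):
            continue  # banner / timestamp comment lines: deliberately ignored
        if current is not None:
            grants[current].add(line)
    return grants


def diff_grants(expected_text, actual_text):
    """Per-account differences as (account, missing_on_actual, extra_on_actual)."""
    expected = parse_dump(expected_text)
    actual = parse_dump(actual_text)
    report = []
    for account in sorted(set(expected) | set(actual)):
        want = expected.get(account, set())
        have = actual.get(account, set())
        if want != have:
            report.append((account, sorted(want - have), sorted(have - want)))
    return report


# Privilege keywords that give far more than a replication or backup account needs.
BROAD = ("ALL PRIVILEGES", "SUPER", "WITH GRANT OPTION")


def overbroad_grants(text):
    """Flag GRANT statements on *.* that carry ALL PRIVILEGES, SUPER or GRANT OPTION."""
    flagged = []
    for account, stmts in parse_dump(text).items():
        for s in sorted(stmts):
            if s.startswith("GRANT") and " ON *.* " in s and any(k in s for k in BROAD):
                flagged.append((account, s))
    return flagged


if __name__ == "__main__":
    for account, missing, extra in diff_grants(DUMP_ZLM1, DUMP_ZLM2):
        print(f"{account}: missing on target {missing}; extra on target {extra}")
    for account, stmt in overbroad_grants(DUMP_ZLM1):
        print(f"review: {account} -> {stmt}")
```

Running pt-show-grants with --no-timestamp, as in the examples above, removes the volatile line at the source when dumps are committed to version control; the header skipping in parse_dump covers dumps that were taken without it. The overbroad_grants check is a review aid only: it reports what the dump already states and changes nothing on the server.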
Summary
  • pt-show-grants helps us DBAs manage user privileges better than the MySQL command line "show grants for ...;" does.
  • pt-show-grants is convenient to use even with no options specified at all.
  • pt-show-grants can be used to check the differences in user privileges between servers.
  • pt-show-grants is not an intrusive tool like pt-pmp; you can run it at any time you need.
