/usr/bin/mysqlgrants is in mysql-utilities 1.6.1-2.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 | #!/usr/bin/python
#
# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
"""
This file contains the privilege display utility. It is used to show
the list of users and their privileges over the set of objects presented by
the user.
"""
from mysql.utilities.command.grants import check_grants
from mysql.utilities.common.ip_parser import parse_connection
from mysql.utilities.common.options import (setup_common_options,
add_verbosity,
db_objects_list_to_dictionary)
from mysql.utilities.common.tools import (check_python_version,
check_connector_python,
join_and_build_str)
# Check Python version compatibility
from mysql.utilities.exception import UtilError, FormatError
check_python_version()
import os
import sys
# Check for connector/python
if not check_connector_python():
sys.exit(1)
# Constants
_VALID_PRIVS = set(["CREATE", "DROP", "GRANT OPTION", "LOCK TABLES",
"REFERENCES", "EVENT", "ALTER", "DELETE", "INDEX",
"INSERT", "SELECT", "UPDATE", "TRIGGER", "CREATE VIEW",
"CREATE TEMPORARY TABLES", "SHOW VIEW", "ALTER ROUTINE",
"CREATE ROUTINE", "EXECUTE", "FILE", "CREATE TABLESPACE",
"CREATE USER", "PROCESS", "RELOAD", "REPLICATION CLIENT",
"REPLICATION SLAVE", "SHOW DATABASES", "SHUTDOWN",
"SUPER", "ALL", "ALL PRIVILEGES", "USAGE", "REFERENCES"])
NAME = "MySQL Utilities - mysqlgrants"
DESCRIPTION = "mysqlgrants - display grants per object"
USAGE = ("%prog --server=user:pass@host:port \\\n"
" [<db_name>[.<obj_name>]]")
EXTENDED_HELP = """
Introduction
------------
The mysqlgrants utility is designed to display the users who have access to a
list of objects and/or databases. It can also display the privileges grouped
by user and the raw GRANT statements.
Furthermore, if the user specifies a list of privileges, the utility shall
display those users who have all of the privileges listed (they are AND
conditions).
In order to use the utility, you need to specify at least one object to check.
To specify several objects at once, you should list each object as a separate
argument for the utility, using full qualified names as shown by the following
examples:
# Get the list of users with their respective privileges for the 'db1'
# database and 'db1'.'table1' table.
$ mysqlgrants --server=root:pass@host1:3306 \\
--show=user_grants db1 db1.table1
# Get the list of users with both SELECT and UPDATE privileges on the 'db1'
# database and 'db1'.'table1' table.
$ mysqlgrants --server=root:pass@host1:3306 \\
--show=users --privileges=SELECT,UPDATE db1 db1.table1
# Get the list of users that have at least the TRIGGER and DROP privileges
# for database 'db1' and 'db1'.'table1' table and show the list of SQL GRANT
# statements that grant them those privileges.
$ mysqlgrants --server=root:pass@host1:3306 \\
--show=raw --privileges=TRIGGER,DROP db1 db1.table1
Helpful Hints
-------------
- To use the --show=users option you need to specify at least one privilege
using the --privilege option.
- You can list the users that have specific privileges using the option
--privileges. The user must have all privileges listed in order to be
included in the result.
- If you specify some privileges on the --privileges option that are not
valid for all the specified objects, any that do not apply are not
included in the list. For example, the SELECT privilege will be
ignored for stored routines and the EXECUTE privilege will be ignored for
tables but both will be taken into account for databases.
"""
if __name__ == '__main__':
# Setup the command parser (with common options).
parser = setup_common_options(os.path.basename(sys.argv[0]), DESCRIPTION,
USAGE, append=False, server=True,
server_default=None,
extended_help=EXTENDED_HELP)
# Add verbosity option (no --quite option).
add_verbosity(parser, False)
# Add show mode options
parser.add_option("--show", action="store",
dest="show_mode", type="choice",
default="user_grants",
choices=["users", "user_grants", "raw"],
help="Controls the content of the report. If the value "
"USERS is specified, the report shows only the "
"list of users with any kind of grant over the "
"object. If USER_GRANTS is specified the reports "
"shows each user along with her list of privileges "
"for each object. Finally, specifying RAW the "
"utility returns each user along with the list of "
"SQL grant statements that have influence over the "
"specific object. Default is USER_GRANTS.")
parser.add_option("--privileges", action="store", dest="privileges",
type="string", default=None,
help="Minimum set of privileges that a user must have "
"for any given object. Unless a user has all the "
"privileges listed for a specific object, "
"she will not appear in the list of users with "
"privileges for that specific object. To list "
"multiple privileges, use a comma-separated list.")
# Now we process the rest of the arguments.
opt, args = parser.parse_args()
if not opt.server:
parser.error("You need to specify a server using the --server option.")
# Parse server connection
server_val = None
try:
server_val = parse_connection(opt.server, None, opt)
except FormatError:
_, err, _ = sys.exc_info()
parser.error("Server connection values invalid: "
"{0!s}.".format(err))
except UtilError:
_, err, _ = sys.exc_info()
parser.error("Server connection values invalid: "
"{0!s}.".format(err.errmsg))
# The --show=users can only be used together with the privilege option
if opt.show_mode == 'users' and not opt.privileges:
parser.error("The --show=users can only be used if you specify a "
"list of privileges with the --privileges option.")
# Process list objects for which grants will be shown
# (check format errors).
objects_to_include = {}
if args:
objects_to_include = db_objects_list_to_dictionary(
parser, args, 'list of objects to show the grants',
db_over_tables=False)
else:
parser.error("You need to specify at least one object (database, table"
" or routine) in order to get the list of grantees.")
# Validate list of privileges:
priv_list = None
if opt.privileges:
priv_list = [priv.upper() for priv in opt.privileges.split(',')]
if opt.verbosity and opt.verbosity > 2:
print("The list of supported privileges is {0}".format(
join_and_build_str(sorted(_VALID_PRIVS))))
for priv in priv_list:
if priv not in _VALID_PRIVS:
if priv == "PROXY":
print("# WARNING: PROXY privilege is not supported ("
"privilege ignored).")
else:
parser.error("Unknown privilege: '{0}'. For a list of "
"valid privileges, please check: http://dev."
"mysql.com/doc/en/privileges-provided."
"html".format(priv))
# Set options for database operations.
options = {
"verbosity": 0 if opt.verbosity is None else opt.verbosity,
"privileges": priv_list,
"show_mode": opt.show_mode,
}
try:
check_grants(server_val, options, objects_to_include)
except UtilError:
_, e, _ = sys.exc_info()
print("ERROR: {0}".format(e.errmsg))
sys.exit(1)
except Exception:
_, e, _ = sys.exc_info()
print("ERROR: {0}".format(e))
sys.exit(1)
print("#...done.")
sys.exit()
|