|
1 |
| -# Extended SHOW GRANTS |
| 1 | +# Review effective privileges with SHOW EFFECTIVE GRANTS |
2 | 2 |
|
3 |
| -In Oracle *MySQL* `SHOW GRANTS` displays only the privileges granted |
4 |
| -explicitly to the named account. Other privileges might be available |
5 |
| -to the account, but they are not displayed. For example, if an |
6 |
| -anonymous account exists, the named account might be able to use its |
7 |
| -privileges, but `SHOW GRANTS` will not display them. *Percona Server for MySQL* offers the `SHOW EFFECTIVE GRANTS` command to display |
8 |
| -all the effectively available privileges to the account, including |
9 |
| -those granted to a different account. |
| 3 | +In MySQL, `SHOW GRANTS` has the following limitations: |
| 4 | + |
| 5 | +* Shows only explicitly granted privileges |
| 6 | + |
| 7 | +* Does not show inherited anonymous user privileges |
| 8 | + |
| 9 | +* Does not show privileges inherited through roles unless the USING clause is specified |
| 10 | + |
| 11 | +Other privileges might be available to the account but are not displayed. For example: |
| 12 | + |
| 13 | +```{.bash data-prompt="mysql>"} |
| 14 | +-- Create named and anonymous users |
| 15 | +mysql> CREATE USER 'user1'@'localhost'; |
| 16 | +mysql> CREATE USER ''@'localhost'; |
| 17 | + |
| 18 | +-- Grant privilege to anonymous user |
| 19 | +mysql> GRANT SELECT ON db.* TO ''@'localhost'; |
| 20 | +``` |
| 21 | + |
| 22 | +```{.bash data-prompt="mysql>"} |
| 23 | +-- Check user1's grants |
| 24 | +mysql> SHOW GRANTS FOR 'user1'@'localhost'; |
| 25 | +``` |
| 26 | +??? example "Expected output" |
| 27 | +
|
| 28 | + ```text |
| 29 | + GRANT USAGE ON *.* TO 'user1'@'localhost' |
| 30 | + ``` |
| 31 | +
|
| 32 | +
|
| 33 | +
|
| 34 | +Even though 'user1'@'localhost' can use `SELECT on db.*`, this privilege does not appear in `SHOW GRANTS`. |
| 35 | +
|
| 36 | +Percona Server for MySQL's `SHOW EFFECTIVE GRANTS` command provides a comprehensive view of a user's permissions. It reveals not only the privileges directly granted to the user but also those inherited from other accounts, such as anonymous users or roles. This includes system-level, database-level, and table-level privileges, giving you a complete picture of the user's access rights within the database. |
| 37 | + |
| 38 | +The benefits are: |
| 39 | + |
| 40 | +* Shows complete privilege picture |
| 41 | + |
| 42 | +* Helps identify privilege sources |
| 43 | + |
| 44 | +* Simplifies security audits |
| 45 | + |
| 46 | +* Makes troubleshooting easier |
| 47 | + |
| 48 | +* Reveals inherited privileges |
10 | 49 |
|
11 | 50 | ## Example
|
12 | 51 |
|
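Review bot: The setup example at new lines 15-19 creates `'user1'@'localhost'` without an `IDENTIFIED BY` clause and an anonymous `''@'localhost'` account holding `SELECT ON db.*`, and nothing in the hunk removes either account afterwards. A reader who pastes this into a shared server is left with a passwordless account and an anonymous account whose privilege, as the text at new line 34 says, is usable by the named local user. Suggest stating that the example is meant for a disposable test instance and closing it with `DROP USER 'user1'@'localhost';` and `DROP USER ''@'localhost';`. Two smaller points: the `??? example "Expected output"` line at new line 26 follows the closing fence at new line 25 with no blank line between them, unlike the other blocks in this hunk, so a blank line there would keep the admonition a separate block; and in the benefits list, "Shows complete privilege picture" and "Reveals inherited privileges" overlap, so one of them can be dropped.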
@@ -104,7 +143,4 @@ mysql> SHOW EFFECTIVE GRANTS;
|
104 | 143 | +-------------------------------------------------------------------+
|
105 | 144 | 2 rows in set (0.00 sec)
|
106 | 145 | ```
|
107 |
| - |
108 |
| -## Other reading |
109 |
| - |
110 |
| -* [#53645](https://bugs.mysql.com/bug.php?id=53645) - `SHOW GRANTS` not displaying all the applicable grants |
| 146 | + |
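Review bot: Deleting the `## Other reading` section (old lines 108-110) removes the page's only link to upstream bug #53645, "`SHOW GRANTS` not displaying all the applicable grants", which is the reference a reader auditing privileges would follow to confirm the limitation the rewritten introduction describes. Suggest keeping the link, either in its own section or next to the limitations list. The `+` at new line 146 appears to add only a blank line after the closing fence; if so, it can be left out so the file does not end with a stray empty line.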