Percona Toolkit moved to https://jira.percona.com/projects/PT

pt-show-grants --separate fails with proxy user

Bug #844034 reported by Derek Downey on 2011-09-07

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	Percona Toolkit moved to https://jira.percona.com/projects/PT	Fix Released	Medium	Baron Schwartz	Percona Toolkit moved to https://jira.percona.com/projects/PT 2.1.2

Bug Description

System info: Using pt-show-grants version 1.0.1 on mysql 5.5.15

pt-show-grants gives the following error when the --separate flag is specified: Use of uninitialized value in split at /usr/bin/pt-show-grants line 1714.

Here is output without separate flag:

$ pt-show-grants
-- Grants dumped by pt-show-grants
-- Dumped from server rs.dev via TCP/IP, MySQL 5.5.15-log at 2011-09-07 10:55:09
-- Grants for 'dtest'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'dtest'@'localhost' IDENTIFIED BY PASSWORD 'mypass';
-- Grants for 'proxy'@'localhost'
GRANT PROXY ON 'dtest'@'localhost' TO 'proxy'@'localhost';
GRANT USAGE ON *.* TO 'proxy'@'localhost';
-- Grants for 'root'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD 'rootPass' WITH GRANT OPTION;
GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION;

And output with separate flag:
$ pt-show-grants --separate
-- Grants dumped by pt-show-grants
-- Dumped from server rs.dev via TCP/IP, MySQL 5.5.15-log at 2011-09-07 10:55:01
-- Grants for 'dtest'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'dtest'@'localhost' IDENTIFIED BY PASSWORD 'mypass';
Use of uninitialized value in split at /usr/bin/pt-show-grants line 1714.

I am only assuming this is because there is no GRANT USAGE clause for the user `dtest`@`localhost`, which is set up as a proxy user.

See original description

Tags:

Revision history for this message

Derek Downey (derek-9) wrote on 2011-09-07:

Just to clarify why I believe this is happening. For these Grants:
GRANT PROXY ON 'dtest'@'localhost' TO 'proxy'@'localhost';
GRANT USAGE ON *.* TO 'proxy'@'localhost';

The GRANT USAGE is for the `proxy`@`localhost` user and not the parent user `dtest`@`localhost`;

Proxy User was set up using mysql's test authentication plugin, process described here: http://dba.stackexchange.com/questions/526/can-you-su-in-mysql/4708#4708

Derek Downey (derek-9) on 2011-09-07

description:

updated

Revision history for this message

Tom Krouper (thomas-krouper) wrote on 2011-11-04:

I've run into the same situation after upgrading from 5.1 to 5.5 and running mysql_upgrade. The upgrade utility apparently creates "GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION;" automatically.

Daniel Nichter (daniel-nichter) on 2011-12-16

tags:

added: pt-show-grants
removed: proxy-users

Revision history for this message

William Taylor (williamt-sonic) wrote on 2012-03-05:

proxy.patch Edit (616 bytes, text/plain)

I ran into this bug with the --revoke option.
I believe this patch will fix the problem

Brian Fraser (fraserbn) on 2012-03-08

Changed in percona-toolkit:
status:	New → Confirmed

Revision history for this message

William Taylor (williamt-sonic) wrote on 2012-04-03:

Can we get this patch applied? Just had to re-apply patch after an upgrade happened last month. Took me a bit to remember why revoke wasn't working and to notice the upgrade happened.

Revision history for this message

Baron Schwartz (baron-xaprb) wrote on 2012-04-03:

We are about to release 2.1.1 and this bug will not be fixed due to lack of time. But we can target it to the next releases in the 2.0 and 2.1 series, and if you can provide a complete fix including updated test cases and any new test cases needed, that will greatly ease the amount of work we will need to do ourselves. Even a "simple" 616-byte patch is a lot more work than meets the eye.

Revision history for this message

William Taylor (williamt-sonic) wrote on 2012-04-03:

proxy.patch Edit (942 bytes, text/plain)

Thanks Barron. In hindsight I probably should have submitted this as a separate bug. Here is an updated patch.
My original patch only fixed running with --revoke this fixes running with --separate also.

If u have a GRANT PROXY option --revoke and or --separate will fail because the regex pt-show-grants uses only tests for backticks or asterisk after the ON statement but PROXY GRANTS use single quotes.

example:
asterisk: GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' WITH GRANT OPTION;
backticks: GRANT ALL PRIVILEGES ON `test`.* TO 'root'@'127.0.0.1';

This is the GRANT statement that breaks pt-show-grants using --revoke and or --separate because it uses single quotes
GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION;

with --revoke
Use of uninitialized value $grants in concatenation (.) or string at /usr/bin/pt-show-grants line 1767.
with --separate
Use of uninitialized value $grants in split at /usr/bin/pt-show-grants line 1718.

Thanks,
William

Revision history for this message

Baron Schwartz (baron-xaprb) wrote on 2012-06-12:

This bug will be fixed in the upcoming release.

Changed in percona-toolkit:
status:	Confirmed → Fix Committed
importance:	Undecided → Medium
assignee:	nobody → Baron Schwartz (baron-xaprb)
milestone:	none → 2.1.2
tags:	added: mysql-5.5

Daniel Nichter (daniel-nichter) on 2012-06-19

Changed in percona-toolkit:
status:	Fix Committed → Fix Released

Revision history for this message

Shahriyar Rzayev (rzayev-sehriyar) wrote on 2018-01-24:

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PT-419

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.