Merge pull request #411 from percona/ps-9516

PS-9516 Redo Extended SHOW GRANTS for 8.4
percona · Oct 31, 2024 · ac72384 · ac72384
2 parents d5e17eb + 3011a99
commit ac72384
Showing 1 changed file with 48 additions and 12 deletions.
diff --git a/docs/extended-show-grants.md b/docs/extended-show-grants.md
@@ -1,12 +1,51 @@
-# Extended SHOW GRANTS
+# Review effective privileges with SHOW EFFECTIVE GRANTS
 
-In Oracle *MySQL* `SHOW GRANTS` displays only the privileges granted
-explicitly to the named account. Other privileges might be available
-to the account, but they are not displayed. For example, if an
-anonymous account exists, the named account might be able to use its
-privileges, but `SHOW GRANTS` will not display them. *Percona Server for MySQL* offers the `SHOW EFFECTIVE GRANTS` command to display
-all the effectively available privileges to the account, including
-those granted to a different account.
+In MySQL, `SHOW GRANTS` has the following limitations:
+
+* Shows only explicitly granted privileges
+
+* Does not show inherited anonymous user privileges
+
+* Does not show privileges inherited through roles unless the USING clause is specified
+
+Other privileges might be available to the account but are not displayed. For example:
+
+```{.bash data-prompt="mysql>"}
+-- Create named and anonymous users
+mysql> CREATE USER 'user1'@'localhost';
+mysql> CREATE USER ''@'localhost';
+
+-- Grant privilege to anonymous user
+mysql> GRANT SELECT ON db.* TO ''@'localhost';
+```
+
+```{.bash data-prompt="mysql>"}
+-- Check user1's grants
+mysql> SHOW GRANTS FOR 'user1'@'localhost';
+```
+??? example "Expected output"
+
+    ```text
+    GRANT USAGE ON *.* TO 'user1'@'localhost'
+    ```
+
+
+
+Even though 'user1'@'localhost' can use `SELECT on db.*`, this privilege does not appear in `SHOW GRANTS`.
+
+Percona Server for MySQL's `SHOW EFFECTIVE GRANTS` command provides a comprehensive view of a user's permissions. It reveals not only the privileges directly granted to the user but also those inherited from other accounts, such as anonymous users or roles. This includes system-level, database-level, and table-level privileges, giving you a complete picture of the user's access rights within the database.
+
+The benefits are:
+
+* Shows complete privilege picture
+
+* Helps identify privilege sources
+
+* Simplifies security audits
+
+* Makes troubleshooting easier
+
+* Reveals inherited privileges
 
 ## Example
 
@@ -104,7 +143,4 @@ mysql> SHOW EFFECTIVE GRANTS;
     +-------------------------------------------------------------------+
     2 rows in set (0.00 sec)
     ```
-
-## Other reading
-
-* [#53645](https://bugs.mysql.com/bug.php?id=53645) - `SHOW GRANTS` not displaying all the applicable grants
+