How can I export the privileges from MySQL and then import to a new server?

Question

I know how to export/import the databases using mysqldump & that's fine but how do I get the privileges into the new server.

For extra points, there are a couple of existing databases on the new one already, how do I import the old servers privileges without nuking the couple existing of ones.

Old server: 5.0.67-community

New server: 5.0.51a-24+lenny1

EDIT: I've got a dump of the db 'mysql' from the Old Server & now want to know the proper way to merge with the 'mysql' db on the New Server.

I tried a straight 'Import' using phpMyAdmin and ended up with an error regarding a duplicate (one that I've already migrated manually).

Anyone got an elegant way of merging the two 'mysql' databases?

Answer 1

Do not mess with the mysql db. There is a lot more going on there than just the users table. Your best bet is the "SHOW GRANTS FOR" command. I have a lot of CLI maintenance aliases and functions in my .bashrc (actually my .bash_aliases that I source in my .bashrc). This function:

mygrants()
{
  mysql -B -N $@ -e "SELECT DISTINCT CONCAT(
    'SHOW GRANTS FOR \'', user, '\'@\'', host, '\';'
    ) AS query FROM mysql.user" | \
  mysql $@ | \
  sed 's/\(GRANT .*\)/\1;/;s/^\(Grants for .*\)/## \1 ##/;/##/{x;p;x;}'
}

The first mysql command uses SQL to generate valid SQL which is piped to the second mysql command. The output is then piped through sed to add pretty comments.

The $@ in the command will allow you to call it as: mygrants --host=prod-db1 --user=admin --password=secret

You can use your full unix tool kit on this like so:

mygrants --host=prod-db1 --user=admin --password=secret | grep rails_admin | mysql --host=staging-db1 --user=admin --password=secret

That is THE right way to move users. Your MySQL ACL is modified with pure SQL.

Answer 2

There are two methods for extracting SQL Grants from a MySQL Instance

METHOD #1

You can use pt-show-grants from Percona Toolkit

MYSQL_CONN="-uroot -ppassword"
pt-show-grants ${MYSQL_CONN} > MySQLUserGrants.sql

METHOD #2

You can emulate pt-show-grants with the following

MYSQL_CONN="-uroot -ppassword"
mysql ${MYSQL_CONN} --skip-column-names -A -e"SELECT CONCAT('SHOW GRANTS FOR ''',user,'''@''',host,''';') FROM mysql.user WHERE user<>''" | mysql ${MYSQL_CONN} --skip-column-names -A | sed 's/$/;/g' > MySQLUserGrants.sql

Either method will produce a pure SQL dump of the MySQL grants. All there is left to do is to execute the script on a new server:

mysql -uroot -p -A < MySQLUserGrants.sql

Give it a Try !!!

Answer 3

Richard Bronosky's answer was extremely useful for me. Many thanks!!!

Here is a small variation which was useful for me. It is helpful for transfering users e.g. between two Ubuntu installations running phpmyadmin. Just dump privileges for all users apart from root, phpmyadmin and debian-sys-maint. The code is then

mygrants()
{
mysql -B -N $@ -e "SELECT DISTINCT CONCAT(
'SHOW GRANTS FOR ''', user, '''@''', host, ''';'
) AS query FROM mysql.user WHERE user NOT IN ('root','phpmyadmin','debian-sys-maint')"  | \
mysql $@ | \
sed 's/\(GRANT .*\)/\1;/;s/^\(Grants for .*\)/## \1 ##/;/##/{x;p;x;}'
}

Answer 4

Or, utilize percona-toolkit (former maatkit) and use pt-show-grants (or mk-show-grants) for that purpose. No need for cumbersome scripts and/or stored procedures.

Answer 5

You can mysqldump the 'mysql' database and import to the new one; a flush_privileges or restart will be required and you'll definitely want to back up the existing mysq db first.

To avoid removing your existing privileges, make sure to append rather than replace rows in the privilege tables (db, columns_priv, host, func, etc.).

Answer 6

You could also do it as a stored procedure:

CREATE PROCEDURE spShowGrants()
    READS SQL DATA
    COMMENT 'Show GRANT statements for users'
BEGIN
    DECLARE v VARCHAR(64) CHARACTER SET utf8;
    DECLARE c CURSOR FOR
    SELECT DISTINCT CONCAT(
        'SHOW GRANTS FOR ', user, '@', host, ';'
    ) AS query FROM mysql.user;
    DECLARE EXIT HANDLER FOR NOT FOUND BEGIN END;  
    OPEN c;
    WHILE TRUE DO
        FETCH c INTO v;
        SET @v = v;
        PREPARE stmt FROM @v;
        EXECUTE stmt;
    END WHILE;
    CLOSE c;
END

and call it with

$ mysql -p -e "CALL spShowGrants" mysql

then pipe the output through Richards sed command to get a backup of the privileges.

Answer 7

How about a PHP script? :)

View source on this script and you will have all the privileges listed:

//connect
mysql_select_db("mysql", mysql_connect("localhost","root",""));

//create grants select statements
$rs = mysql_query("SELECT DISTINCT CONCAT('SHOW GRANTS FOR ''', user, '''@''', host, ''';') AS query FROM user");

//iterate through grants
while ($row=mysql_fetch_array($rs)) {
    //run grant query
    $rs2 = mysql_query($row['query']);
    //iterate through results
    while($row2 = mysql_fetch_array($rs2)){
        //print results
        echo $row2[0] . ";\n\n";
    }
}

Answer 8

While it appears @Richard Bronosky's answer is the correct one, I came across this question after trying to migrate a set of databases from one server to another and the solution was much simpler:

server1$ mysqldump -u root -p --all-databases > dbdump.sql

server2$ mysql -u root -p < dbdump.sql

At this point, all my data was visible if I logged in as root, the mysql.user table had everything in it I was expecting, but I couldn't log in as any of the other users and found this question assuming I'd have to re-issue the GRANT statements.

However, it turns out that the mysql server simply needed to be restarted for the updated privileges in the mysql.* tables to take effect:

server2$ sudo restart mysql

Hopefully that helps someone else achieve what should be a simple task!

Answer 9

create a shell script file with the following code:

##############################################3

echo "SELECT DISTINCT CONCAT (\"show grants for '\", user, \"'@'\", host, \"';\") AS query FROM mysql.user; " >   script.sql    
echo "*** You will be asked to enter the root password twice ******"    
mysql -u root -p  < script.sql > output.sql ;    
cat output.sql | grep show > output1.sql  ; rm output.sql -f ; 
mysql -u root -p  < output1.sql > output.sql ;
clear
echo "-----Exported Grants-----"    
cat  output.sql ; rm  output.sql   output1.sql -f    
echo "-------------------------"
rm  script.sql -f

#

****then run it on the shell like this: you will be asked to enter the root password twice and then the GRANTS SQL will be displayed on the screen.****

Answer 10

A challenge often encountered with some of the shell-based and command-line-based answers here is trying to execute them on a remote server -- the level of escaping of all the ticks and double-quotes and backslashes gets insane. Here is a way this can be done, from the command-line on a remote server:

cat  << EOQ | ssh $REMOTE_SERVER 'mysql -B -N  mysql | mysql -B -N ' | mysql 
 SELECT CONCAT('show grants for \'', user,'\'@\'', host, '\'\;') FROM user WHERE user != 'root' AND user != ''
EOQ

This command logs into the remote server remotely (here, we assume passwords are not needed with ssh keys and mysql/my.cnf/client configurations), executes the query which generates the show grants commands, a second mysql execution runs the generated commands, and the final mysql in the pipeline is executed on the local server which applies those show grants output on the local server.

The "root" user is not copied for security reasons.

Answer 11

One-liner doing pretty much the same as the awesome pt-show-grants:

mysql --skip-column-names -A -e"SELECT CONCAT('SHOW GRANTS FOR ''',user,'''@''',host,''';') FROM mysql.user WHERE user<>''" | mysql --skip-column-names -A | sed 's/$/;/g'

Based on unix tools only, no additional software needed.

Execute from within a bash shell, assumed is you have a working .my.cnf where the password of your mysql root user can be read.