Sign inTry Free

SHOW GRANTS

On this page

Show permissions (privileges) for the specified user (or role).

Syntax

SHOW GRANTS [FOR {user | role}]


user:
  'user'@'host_name'
role:
  ROLE 'role_name'

Arguments

  • 'user'@'host_name' - user for which to show privileges. If a hostname is not specified, @'%' will be appended to the user string. For example, 'demo-user' is equivalent to 'demo-user'@'%'.The '%' wildcard matches any hostname. user and host_name need not be quoted if they are legal as unquoted identifiers. Quotes must be used if a host_name string contains wildcard characters (such as %), or a user string contains special characters (such as space or -) or is a restricted keyword.

  • 'role_name' - role for which to show privileges

Remarks

  • This command can be run on any SingleStore node. For more information, see Node Requirements for SingleStore Commands.

  • The SHOW GRANTS output depends on the value of the engine variable privilege_transfer_mode. If the value is left at the default value grant_option, then the output is one row and can include the WITH GRANT OPTION privilege. If the value is per_privilege, then the output can be two rows. The first row will display the non-transferable privileges. The second row will display the transferable privileges.

    Note: The user must have SYSTEM_VARIABLES_ADMIN privilege to be able to change the value of privilege_transfer_mode. See GRANT page for more information.

  • Refer to the Permission Matrix for the required permission.

Example

The SHOW GRANTS command displays the privileges assigned to the current user.

SHOW GRANTS;
+---------------------------------------------------------------------+
| Grants for root@%                                                   |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'                           |
+---------------------------------------------------------------------+

+---------------------------------------------------------------------+
| Grants for user1@%                                                  |
+---------------------------------------------------------------------+
| GRANT SELECT, INSERT ON `mydb`.* TO 'user1'@' [WITH GRANT OPTION]   |
| GRANT TRANSFERABLE SELECT, INSERT ON `mydb`.* TO 'user1'@'%'     |
+---------------------------------------------------------------------+

The SHOW GRANTS FOR command displays the privileges assigned to the specified user.

SHOW GRANTS FOR user1;
+---------------------------------------------------------------------+
| Grants for user1@%                                                  |
+---------------------------------------------------------------------+
| GRANT SELECT, INSERT ON `mydb`.* TO 'user1'@' [WITH GRANT OPTION]   |
| GRANT TRANSFERABLE SELECT, INSERT ON `mydb`.* TO 'user1'@'%'     |
+---------------------------------------------------------------------+

Users with SUPER or ALTER USER privilege can see the hashed password using the command SHOW GRANTS FOR <user>.

SHOW GRANTS FOR user1;
+--------------------------------------------------------------------------------------------------------------+
| Grants for user1@%                                                                                           |
+--------------------------------------------------------------------------------------------------------------+
| GRANT SHOW METADATA ON *.* TO 'user1'@'%' IDENTIFIED BY PASSWORD '*785FBD495FC22B3620EB1572D2504C03B1278554' |
+--------------------------------------------------------------------------------------------------------------+

Users without SUPER or ALTER USER privilege will not be able to see the hashed password.

SHOW GRANTS FOR user1;
+---------------------------------------------------------------------------+
| Grants for user1@%                                                        |
+---------------------------------------------------------------------------+
| GRANT SHOW METADATA ON *.* TO 'user1'@'%' IDENTIFIED BY PASSWORD <secret> |
+---------------------------------------------------------------------------+

The SHOW GRANTS FOR ROLE command displays the grants assigned to the role specified in the query. The following query displays the grants assigned to the role rw.

SHOW GRANTS FOR ROLE 'rw';
+---------------------------------------------------------------------------------+
| Grants for role rw                                                              |
+---------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO ROLE 'rw'                                                 |
| GRANT TRANSFERABLE SELECT, INSERT, UPDATE ON `trades`.`company` TO ROLE 'rw' |
+---------------------------------------------------------------------------------+

Last modified: March 7, 2025

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK