A typical db host should have these GRANTs:
```lang=sql
Grants for wikiadmin@10.%
GRANT PROCESS, REPLICATION CLIENT ON *.* TO `wikiadmin`@`10.%` IDENTIFIED BY PASSWORD '*redacted'
GRANT SELECT, EXECUTE ON `sys`.* TO `wikiadmin`@`10.%`
GRANT SELECT ON `performance_schema`.* TO `wikiadmin`@`10.%`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%wik%`.* TO `wikiadmin`@`10.%`
GRANT SELECT ON `heartbeat`.`heartbeat` TO `wikiadmin`@`10.%`
Grants for wikiadmin@localhost
GRANT PROCESS, REPLICATION CLIENT ON *.* TO `wikiadmin`@`localhost` IDENTIFIED BY PASSWORD '*redacted'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%wik%`.* TO `wikiadmin`@`localhost`
```
I wrote a script to analyze grants and here are the results of analyzing 210 dbs:
== General issues ==
**DB unavaiable**
No further check was done on this db
[] db1139.eqiad.wmnet:3311 (s1)
[] db1124.eqiad.wmnet:3306 (s4)
----
**10.% user missing**
No further check was done on this grants of 10.% user in these dbs
[] db1140.eqiad.wmnet:3311 (s1)
[] db1133.eqiad.wmnet:3306 (s1)
[] db1125.eqiad.wmnet:3306 (s4)
[] db1177.eqiad.wmnet:3306 (s8)
[] db1111.eqiad.wmnet:3306 (s8)
----
**localhost user missing**
No further check was done on this grants of localhost user in these dbs
[] db1163.eqiad.wmnet:3306 (s1)
[] db1105.eqiad.wmnet:3311 (s1)
[] db1102.eqiad.wmnet:3312 (s2)
[] db2101.codfw.wmnet:3315 (s5)
----
==Localhost==
**appserver grant missing**
[] db2095.codfw.wmnet:3312 (s2)
[] db2095.codfw.wmnet:3314 (s4)
[x] db1100.eqiad.wmnet:3306 (s5)
[] db2095.codfw.wmnet:3316 (s6)
[] clouddb1021.eqiad.wmnet:3316 (s6)
[] clouddb1019.eqiad.wmnet:3316 (s6)
[] clouddb1015.eqiad.wmnet:3316 (s6)
[] db2095.codfw.wmnet:3317 (s7)
[] clouddb1021.eqiad.wmnet:3317 (s7)
[] clouddb1018.eqiad.wmnet:3317 (s7)
[] clouddb1014.eqiad.wmnet:3317 (s7)
----
**replication grant missing**
None!
----
**Extra grant #1**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%wik%`.* TO `wikiadmin`@`localhost````
[x] db1100.eqiad.wmnet:3306 (s5)
Expected {T249683}
----
**Extra grant #2**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE ON `centralauth`.* TO `wikiadmin`@`localhost````
[] dbstore1005.eqiad.wmnet:3316 (s6)
[] db2141.codfw.wmnet:3316 (s6)
[] db2129.codfw.wmnet:3306 (s6)
[] db2124.codfw.wmnet:3306 (s6)
[] db2117.codfw.wmnet:3306 (s6)
[] db2114.codfw.wmnet:3306 (s6)
[] db2089.codfw.wmnet:3316 (s6)
[] db2087.codfw.wmnet:3316 (s6)
[] db2076.codfw.wmnet:3306 (s6)
[] db1180.eqiad.wmnet:3306 (s6)
[] db1173.eqiad.wmnet:3306 (s6)
[] db1168.eqiad.wmnet:3306 (s6)
[] db1165.eqiad.wmnet:3306 (s6)
[] db1155.eqiad.wmnet:3316 (s6)
[] db1140.eqiad.wmnet:3316 (s6)
[] db1131.eqiad.wmnet:3306 (s6)
[] db1113.eqiad.wmnet:3316 (s6)
[] db1098.eqiad.wmnet:3316 (s6)
[] db1096.eqiad.wmnet:3316 (s6)
----
**Extra grant #3**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE ON `webshop`.* TO `wikiadmin`@`localhost````
[] dbstore1005.eqiad.wmnet:3316 (s6)
[] db2141.codfw.wmnet:3316 (s6)
[] db2129.codfw.wmnet:3306 (s6)
[] db2124.codfw.wmnet:3306 (s6)
[] db2117.codfw.wmnet:3306 (s6)
[] db2114.codfw.wmnet:3306 (s6)
[] db2089.codfw.wmnet:3316 (s6)
[] db2087.codfw.wmnet:3316 (s6)
[] db2076.codfw.wmnet:3306 (s6)
[] db1180.eqiad.wmnet:3306 (s6)
[] db1173.eqiad.wmnet:3306 (s6)
[] db1168.eqiad.wmnet:3306 (s6)
[] db1165.eqiad.wmnet:3306 (s6)
[] db1155.eqiad.wmnet:3316 (s6)
[] db1140.eqiad.wmnet:3316 (s6)
[] db1131.eqiad.wmnet:3306 (s6)
[] db1113.eqiad.wmnet:3316 (s6)
[] db1098.eqiad.wmnet:3316 (s6)
[] db1096.eqiad.wmnet:3316 (s6)
----
**Extra grant #4**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE ON `boardvote%`.* TO `wikiadmin`@`localhost````
[] dbstore1005.eqiad.wmnet:3316 (s6)
[] db2141.codfw.wmnet:3316 (s6)
[] db2129.codfw.wmnet:3306 (s6)
[] db2124.codfw.wmnet:3306 (s6)
[] db2117.codfw.wmnet:3306 (s6)
[] db2114.codfw.wmnet:3306 (s6)
[] db2089.codfw.wmnet:3316 (s6)
[] db2087.codfw.wmnet:3316 (s6)
[] db2076.codfw.wmnet:3306 (s6)
[] db1180.eqiad.wmnet:3306 (s6)
[] db1173.eqiad.wmnet:3306 (s6)
[] db1168.eqiad.wmnet:3306 (s6)
[] db1165.eqiad.wmnet:3306 (s6)
[] db1155.eqiad.wmnet:3316 (s6)
[] db1140.eqiad.wmnet:3316 (s6)
[] db1131.eqiad.wmnet:3306 (s6)
[] db1113.eqiad.wmnet:3316 (s6)
[] db1098.eqiad.wmnet:3316 (s6)
[] db1096.eqiad.wmnet:3316 (s6)
----
**Extra grant #5**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `centralauth`.* TO `wikiadmin`@`localhost````
[] dbstore1003.eqiad.wmnet:3317 (s7)
[] db2150.codfw.wmnet:3306 (s7)
[] db2122.codfw.wmnet:3306 (s7)
[] db2121.codfw.wmnet:3306 (s7)
[] db2120.codfw.wmnet:3306 (s7)
[] db2118.codfw.wmnet:3306 (s7)
[] db2108.codfw.wmnet:3306 (s7)
[] db2098.codfw.wmnet:3317 (s7)
[] db2087.codfw.wmnet:3317 (s7)
[] db2086.codfw.wmnet:3317 (s7)
[] db2077.codfw.wmnet:3306 (s7)
[] db1181.eqiad.wmnet:3306 (s7)
[] db1174.eqiad.wmnet:3306 (s7)
[] db1171.eqiad.wmnet:3317 (s7)
[] db1170.eqiad.wmnet:3317 (s7)
[] db1158.eqiad.wmnet:3306 (s7)
[] db1155.eqiad.wmnet:3317 (s7)
[] db1136.eqiad.wmnet:3306 (s7)
[] db1127.eqiad.wmnet:3306 (s7)
[] db1101.eqiad.wmnet:3317 (s7)
[] db1098.eqiad.wmnet:3317 (s7)
----
==10.%==
**appserver grant missing**
[] db2095.codfw.wmnet:3312 (s2)
[] db2095.codfw.wmnet:3314 (s4)
[x] db1100.eqiad.wmnet:3306 (s5)
[] clouddb1021.eqiad.wmnet:3316 (s6)
[] clouddb1019.eqiad.wmnet:3316 (s6)
[] clouddb1015.eqiad.wmnet:3316 (s6)
[] db2095.codfw.wmnet:3317 (s7)
[] clouddb1021.eqiad.wmnet:3317 (s7)
[] clouddb1018.eqiad.wmnet:3317 (s7)
[] clouddb1014.eqiad.wmnet:3317 (s7)
----
**replication grant missing**
[] clouddb1021.eqiad.wmnet:3311 (s1)
[] clouddb1013.eqiad.wmnet:3311 (s1)
----
**sys grant missing**
[] db2094.codfw.wmnet:3311 (s1)
[] db1154.eqiad.wmnet:3311 (s1)
[] clouddb1021.eqiad.wmnet:3311 (s1)
[] clouddb1017.eqiad.wmnet:3311 (s1)
[] clouddb1013.eqiad.wmnet:3311 (s1)
[] db2095.codfw.wmnet:3312 (s2)
[] db1155.eqiad.wmnet:3312 (s2)
[] clouddb1021.eqiad.wmnet:3312 (s2)
[] clouddb1018.eqiad.wmnet:3312 (s2)
[] clouddb1014.eqiad.wmnet:3312 (s2)
[] db2094.codfw.wmnet:3313 (s3)
[] db1154.eqiad.wmnet:3313 (s3)
[] clouddb1021.eqiad.wmnet:3313 (s3)
[] clouddb1017.eqiad.wmnet:3313 (s3)
[] clouddb1013.eqiad.wmnet:3313 (s3)
[] db2095.codfw.wmnet:3314 (s4)
[] db1155.eqiad.wmnet:3314 (s4)
[] clouddb1021.eqiad.wmnet:3314 (s4)
[] clouddb1019.eqiad.wmnet:3314 (s4)
[] clouddb1015.eqiad.wmnet:3314 (s4)
[] db2094.codfw.wmnet:3315 (s5)
[] db1154.eqiad.wmnet:3315 (s5)
[] clouddb1021.eqiad.wmnet:3315 (s5)
[] clouddb1020.eqiad.wmnet:3315 (s5)
[] clouddb1016.eqiad.wmnet:3315 (s5)
[] db2095.codfw.wmnet:3316 (s6)
[] db1155.eqiad.wmnet:3316 (s6)
[] clouddb1021.eqiad.wmnet:3316 (s6)
[] clouddb1019.eqiad.wmnet:3316 (s6)
[] clouddb1015.eqiad.wmnet:3316 (s6)
[] db2095.codfw.wmnet:3317 (s7)
[] db1155.eqiad.wmnet:3317 (s7)
[] clouddb1021.eqiad.wmnet:3317 (s7)
[] clouddb1018.eqiad.wmnet:3317 (s7)
[] clouddb1014.eqiad.wmnet:3317 (s7)
[] db1154.eqiad.wmnet:3318 (s8)
[] clouddb1021.eqiad.wmnet:3318 (s8)
[] clouddb1020.eqiad.wmnet:3318 (s8)
[] clouddb1016.eqiad.wmnet:3318 (s8)
----
**heartbeat grant missing**
[] db1105.eqiad.wmnet:3311 (s1)
[] db2095.codfw.wmnet:3312 (s2)
[] db2095.codfw.wmnet:3314 (s4)
[] db2095.codfw.wmnet:3316 (s6)
[] clouddb1021.eqiad.wmnet:3316 (s6)
[] clouddb1019.eqiad.wmnet:3316 (s6)
[] clouddb1015.eqiad.wmnet:3316 (s6)
[] db2095.codfw.wmnet:3317 (s7)
[] clouddb1021.eqiad.wmnet:3317 (s7)
[] clouddb1018.eqiad.wmnet:3317 (s7)
[] clouddb1014.eqiad.wmnet:3317 (s7)
----
**performance_schema grant missing**
[] db2094.codfw.wmnet:3311 (s1)
[] db1154.eqiad.wmnet:3311 (s1)
[] clouddb1021.eqiad.wmnet:3311 (s1)
[] clouddb1017.eqiad.wmnet:3311 (s1)
[] clouddb1013.eqiad.wmnet:3311 (s1)
[] db2095.codfw.wmnet:3312 (s2)
[] db1155.eqiad.wmnet:3312 (s2)
[] clouddb1021.eqiad.wmnet:3312 (s2)
[] clouddb1018.eqiad.wmnet:3312 (s2)
[] clouddb1014.eqiad.wmnet:3312 (s2)
[] db2094.codfw.wmnet:3313 (s3)
[] db1154.eqiad.wmnet:3313 (s3)
[] clouddb1021.eqiad.wmnet:3313 (s3)
[] clouddb1017.eqiad.wmnet:3313 (s3)
[] clouddb1013.eqiad.wmnet:3313 (s3)
[] db2095.codfw.wmnet:3314 (s4)
[] db1155.eqiad.wmnet:3314 (s4)
[] clouddb1021.eqiad.wmnet:3314 (s4)
[] clouddb1019.eqiad.wmnet:3314 (s4)
[] clouddb1015.eqiad.wmnet:3314 (s4)
[] db2094.codfw.wmnet:3315 (s5)
[] db1154.eqiad.wmnet:3315 (s5)
[] clouddb1021.eqiad.wmnet:3315 (s5)
[] clouddb1020.eqiad.wmnet:3315 (s5)
[] clouddb1016.eqiad.wmnet:3315 (s5)
[] db2095.codfw.wmnet:3316 (s6)
[] db1155.eqiad.wmnet:3316 (s6)
[] clouddb1021.eqiad.wmnet:3316 (s6)
[] clouddb1019.eqiad.wmnet:3316 (s6)
[] clouddb1015.eqiad.wmnet:3316 (s6)
[] db2095.codfw.wmnet:3317 (s7)
[] db1155.eqiad.wmnet:3317 (s7)
[] clouddb1021.eqiad.wmnet:3317 (s7)
[] clouddb1018.eqiad.wmnet:3317 (s7)
[] clouddb1014.eqiad.wmnet:3317 (s7)
[] db1154.eqiad.wmnet:3318 (s8)
[] clouddb1021.eqiad.wmnet:3318 (s8)
[] clouddb1020.eqiad.wmnet:3318 (s8)
[] clouddb1016.eqiad.wmnet:3318 (s8)
----
**Extra grant #1**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `centralauth`.* TO `wikiadmin`@`10.%````
[] db1163.eqiad.wmnet:3306 (s1)
[] db1156.eqiad.wmnet:3306 (s2)
[] db1102.eqiad.wmnet:3312 (s2)
[] dbstore1003.eqiad.wmnet:3317 (s7)
[] db2150.codfw.wmnet:3306 (s7)
[] db2122.codfw.wmnet:3306 (s7)
[] db2121.codfw.wmnet:3306 (s7)
[] db2120.codfw.wmnet:3306 (s7)
[] db2118.codfw.wmnet:3306 (s7)
[] db2108.codfw.wmnet:3306 (s7)
[] db2098.codfw.wmnet:3317 (s7)
[] db2087.codfw.wmnet:3317 (s7)
[] db2086.codfw.wmnet:3317 (s7)
[] db2077.codfw.wmnet:3306 (s7)
[] db1181.eqiad.wmnet:3306 (s7)
[] db1174.eqiad.wmnet:3306 (s7)
[] db1171.eqiad.wmnet:3317 (s7)
[] db1170.eqiad.wmnet:3317 (s7)
[] db1158.eqiad.wmnet:3306 (s7)
[] db1155.eqiad.wmnet:3317 (s7)
[] db1136.eqiad.wmnet:3306 (s7)
[] db1127.eqiad.wmnet:3306 (s7)
[] db1101.eqiad.wmnet:3317 (s7)
[] db1098.eqiad.wmnet:3317 (s7)
----
**Extra grant #2**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `flowdb`.* TO `wikiadmin`@`10.%````
[] db1105.eqiad.wmnet:3311 (s1)
----
**Extra grant #3**
The extra grant:
```lang=mysql
GRANT SELECT ON `heartbeat`.* TO `wikiadmin`@`10.%````
[] db1105.eqiad.wmnet:3311 (s1)
----
**Extra grant #4**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%wik%`.* TO `wikiadmin`@`10.%````
[x] db1100.eqiad.wmnet:3306 (s5)
Expected {T249683}