A typical db host should have these GRANTs:
```lang=sql
Grants for wikiadmin@10.%
GRANT PROCESS, REPLICATION CLIENT ON *.* TO `wikiadmin`@`10.%` IDENTIFIED BY PASSWORD '*redacted'
GRANT SELECT, EXECUTE ON `sys`.* TO `wikiadmin`@`10.%`
GRANT SELECT ON `performance_schema`.* TO `wikiadmin`@`10.%`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%wik%`.* TO `wikiadmin`@`10.%`
GRANT SELECT ON `heartbeat`.`heartbeat` TO `wikiadmin`@`10.%`
Grants for wikiadmin@localhost
GRANT PROCESS, REPLICATION CLIENT ON *.* TO `wikiadmin`@`localhost` IDENTIFIED BY PASSWORD '*redacted'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%wik%`.* TO `wikiadmin`@`localhost`
```
I wrote a script to analyze grants and here are the results of analyzing 210 dbs:
== General issues ==
**DB unavaiable**
No further check was done on this db
[] db1139.eqiad.wmnet:3311 (s1)
[] db1124.eqiad.wmnet:3306 (s4)None!
----
**10.% user missing**
No further check was done on this grants of 10.% user in these dbs
[] db1140.eqiad.wmnet:3311 (s1)
[] db1139.eqiad.wmnet:3311 (s1)
[] db1133.eqiad.wmnet:3306 (s1)
[] db1128.eqiad.wmnet:3306 (s1)
[] db1125.eqiad.wmnet:3306 (s4)
[] db1124.eqiad.wmnet:3306 (s4)
[] db1177.eqiad.wmnet:3306 (s8)
[] db1111.eqiad.wmnet:3306 (s8)
----
**localhost user missing**
No further check was done on this grants of localhost user in these dbs
[] db1163.eqiad.wmnet:3306 (s1)
[] db1105.eqiad.wmnet:3311 (s1)
[] db1102.eqiad.wmnet:3312 (s2)
[] db2101.codfw.wmnet:3315 (s5)
----
==Localhost==
**appserver grant missing**
[] db1100.eqiad.wmnet:3306 (s5)
----
**replication grant missing**
None!
----
**Extra grant #1**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%wik%`.* TO `wikiadmin`@`localhost````
[] db1100.eqiad.wmnet:3306 (s5)
----
**Extra grant #2**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE ON `centralauth`.* TO `wikiadmin`@`localhost````
[] db2141.codfw.wmnet:3316 (s6)
[] db2129.codfw.wmnet:3306 (s6)
[] db2124.codfw.wmnet:3306 (s6)
[] db2117.codfw.wmnet:3306 (s6)
[] db2114.codfw.wmnet:3306 (s6)
[] db2089.codfw.wmnet:3316 (s6)
[] db2087.codfw.wmnet:3316 (s6)
[] db2076.codfw.wmnet:3306 (s6)
[] db1180.eqiad.wmnet:3306 (s6)
[] db1173.eqiad.wmnet:3306 (s6)
[] db1168.eqiad.wmnet:3306 (s6)
[] db1165.eqiad.wmnet:3306 (s6)
[] db1140.eqiad.wmnet:3316 (s6)
[] db1131.eqiad.wmnet:3306 (s6)
[] db1113.eqiad.wmnet:3316 (s6)
[] db1098.eqiad.wmnet:3316 (s6)
[] db1096.eqiad.wmnet:3316 (s6)
----
**Extra grant #3**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE ON `webshop`.* TO `wikiadmin`@`localhost````
[] db2141.codfw.wmnet:3316 (s6)
[] db2129.codfw.wmnet:3306 (s6)
[] db2124.codfw.wmnet:3306 (s6)
[] db2117.codfw.wmnet:3306 (s6)
[] db2114.codfw.wmnet:3306 (s6)
[] db2089.codfw.wmnet:3316 (s6)
[] db2087.codfw.wmnet:3316 (s6)
[] db2076.codfw.wmnet:3306 (s6)
[] db1180.eqiad.wmnet:3306 (s6)
[] db1173.eqiad.wmnet:3306 (s6)
[] db1168.eqiad.wmnet:3306 (s6)
[] db1165.eqiad.wmnet:3306 (s6)
[] db1140.eqiad.wmnet:3316 (s6)
[] db1131.eqiad.wmnet:3306 (s6)
[] db1113.eqiad.wmnet:3316 (s6)
[] db1098.eqiad.wmnet:3316 (s6)
[] db1096.eqiad.wmnet:3316 (s6)
----
**Extra grant #4**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE ROUTINE, ALTER ROUTINE ON `boardvote%`.* TO `wikiadmin`@`localhost````
[] db2141.codfw.wmnet:3316 (s6)
[] db2129.codfw.wmnet:3306 (s6)
[] db2124.codfw.wmnet:3306 (s6)
[] db2117.codfw.wmnet:3306 (s6)
[] db2114.codfw.wmnet:3306 (s6)
[] db2089.codfw.wmnet:3316 (s6)
[] db2087.codfw.wmnet:3316 (s6)
[] db2076.codfw.wmnet:3306 (s6)
[] db1180.eqiad.wmnet:3306 (s6)
[] db1173.eqiad.wmnet:3306 (s6)
[] db1168.eqiad.wmnet:3306 (s6)
[] db1165.eqiad.wmnet:3306 (s6)
[] db1140.eqiad.wmnet:3316 (s6)
[] db1131.eqiad.wmnet:3306 (s6)
[] db1113.eqiad.wmnet:3316 (s6)
[] db1098.eqiad.wmnet:3316 (s6)
[] db1096.eqiad.wmnet:3316 (s6)
----
**Extra grant #5**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `centralauth`.* TO `wikiadmin`@`localhost````
[] db2150.codfw.wmnet:3306 (s7)
[] db2122.codfw.wmnet:3306 (s7)
[] db2121.codfw.wmnet:3306 (s7)
[] db2120.codfw.wmnet:3306 (s7)
[] db2118.codfw.wmnet:3306 (s7)
[] db2108.codfw.wmnet:3306 (s7)
[] db2098.codfw.wmnet:3317 (s7)
[] db2087.codfw.wmnet:3317 (s7)
[] db2086.codfw.wmnet:3317 (s7)
[] db2077.codfw.wmnet:3306 (s7)
[] db1181.eqiad.wmnet:3306 (s7)
[] db1174.eqiad.wmnet:3306 (s7)
[] db1171.eqiad.wmnet:3317 (s7)
[] db1170.eqiad.wmnet:3317 (s7)
[] db1158.eqiad.wmnet:3306 (s7)
[] db1136.eqiad.wmnet:3306 (s7)
[] db1127.eqiad.wmnet:3306 (s7)
[] db1101.eqiad.wmnet:3317 (s7)
[] db1098.eqiad.wmnet:3317 (s7)
----
==10.%==
**appserver grant missing**
[] db1100.eqiad.wmnet:3306 (s5)
----
**replication grant missing**
None!
----
**sys grant missing**
None!
----
**heartbeat grant missing**
[] db1105.eqiad.wmnet:3311 (s1)
----
**performance_schema grant missing**
None!
----
**Extra grant #1**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `centralauth ON `heartbeat`.* TO `wikiadmin`@`10.%````
[] db116305.eqiad.wmnet:330611 (s1)
----
**Extra grant #2**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, [] db1156.eqiad.wmnet:3306 (s2)TRIGGER ON `%wik%`.* TO `wikiadmin`@`10.%````
[] db11020.eqiad.wmnet:3312 (s2)06 (s5)
----
**Extra grant #3**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `centralauth`.* TO `wikiadmin`@`10.%````
[] db2150.codfw.wmnet:3306 (s7)
[] db2122.codfw.wmnet:3306 (s7)
[] db2121.codfw.wmnet:3306 (s7)
[] db2120.codfw.wmnet:3306 (s7)
[] db2118.codfw.wmnet:3306 (s7)
[] db2108.codfw.wmnet:3306 (s7)
[] db2098.codfw.wmnet:3317 (s7)
[] db2087.codfw.wmnet:3317 (s7)
[] db2086.codfw.wmnet:3317 (s7)
[] db2077.codfw.wmnet:3306 (s7)
[] db1181.eqiad.wmnet:3306 (s7)
[] db1174.eqiad.wmnet:3306 (s7)
[] db1171.eqiad.wmnet:3317 (s7)
[] db1170.eqiad.wmnet:3317 (s7)
[] db1158.eqiad.wmnet:3306 (s7)
[] db1136.eqiad.wmnet:3306 (s7)
[] db1127.eqiad.wmnet:3306 (s7)
[] db1101.eqiad.wmnet:3317 (s7)
[] db1098.eqiad.wmnet:3317 (s7)
----
**Extra grant #2**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `flowdb`.* TO `wikiadmin`@`10.%````
[] db1105.eqiad.wmnet:3311 (s1)
----
**Extra grant #3**
The extra grant:
```lang=mysql
GRANT SELECT ON `heartbeat`.* TO `wikiadmin`@`10.%````
[] db1105.eqiad.wmnet:3311 (s1)
----
**Extra grant #4**
The extra grant:
```lang=mysql
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `%wik%`.* TO `wikiadmin`@`10.%````
[] db1100.eqiad.wmnet:3306 (s5)