Bug #21807286: "CREATE USER IF NOT EXISTS" REPORTS AN ERROR

CREATE|ALTER IF [NOT] EXISTS ... IDENTIFIED BY ... was failing
if the user existed(not existed for alter) and raw error log was
off due to considerations of wrong binlogging in that case.

Converted this to a warning (regardless of the raw log option)
because this is how it operates without the IDENTIFIED BY option.
Logging IDENTIFIED BY is safe, since it's converted on the fly to
IDENTIFIED WITH (hence is not revealing the password).

Also made sure that the warning for a user is not counted towards
the number of users successfully processed by CREATE USER.

Also made sure that the IDENTIFIED clauses are handled properly
when binlogged.

Added test case and updated the existing tests to cover the change.

Now logging of all user operations involving credentials that
are a no-op on the master is inhibited.

Author: gkodinov

mysql-test/r/user_if_exists.result

@@ -205,16 +205,20 @@ password_expired	N
 password_lifetime	NULL
 CREATE USER IF NOT EXISTS user1@localhost
 IDENTIFIED WITH 'mysql_native_password' BY 'auth_string#%y';
-ERROR HY000: Operation CREATE USER failed for 'user1'@'localhost'
+Warnings:
+Note	3163	User 'user1'@'localhost' already exists.
 CREATE USER IF NOT EXISTS ne_user1@localhost,user1@localhost
 IDENTIFIED WITH 'mysql_native_password' BY 'auth_string';
-ERROR HY000: Operation CREATE USER failed for 'user1'@'localhost'
+Warnings:
+Note	3163	User 'user1'@'localhost' already exists.
 ALTER USER IF EXISTS ne_user2@localhost
 IDENTIFIED WITH 'mysql_native_password' BY 'auth_string#%y';
-ERROR HY000: Operation ALTER USER failed for 'ne_user2'@'localhost'
+Warnings:
+Note	3162	User 'ne_user2'@'localhost' does not exist.
 ALTER USER IF EXISTS user1@localhost,ne_user3@localhost
 IDENTIFIED WITH 'mysql_native_password' BY 'auth_string#%y';
-ERROR HY000: Operation ALTER USER failed for 'ne_user3'@'localhost'
+Warnings:
+Note	3162	User 'ne_user3'@'localhost' does not exist.
 DROP USER IF EXISTS user1@localhost,user2@localhost,ne_user1@localhost,
 ne_user2@localhost,ne_user3@localhost;
 Warnings:
@@ -249,3 +253,17 @@ ne_user2@localhost,ne_user3@localhost;
 Warnings:
 Note	3162	User 'ne_user2'@'localhost' does not exist.
 Note	3162	User 'ne_user3'@'localhost' does not exist.
+#
+# Bug #21807286: "CREATE USER IF NOT EXISTS" REPORTS AN ERROR
+#
+CREATE USER IF NOT EXISTS b21807286@localhost IDENTIFIED BY 'xyz';
+# Must not fail but return a warning
+CREATE USER IF NOT EXISTS b21807286@localhost IDENTIFIED BY 'xyz';
+Warnings:
+Note	3163	User 'b21807286'@'localhost' already exists.
+DROP USER b21807286@localhost;
+# Must not fail but return a warning
+ALTER USER IF EXISTS b21807286@localhost IDENTIFIED BY 'xyz';
+Warnings:
+Note	3162	User 'b21807286'@'localhost' does not exist.
+# End of 5.7 tests

mysql-test/suite/binlog/r/binlog_user_if_exists.result

@@ -16,15 +16,30 @@ Note	3163	User 'u1'@'localhost' already exists.
 ALTER USER IF EXISTS u1@localhost ACCOUNT LOCK;
 DROP USER u1@localhost;
 DROP USER IF EXISTS u2@localhost;
+#
+# Bug #21807286: "CREATE USER IF NOT EXISTS" REPORTS AN ERROR
+#
+CREATE USER IF NOT EXISTS b21807286@localhost IDENTIFIED BY 'haha';
+CREATE USER IF NOT EXISTS b21807286@localhost IDENTIFIED BY 'haha2';
+Warnings:
+Note	3163	User 'b21807286'@'localhost' already exists.
+ALTER USER IF EXISTS b21807286@localhost IDENTIFIED BY 'haha3';
+ALTER USER IF EXISTS b21807286_not_exists@localhost IDENTIFIED BY 'haha4';
+Warnings:
+Note	3162	User 'b21807286_not_exists'@'localhost' does not exist.
+DROP USER b21807286@localhost;
 include/sync_slave_sql_with_master.inc
 [On Slave]
 include/show_binlog_events.inc
 Log_name	Pos	Event_type	Server_id	End_log_pos	Info
 slave-bin.000001	#	Query	#	#	use `test`; CREATE USER 'u1'@'localhost' IDENTIFIED WITH 'mysql_native_password'
-slave-bin.000001	#	Query	#	#	use `test`; CREATE USER IF NOT EXISTS 'u1'@'localhost' IDENTIFIED WITH 'mysql_native_password','u2'@'localhost' IDENTIFIED WITH 'mysql_native_password'
+slave-bin.000001	#	Query	#	#	use `test`; CREATE USER IF NOT EXISTS 'u2'@'localhost' IDENTIFIED WITH 'mysql_native_password'
 slave-bin.000001	#	Query	#	#	use `test`; ALTER USER IF EXISTS 'u1'@'localhost' ACCOUNT LOCK
 slave-bin.000001	#	Query	#	#	use `test`; DROP USER u1@localhost
 slave-bin.000001	#	Query	#	#	use `test`; DROP USER IF EXISTS u2@localhost
+slave-bin.000001	#	Query	#	#	use `test`; CREATE USER IF NOT EXISTS 'b21807286'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*85D0F19E5598AC04AC7B3FCF5383247D28FB59EF'
+slave-bin.000001	#	Query	#	#	use `test`; ALTER USER IF EXISTS 'b21807286'@'localhost' IDENTIFIED WITH 'mysql_native_password' AS '*7B8BEAA4240FE1A214BFAEDD99FB3842E4234E5E'
+slave-bin.000001	#	Query	#	#	use `test`; DROP USER b21807286@localhost
 include/rpl_end.inc
 
 End of 5.7 tests!

mysql-test/suite/binlog/t/binlog_user_if_exists.test

@@ -16,6 +16,18 @@ ALTER USER IF EXISTS u1@localhost ACCOUNT LOCK;
 DROP USER u1@localhost;
 DROP USER IF EXISTS u2@localhost;
 
+--echo #
+--echo # Bug #21807286: "CREATE USER IF NOT EXISTS" REPORTS AN ERROR
+--echo #
+
+
+CREATE USER IF NOT EXISTS b21807286@localhost IDENTIFIED BY 'haha';
+CREATE USER IF NOT EXISTS b21807286@localhost IDENTIFIED BY 'haha2';
+ALTER USER IF EXISTS b21807286@localhost IDENTIFIED BY 'haha3';
+ALTER USER IF EXISTS b21807286_not_exists@localhost IDENTIFIED BY 'haha4';
+DROP USER b21807286@localhost;
+
+
 --source include/sync_slave_sql_with_master.inc
 --echo [On Slave]
 --source include/show_binlog_events.inc

mysql-test/t/user_if_exists.test

@@ -116,24 +116,18 @@ IDENTIFIED WITH 'mysql_native_password'
 query_vertical SELECT User,plugin,authentication_string,ssl_type,
 password_expired,password_lifetime FROM mysql.user WHERE USER='user2';
 
-# CREATE USER IF NOT EXISTS statements with plain-text passwords will
-# trigger an error if the user does exist and --log-raw=OFF.
---error ER_CANNOT_USER
+# CREATE USER IF NOT EXISTS statements with plain-text passwords will work
 CREATE USER IF NOT EXISTS user1@localhost
             IDENTIFIED WITH 'mysql_native_password' BY 'auth_string#%y';
 
---error ER_CANNOT_USER
-# Operation CREATE USER failed for 'user3'@'localhost'
+# Operation CREATE USER works but triggers a warning
 CREATE USER IF NOT EXISTS ne_user1@localhost,user1@localhost
             IDENTIFIED WITH 'mysql_native_password' BY 'auth_string';
 
-# ALTER USER IF EXISTS statements with plain-text passwords will trigger
-# an error if the user does not exist and --log-raw=OFF
---error ER_CANNOT_USER
+# Operation ALTER USER works with a password too
 ALTER USER IF EXISTS ne_user2@localhost
             IDENTIFIED WITH 'mysql_native_password' BY 'auth_string#%y';
---error ER_CANNOT_USER
-# Operation ALTER USER failed for 'ne_user3'@'localhost'
+# Operation ALTER USER works with a password too
 ALTER USER IF EXISTS user1@localhost,ne_user3@localhost
             IDENTIFIED WITH 'mysql_native_password' BY 'auth_string#%y';
 
@@ -191,3 +185,16 @@ ALTER USER IF EXISTS user1@localhost,ne_user3@localhost
 DROP USER IF EXISTS user1@localhost,user2@localhost,ne_user1@localhost,
                     ne_user2@localhost,ne_user3@localhost;
 
+--echo #
+--echo # Bug #21807286: "CREATE USER IF NOT EXISTS" REPORTS AN ERROR
+--echo #
+
+CREATE USER IF NOT EXISTS b21807286@localhost IDENTIFIED BY 'xyz';
+--echo # Must not fail but return a warning
+CREATE USER IF NOT EXISTS b21807286@localhost IDENTIFIED BY 'xyz';
+DROP USER b21807286@localhost;
+--echo # Must not fail but return a warning
+ALTER USER IF EXISTS b21807286@localhost IDENTIFIED BY 'xyz';
+
+
+--echo # End of 5.7 tests

sql/auth/auth_common.h

@@ -1,7 +1,7 @@
 #ifndef AUTH_COMMON_INCLUDED
 #define AUTH_COMMON_INCLUDED
 
-/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -21,6 +21,7 @@
 #include "sql_string.h"                         /* String */
 #include "table.h"                              /* TABLE_LIST */
 #include "field.h"
+#include <set>
 
 /* Forward Declarations */
 class LEX_COLUMN;
@@ -549,7 +550,8 @@ bool acl_check_host(const char *host, const char *ip);
 #define ACCOUNT_LOCK_ATTR       (1L << 6)    /* update account lock status */
 
 /* rewrite CREATE/ALTER/GRANT user */
-void mysql_rewrite_create_alter_user(THD *thd, String *rlb);
+void mysql_rewrite_create_alter_user(THD *thd, String *rlb,
+                                     std::set<LEX_USER *> *users_not_to_log= NULL);
 void mysql_rewrite_grant(THD *thd, String *rlb);
 
 /* sql_user */

sql/auth/sql_user.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; version 2 of the License.
@@ -1243,6 +1243,7 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool if_not_exists)
   ulong what_to_update= 0;
   bool is_anonymous_user= false;
   bool rollback_whole_statement= false;
+  std::set<LEX_USER *> users_not_to_log;
   DBUG_ENTER("mysql_create_user");
 
   /*
@@ -1307,16 +1308,20 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool if_not_exists)
         result= true;
         break;
       }
-      else if (if_not_exists &&
-               (opt_general_log_raw
-               || !user_name->uses_identified_by_clause))
+      else if (if_not_exists)
       {
         String warn_user;
         append_user(thd, &warn_user, user_name, FALSE, FALSE);
         push_warning_printf(thd, Sql_condition::SL_NOTE,
                             ER_USER_ALREADY_EXISTS,
                             ER_THD(thd, ER_USER_ALREADY_EXISTS),
                             warn_user.c_ptr_safe());
+        try
+        {
+          users_not_to_log.insert(tmp_user_name);
+        }
+        catch (...) {}
+        continue;
       }
      else
       {
@@ -1340,11 +1345,12 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool if_not_exists)
       my_error(ER_CANNOT_USER, MYF(0), "CREATE USER", wrong_users.c_ptr_safe());
   }
 
-  if (some_users_created || if_not_exists)
+  if (some_users_created ||
+      (if_not_exists && users_not_to_log.size() < list.elements))
   {
     String *rlb= &thd->rewritten_query;
     rlb->mem_free();
-    mysql_rewrite_create_alter_user(thd, rlb);
+    mysql_rewrite_create_alter_user(thd, rlb, &users_not_to_log);
 
     if (!thd->rewritten_query.length())
       result|= write_bin_log(thd, false, thd->query().str, thd->query().length,
@@ -1647,6 +1653,7 @@ bool mysql_alter_user(THD *thd, List <LEX_USER> &list, bool if_exists)
   bool save_binlog_row_based;
   bool is_privileged_user= false;
   bool rollback_whole_statement= false;
+  std::set<LEX_USER *> users_not_to_log;
 
   DBUG_ENTER("mysql_alter_user");
 
@@ -1715,15 +1722,19 @@ bool mysql_alter_user(THD *thd, List <LEX_USER> &list, bool if_exists)
     if (!(acl_user= find_acl_user(user_from->host.str,
                                    user_from->user.str, TRUE)))
     {
-      if (if_exists && (opt_general_log_raw
-          || !user_from->uses_identified_by_clause))
+      if (if_exists)
       {
         String warn_user;
         append_user(thd, &warn_user, user_from, FALSE, FALSE);
         push_warning_printf(thd, Sql_condition::SL_NOTE,
           ER_USER_DOES_NOT_EXIST,
           ER_THD(thd, ER_USER_DOES_NOT_EXIST),
           warn_user.c_ptr_safe());
+        try
+        {
+          users_not_to_log.insert(tmp_user_from);
+        }
+        catch (...) {}
       }
       else
       {
@@ -1799,12 +1810,13 @@ bool mysql_alter_user(THD *thd, List <LEX_USER> &list, bool if_exists)
       my_error(ER_CANNOT_USER, MYF(0), "ALTER USER", wrong_users.c_ptr_safe());
   }
 
-  if (some_user_altered || if_exists)
+  if (some_user_altered ||
+      (if_exists && users_not_to_log.size() < list.elements))
   {
     /* do query rewrite for ALTER USER */
     String *rlb= &thd->rewritten_query;
     rlb->mem_free();
-    mysql_rewrite_create_alter_user(thd, rlb);
+    mysql_rewrite_create_alter_user(thd, rlb, &users_not_to_log);
 
     result|= (write_bin_log(thd, false,
                             thd->rewritten_query.c_ptr_safe(),

sql/sql_rewrite.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
@@ -344,7 +344,8 @@ static void mysql_rewrite_set(THD *thd, String *rlb)
   @param rlb      An empty String object to put the rewritten query in.
 */
 
-void mysql_rewrite_create_alter_user(THD *thd, String *rlb)
+void mysql_rewrite_create_alter_user(THD *thd, String *rlb,
+                                     std::set<LEX_USER *> *users_not_to_log)
 {
   LEX                      *lex= thd->lex;
   LEX_USER                 *user_name, *tmp_user_name;
@@ -366,6 +367,9 @@ void mysql_rewrite_create_alter_user(THD *thd, String *rlb)
 
   while ((tmp_user_name= user_list++))
   {
+    if (users_not_to_log &&
+        users_not_to_log->find(tmp_user_name) != users_not_to_log->end())
+      continue;
     if ((user_name= get_current_user(thd, tmp_user_name)))
     {
       if (opt_log_builtin_as_identified_by_password &&