The check_access() function retrieves privileges like that
Note that it is using sctx->host and sctx->priv_user pair. This is wrong, they belong to different values — the first is the host part in the USER(), the second is the user part in CURRENT_USER().
See the following test case:
Note that SELECT is allowed, while it is granted to c@%, and we're connected as c@localhost. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as
then the SELECT will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.
Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for SET ROLE