Based on the query in the commit for
MXS-1716, PAM authenticators will only actually use PAM accounts that meet certain conditions.
PAM authenticators will use an account if:
- It uses the PAM plugin for authentication (plugin=pam in mysql.user).
- It has global SELECT privileges;
- Or it has some database-level privilege;
- Or it some table-level privilege.
This should probably be documented: