[MDEV-20435] ALTER USER prints bad error message if specified user account does not exist Created: 2019-08-27  Updated: 2022-05-31

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.4.7
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Vicențiu Ciorbaru
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
PartOf
includes MDEV-20434 ALTER USER prints bad error message i... Open
Relates
relates to MDEV-20434 ALTER USER prints bad error message i... Open
relates to MDEV-22312 Bad error message for SET DEFAULT ROL... Closed

 Description   

GRANT prints a very nice error message if the specified user account does not exist and sql_mode has NO_AUTO_CREATE_USER set. In contrast, ALTER USER prints a generic error message, so the root cause can be difficult to determine in some cases.

GRANT:

MariaDB [(none)]> CREATE USER IF NOT EXISTS 'testuser'@'127.0.0.1' IDENTIFIED BY 'Pa$swd123';
 
Query OK, 0 rows affected (0.001 sec)
 
 
 
MariaDB [(none)]> GRANT SELECT ON *.* TO 'testuserr'@'127.0.0.1';
 
ERROR 1133 (28000): Can't find any matching row in the user table

ALTER USER:

MariaDB [(none)]> CREATE USER IF NOT EXISTS 'testuser'@'127.0.0.1' IDENTIFIED BY 'Pa$swd123';
 
Query OK, 0 rows affected (0.001 sec)
 
 
 
MariaDB [(none)]> ALTER USER 'testuserr'@'127.0.0.1' IDENTIFIED VIA ed25519 USING PASSWORD('Pa$swd123');
 
ERROR 1396 (HY000): Operation ALTER USER failed for 'testuserr'@'127.0.0.1'

I think that ALTER USER's error message should be similar to the one used by GRANT in this case.

 Comments   
Comment by Robert Bindar [ 2019-10-01 ]

serg can you please review https://github.com/MariaDB/server/commit/d87e079c4350ee0cdc8f80522b9c35c57c0c5928 ?

Comment by Sergei Golubchik [ 2020-04-23 ]

I think it went a bit off. See how wrong_users is used — there are lots of commands that accept a list of users. They all (but not GRANT) print something at the end. This doesn't work very well when many users are specified. Consider GRANT ROLE for example:

create user foo@bar;
 
create role role1;
 
error 1133;
 
GRANT role1 TO foo1@bar, foo@bar, foo2@bar;
 
show warnings;
 
show grants for foo@bar;
 
drop role role1;
 
drop user foo@bar;

The error and SHOW WARNINGS are:

GRANT role1 TO foo1@bar, foo@bar, foo2@bar;
 
ERROR 28000: Can't find any matching row in the user table
 
show warnings;
 
Level   Code    Message
 
Error   1133    Can't find any matching row in the user table
 
Error   1133    Can't find any matching row in the user table
 
Error   1961    Cannot grant role 'role1' to: 'foo1'@'bar','foo2'@'bar'

I'd think the error should've been 1961, and two 1133 should be in SHOW WARNINGS only.
On the other hand, when there's only one user specified, it's probably more user-friendly to report 1133 as an error and no 1961 at all.
Then the fix should cover all commands that accept many users, basically everything that uses grant_list rule in the parser. And the behavior for them all should be consistent: for one user only report the specific error, for many users do thd->clear_error() and report the generic error with the list.

GeoffMontee what do you think?

Comment by Geoff Montee (Inactive) [ 2020-04-23 ]

Hi serg,

Your suggestion sounds reasonable to me. Thanks!

Generated at Thu Feb 08 08:59:27 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.