The check_access() function retrieves privileges like that

        db_access= acl_get(sctx->host, sctx->ip, sctx->priv_user, db,

                           db_is_pattern);

Note that it is using sctx->host and sctx->priv_user pair. This is wrong, they belong to different values — the first is the host part in the USER(), the second is the user part in CURRENT_USER().

See the following test case:

create user c@localhost;

create user c@'%';

grant select on mysql.* to c@'%';

connect (c,localhost,c,,,,,);

select user(), current_user();

select user from mysql.user group by user;

disconnect c;

connection default;

drop user c@'%';

drop user c@localhost;

Note that SELECT is allowed, while it is granted to c@%, and we're connected as c@localhost. Which suggests wildcard matching for the purpose of privilege checking. On the other hand, if the test case above is modified as

create user ''@localhost;

create user c@'%';

grant select on mysql.* to c@'%';

connect (c,localhost,c,,,,,);

select user(), current_user();

--error ER_TABLEACCESS_DENIED_ERROR

select user from mysql.user group by user;

disconnect c;

connection default;

drop user c@'%';

drop user ''@localhost;

then the SELECT will fail. De facto, wildcard matching works for host names, but not for user names. Which is inconsistent.

Note: if this is to be fixed, all privilege checks should be analyzed and probably changed, including the one for SET ROLE