Description:
MySQL proxy should have a way to restrict hosts which can connect, e.g. which user@host
can connect. Because currently it leads to situation when any host can connect using
particular account to database.

How to repeat:
see above

Partial workarounds for this:

1. Firewall. It shouldn't be possible to even see the server unless your host has
permission to access it. If it can be seen, denial of service attacks are possible even
without access rights.
2. Non-standard ports. So standard scripted attacks on default ports will fail.

Only once those methods have failed to protect the server do the individual user
connection and other access rights start to become significant. Not supporting them is a
significant problem for those who want good access control.

Until such time as the mysql server allows us to pass through originating host information
in any way (secure or not), there will always be a limitation that clients connecting
through the proxy will appear to be coming from whichever host the proxy is running on
(usually localhost), thus making it impossible to use grants that discriminate based on
hostname, network, etc. The same issue exists when connections come in via NAT'd subnets,
or via Linux HA virtual IPs, etc.

While we do want to add allow/deny type security to the proxy, there does become a point
of diminishing returns, addressed by and usable today by the workarounds James posted.