MySQL Bugs: #109415: CREATE USER IF NOT EXISTS adds a password history entry

Bug #109415	CREATE USER IF NOT EXISTS adds a password history entry
Submitted:	16 Dec 2022 20:17	Modified:	23 Feb 2023 22:12
Reporter:	Juan Arruti	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Server: Security: Privileges	Severity:	S3 (Non-critical)
Version:	8.0.31	OS:	Any
Assigned to:		CPU Architecture:	Any

Description:
The command adds a password history entry even when the user already exists and the password is not altered. A subsequent ALTER USER fails due to the password history policy.

How to repeat:
mysql [localhost:40019] {msandbox} ((none)) > select @@version ;
+-----------+
| @@version |
+-----------+
| 8.0.31    |
+-----------+
1 row in set (0.00 sec)

mysql [localhost:40019] {msandbox} ((none)) > select @@password_history ;
+--------------------+
| @@password_history |
+--------------------+
|                  5 |
+--------------------+
1 row in set (0.00 sec)

mysql [localhost:40019] {msandbox} ((none)) > CREATE USER IF NOT EXISTS 'test'@'%' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.01 sec)

mysql [localhost:40019] {msandbox} ((none)) > select * from mysql.password_history where user = 'test' ;
+------+------+----------------------------+------------------------------------------------------------------------+
| Host | User | Password_timestamp         | Password                                                               |
+------+------+----------------------------+------------------------------------------------------------------------+
| %    | test | 2022-12-16 20:00:19.841037 | $A$005${"I@'~lw<a{C3M_E!9oPkPR8pZWxeEIkeigZ3ihpSRhoQDVu21Jr2BkKav48 |
+------+------+----------------------------+------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql [localhost:40019] {msandbox} ((none)) > CREATE USER IF NOT EXISTS 'test'@'%' IDENTIFIED BY 'newpassword';
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql [localhost:40019] {msandbox} ((none)) > show warnings ;
+-------+------+---------------------------------------------+
| Level | Code | Message                                     |
+-------+------+---------------------------------------------+
| Note  | 3163 | Authorization ID 'test'@'%' already exists. |
+-------+------+---------------------------------------------+
1 row in set (0.00 sec)

mysql [localhost:40019] {msandbox} ((none)) > select * from mysql.password_history where user = 'test' ;
+------+------+----------------------------+------------------------------------------------------------------------+
| Host | User | Password_timestamp         | Password                                                               |
+------+------+----------------------------+------------------------------------------------------------------------+
| %    | test | 2022-12-16 20:00:39.792705 | $A$005$(3ccMc
                                                          ?nVN?M^j6DN/olTTYinBbh/xEsA0Nh5/czVuSsT7GlRboJe3./ |
| %    | test | 2022-12-16 20:00:19.841037 | $A$005${"I@'~lw<a{C3M_E!9oPkPR8pZWxeEIkeigZ3ihpSRhoQDVu21Jr2BkKav48 |
+------+------+----------------------------+------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql [localhost:40019] {msandbox} ((none)) > ALTER USER 'test'@'%' IDENTIFIED BY 'newpassword';
ERROR 3638 (HY000): Cannot use these credentials for 'test@%' because they contradict the password history policy

Suggested fix:
Prevent adding a password entry when the password is not altered.

Hello Juan Arruti,

Thank you for the report and test case.
Verified as described.

regards,
Umesh

Documented fix as follows in the MySQL 8.0.33 changelog:

    CREATE USER IF NOT EXISTS added a password history entry even
    when the user already existed and the password was not updated.
    This caused a subsequent ALTER USER statement to be rejected.

Closed.