Bug #118069 Inappropriate error message about password policies when revoking rights from a non-existing user
Submitted: 28 Apr 9:28
Modified: 10 Jun 20:43
Reporter: Björn Voigt (OCA)
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 8.0.42
OS: Any
Assigned to:
CPU Architecture: Any
Tags: password, revoke privilege

[28 Apr 9:28] Björn Voigt
Description:
If a user with administrative rights tries to revoke rights from a non-existing user, an inappropriate error occurs if password policies are configured.

How to repeat:
First set up password policies with the validate_password component.

These are my settings:
MySQL [(none)]> SHOW GLOBAL VARIABLES LIKE 'validate_password.%';
+-------------------------------------------------+--------------------------------------------------+
| Variable_name                                   | Value                                            |
+-------------------------------------------------+--------------------------------------------------+
| validate_password.changed_characters_percentage | 0                                                |
| validate_password.check_user_name               | ON                                               |
| validate_password.dictionary_file               | /usr/local/share/bad-passwords/bad-passwords.txt |
| validate_password.length                        | 12                                               |
| validate_password.mixed_case_count              | 1                                                |
| validate_password.number_count                  | 1                                                |
| validate_password.policy                        | MEDIUM                                           |
| validate_password.special_char_count            | 0                                                |
+-------------------------------------------------+--------------------------------------------------+
8 rows in set (0,045 sec)

Ensure that a test user does not exist:
MySQL [(none)]> SHOW CREATE USER 'test123'@'localhost';
ERROR 1396 (HY000): Operation SHOW CREATE USER failed for 'test123'@'localhost'

Try to revoke rights from the test user:
MySQL [(none)]> REVOKE SELECT ON `mydatabase`.* FROM test123@'localhost';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

The error message "ERROR 1819 (HY000): Your password does not satisfy the current policy requirements" is useless here.

Suggested fix:
Verify the validate_password component and fix the error message.

[28 Apr 10:02] MySQL Verification Team
Hello Björn,

Thank you for the report and feedback.

regards,
Umesh

[10 Jun 20:43] Björn Voigt
The error message is displayed for account management actions if the user does not exist:

mysql> ALTER USER 'test123'@'localhost' PASSWORD EXPIRE;
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> ALTER USER 'test123'@'localhost' ACCOUNT LOCK;
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
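
For operators triaging client transcripts affected by the behaviour reported above, a small checker that flags ERROR 1819 on statements that supply no password. This is an added example, not part of the bug report or of MySQL; the function name, the regex heuristics and the 'app'@'localhost' sample line are assumptions made for illustration.

```python
import re

# Heuristic (assumption of this example): only these clauses hand a new
# password to validate_password, so only they can legitimately fail with 1819.
SETS_PASSWORD = re.compile(
    r"\bIDENTIFIED\s+(?:WITH\s+\S+\s+)?BY\b|\bSET\s+PASSWORD\b", re.I)
PROMPT = re.compile(r"^(?:mysql|MySQL \[[^\]]*\])>\s*(.+)$")
ERROR = re.compile(r"^ERROR (\d+) \((\w+)\): ")

# Constructed transcript: statements from the report plus one constructed
# case ('app'@'localhost') where 1819 is the expected, correct answer.
SAMPLE = """\
MySQL [(none)]> SHOW CREATE USER 'test123'@'localhost';
ERROR 1396 (HY000): Operation SHOW CREATE USER failed for 'test123'@'localhost'
MySQL [(none)]> REVOKE SELECT ON `mydatabase`.* FROM test123@'localhost';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> ALTER USER 'app'@'localhost' IDENTIFIED BY 'short';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> ALTER USER 'test123'@'localhost' ACCOUNT LOCK;
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
"""

def misleading_1819(transcript):
    """Return single-line statements that failed with 1819 but set no password."""
    hits, stmt = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        prompt = PROMPT.match(line)
        if prompt:
            stmt = prompt.group(1)
            continue
        err = ERROR.match(line)
        if err and stmt is not None:
            if err.group(1) == "1819" and not SETS_PASSWORD.search(stmt):
                hits.append(stmt)
            stmt = None  # one error belongs to one statement
    return hits

if __name__ == "__main__":
    for s in misleading_1819(SAMPLE):
        print("1819 without a password clause, check that the account exists:", s)
```

Statements split across several prompt lines are not handled; only the line carrying the prompt is inspected.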