Description:
After executing FLUSH PRIVILEGES, a specific user account became unable to establish new connections.
The failure persisted for over 90 minutes and was only resolved by executing FLUSH PRIVILEGES a second time.
No other accounts were affected during this period, and the server was otherwise healthy with no waiting sessions observed.
Expected behavior:
After FLUSH PRIVILEGES clears the sha2_cache, the next connection attempt should trigger Full Authentication via the established SSL channel, successfully re-populate the cache, and complete the connection — regardless of how many times FLUSH PRIVILEGES is executed.
Actual behavior:
After FLUSH PRIVILEGES, one specific account became unable to authenticate. All new connection attempts failed with "Public Key Retrieval is not allowed" and did not self-recover for approximately 90 minutes. A second FLUSH PRIVILEGES immediately resolved the issue.
The root cause is not confirmed, but based on the observed behavior, our current hypothesis is as follows: the first FLUSH PRIVILEGES may have left the affected account's sha2_cache entry in a corrupted or inconsistent state rather than cleanly clearing it. If this is the case, the server may have been treating the connection as non-secure during the authentication phase despite SSL being active, which would explain why the client received a "Public Key Retrieval is not allowed" error — an error that should not occur when SSL is properly established (sslMode=PREFERRED with an SSL-capable server). However, we were unable to confirm the internal cache state at the time of the incident, and we acknowledge that other explanations may exist.
Notes:
- Client: JDBC Connector/J with HikariCP (sslMode=PREFERRED, allowPublicKeyRetrieval=false)
- FLUSH PRIVILEGES is executed frequently in this environment; this failure has occurred only once, suggesting a timing-dependent trigger condition.
- MySQL Workbench connection attempts for the affected account produced no response (hung with no error returned).
How to repeat:
Unable to reproduce
Suggested fix:
n/a
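
The caching_sha2_password paths this report refers to (cache hit, cache miss after FLUSH PRIVILEGES, full authentication over TLS), as an added simplified model that is not code from the report, MySQL or Connector/J. The names `Server` and `connect`, the return labels and the sample account are assumptions made for illustration, and the RSA exchange is reduced to a flag.

```python
import hashlib, os

def sha256(b): return hashlib.sha256(b).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

class Server:
    """Toy model of the server side (hypothetical class, not MySQL code)."""
    def __init__(self, accounts):
        self.accounts = accounts   # user -> password; stand-in for the stored hash
        self.sha2_cache = {}       # user -> SHA256(SHA256(password))

    def flush_privileges(self):
        self.sha2_cache.clear()    # every account must redo full authentication

    def fast_auth(self, user, nonce, scramble):
        cached = self.sha2_cache.get(user)
        if cached is None:
            return False           # cache miss: server asks for full authentication
        candidate = xor(scramble, sha256(cached + nonce))  # SHA256(password) if correct
        return sha256(candidate) == cached

    def full_auth(self, user, password):
        if self.accounts.get(user) != password:
            return False
        self.sha2_cache[user] = sha256(sha256(password))   # re-populate the cache
        return True

def connect(server, user, password, tls, allow_public_key_retrieval=False):
    """Client side; returns the path that completed (or refused) the login."""
    nonce = os.urandom(20)  # really sent by the server in its handshake packet
    h1 = sha256(password)
    scramble = xor(h1, sha256(sha256(h1) + nonce))
    if server.fast_auth(user, nonce, scramble):
        return "fast-auth"
    # Full authentication sends the password itself, so the client needs TLS
    # or the server's RSA public key to protect it on the wire.
    if not (tls or allow_public_key_retrieval):
        raise ConnectionError("Public Key Retrieval is not allowed")
    if not server.full_auth(user, password):
        return "denied"
    return "full-auth-tls" if tls else "full-auth-rsa"
```
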