Bug #76465 SHOW GRANTS no longer shows password information in 5.7.6
Submitted: 23 Mar 2015 21:19    Modified: 23 Mar 2015 21:45
Reporter: Simon Mudd (OCA)
Status: Not a Bug
Category: MySQL Server: Security: Privileges    Severity: S3 (Non-critical)
Version: 5.7.6    OS: Any
CPU Architecture: Any

[23 Mar 2015 21:19] Simon Mudd
Description:
SHOW GRANTS FOR <user> no longer shows password information in 5.7.6. 

http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-6.html talks about password changes but does not mention this explicitly.

http://dev.mysql.com/doc/refman/5.7/en/show-grants.html is almost the same as the 5.0 version and the only example shown does NOT show a password yet if I run this on 5.5/5.7.5 servers or earlier I typically get: 

root@myhost [(none)]> show grants for root@localhost; -- 5.6.15 
+----------------------------------------------------------------------------------------------------------------------------------------+ 
| Grants for root@localhost | 
+----------------------------------------------------------------------------------------------------------------------------------------+ 
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*A77XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' WITH GRANT OPTION | 
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION | 
+----------------------------------------------------------------------------------------------------------------------------------------+ 
2 rows in set (0.00 sec) 

5.7.6 does not show the IDENTIFIED BY PASSWORD ... part. 

This is a problem. 
I use this information to determine if the password hash matches the "expected password [hash]".
I use this information to see if a password has actually been set for this user, to enable me to change it.
There's thus no mention of this change, so it's not clear it's intentional.
I see the mysql.user.Password column has been replaced by authentication_string and a reference to syntax changes.
However, I'm confused by this change. Please comment if it's intentional.

How to repeat:
run SHOW GRANTS FOR <some_user> on 5.0..5.7.5 and if the user has a password you'll see a reference to IDENTIFIED BY PASSWORD ...
Do the same on 5.7.6 and you'll see that is missing.

Suggested fix:
For the reasons stated, completely hiding the password information is quite intrusive, as this requires changes to scripts which may need to look at this information.
Other tools such as percona-toolkit's pt-show-grants are similarly affected.  See: https://bugs.launchpad.net/percona-toolkit/+bug/1435370 where this has been brought up.

I can understand that some authentication methods may not be able to provide or show the equivalent of a password hash. That's fine, but the current behaviour makes it look as if there's no password at all.

[23 Mar 2015 21:45] Ben Krug
Thank you for reporting this.  This is an intentional change in 5.7.  Password information has been separated off and can be obtained using SHOW CREATE USER.  (See http://dev.mysql.com/doc/refman/5.7/en/show-create-user.html .)

This provides more flexibility going forward, separating grants in effect, and a user's authentication information.  (For example, in proxied users, these may be two different matters.)

The release notes for 5.7.6 mention the new SHOW CREATE USER statement, and also mention the possible issue with SHOW GRANTS and proxied users.
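As an added example (not part of the bug report or of MySQL's documentation), the two checks the reporter relies on, done the 5.7.6 way: SHOW CREATE USER replaces the IDENTIFIED BY PASSWORD clause of SHOW GRANTS, and mysql.user.authentication_string replaces the old Password column. The account name and the expected hash are placeholders; reading mysql.user needs the corresponding privilege.

```sql
-- Added example; not from the bug report. Assumes MySQL 5.7.6 or later.
-- Authentication details are no longer part of SHOW GRANTS; SHOW CREATE USER has them.
SHOW CREATE USER 'root'@'localhost';
-- Output is roughly:
--   CREATE USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password'
--   AS '*A77...' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK

-- Check 1: does the stored hash match the hash we expect for this account?
-- The value below is a placeholder; substitute the hash from your own records.
SET @expected_hash = '*PLACEHOLDER_EXPECTED_HASH';
SELECT User, Host, plugin,
       authentication_string = @expected_hash AS hash_matches
FROM mysql.user
WHERE User = 'root' AND Host = 'localhost';

-- Check 2: which accounts have no password set at all?
-- Only meaningful for plugins that store a hash: with mysql_native_password an
-- empty authentication_string means "no password". Plugins such as auth_socket
-- legitimately keep it empty, which is the case the reporter's last paragraph
-- describes, so filter on the plugin rather than on the empty string alone.
SELECT User, Host, plugin
FROM mysql.user
WHERE plugin = 'mysql_native_password'
  AND authentication_string = '';
```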