Bug #76560 CREATE USER binlog events include new ACCOUNT keyword
Submitted: 1 Apr 2015 14:34
Modified: 14 Apr 2015 20:01
Reporter: Todd Farmer (OCA)
Status: Closed
Category: MySQL Server: Security: Privileges
Severity: S2 (Serious)
Version: 5.7.7
OS: Any
Assigned to:
CPU Architecture: Any

[1 Apr 2015 14:34] Todd Farmer
Description:
MySQL 5.7 introduces support for new syntax in the CREATE USER statement.  All CREATE USER statements are rewritten into a format which includes the new ACCOUNT keyword when written to the binlog:

# at 757
#150401  8:23:58 server id 1  end_log_pos 943 CRC32 0x91699720  Query   thread_id=4     exec_time=0     error_code=0
use `mysql`/*!*/;
SET TIMESTAMP=1427898238/*!*/;
CREATE USER 't1'@'localhost' IDENTIFIED BY PASSWORD '*C720D8C695B25DC4CAAD629BA26CCE9FB0CCA5C0' ACCOUNT UNLOCK
/*!*/;

This happens regardless of how log_backward_compatible_user_definition is set (above binlog output was created while set to ON).  This will break replication to earlier MySQL servers, and undermines the purpose of log_backward_compatible_user_definition.

How to repeat:
* Start mysqld with binary logging
* Set log_backward_compatible_user_definition=ON
* Create user using pre-5.7 compatible syntax
* View mysqlbinlog output

Suggested fix:
Ensure CREATE USER statements which are compatible with pre-5.7 syntax are written to the binary log in similar fashion.

[14 Apr 2015 20:01] Paul DuBois
Noted in 5.7.8, 5.8.0 changelogs.

CREATE USER events written to the binary log included the new ACCOUNT
syntax even with log_backward_compatible_user_definition enabled.
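
A check for the symptom described in this report, as an added example that is not part of the original bug report or of MySQL's own code: it scans mysqlbinlog text output for CREATE USER events that carry the ACCOUNT LOCK/UNLOCK clause, which the report says breaks replication to earlier servers. The function name and the second sample event (position 943) are assumptions constructed for illustration.

```python
import re

DELIM = "/*!*/;"  # statement delimiter in mysqlbinlog text output
QUOTED = re.compile(r"'(?:[^'\\]|\\.|'')*'|`[^`]*`")  # string and identifier literals
ACCOUNT = re.compile(r"\bACCOUNT\s+(LOCK|UNLOCK)\b", re.I)
CREATE_USER = re.compile(r"\s*CREATE\s+USER\b", re.I)

def find_account_clause_events(binlog_text):
    """Return (binlog_position, clause, statement) for every CREATE USER event
    whose logged text carries the 5.7-only ACCOUNT LOCK/UNLOCK clause."""
    hits, pos, buf = [], None, []
    for line in binlog_text.splitlines():
        at = re.match(r"# at (\d+)", line)
        if at:
            pos, buf = int(at.group(1)), []
            continue
        if line.startswith("#"):
            continue  # event header line
        buf.append(line)
        if line.rstrip().endswith(DELIM):
            stmt = " ".join(buf).replace(DELIM, "").strip()
            buf = []
            if CREATE_USER.match(stmt):
                # Blank out quoted literals first, so an account name that
                # merely contains the words is not reported.
                clause = ACCOUNT.search(QUOTED.sub("''", stmt))
                if clause:
                    hits.append((pos, "ACCOUNT " + clause.group(1).upper(), stmt))
    return hits

# Constructed sample: the event from the report (wrapped lines rejoined), plus a
# made-up event at position 943 whose account name contains the keyword text.
SAMPLE = """\
# at 757
#150401  8:23:58 server id 1  end_log_pos 943 CRC32 0x91699720  Query   thread_id=4     exec_time=0     error_code=0
use `mysql`/*!*/;
SET TIMESTAMP=1427898238/*!*/;
CREATE USER 't1'@'localhost' IDENTIFIED BY PASSWORD '*C720D8C695B25DC4CAAD629BA26CCE9FB0CCA5C0' ACCOUNT UNLOCK
/*!*/;
# at 943
SET TIMESTAMP=1427898239/*!*/;
CREATE USER 'account unlock'@'localhost' IDENTIFIED BY PASSWORD '*C720D8C695B25DC4CAAD629BA26CCE9FB0CCA5C0'
/*!*/;
"""

if __name__ == "__main__":
    for pos, clause, stmt in find_account_clause_events(SAMPLE):
        print(f"at {pos}: {clause} in: {stmt}")
```

An empty result for a binlog that contains only pre-5.7 compatible CREATE USER statements is the behaviour the report asks for when log_backward_compatible_user_definition is ON.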