Description:
Reviewing this page;
https://dev.mysql.com/doc/refman/8.0/en/grant.html
There is mention of the new CONNECTION ADMIN privileges;
https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_connection-admin
But the page does not seem to warn against an expected course of user (admin) behavior, as follows;
An user may be accustomed to doing something like this;
GRANT ALL ON *.* TO 'bob'@'%' IDENTIFIED BY 'apple';
REVOKE SUPER ON *.* FROM 'bob'@'%';
FLUSH PRIVILEGES;
Assuming that bob will thereby not have a super-like admin level. Yet, this is not the case;
mysql> SHOW GRANTS\G
*************************** 1. row ***************************
Grants for bob@%: GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, SHUTDOWN, PROCESS, FILE, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER, CREATE TABLESPACE, CREATE ROLE, DROP ROLE ON *.* TO `bob`@`%`
*************************** 2. row ***************************
Grants for bob@%: GRANT BACKUP_ADMIN,BINLOG_ADMIN,CONNECTION_ADMIN,ENCRYPTION_KEY_ADMIN,GROUP_REPLICATION_ADMIN,PERSIST_RO_VARIABLES_ADMIN,REPLICATION_SLAVE_ADMIN,RESOURCE_GROUP_ADMIN,RESOURCE_GROUP_USER,ROLE_ADMIN,SET_USER_ID,SYSTEM_VARIABLES_ADMIN,XA_RECOVER_ADMIN ON *.* TO `bob`@`%`
And thus bob has certain privileges that are unexpected. And regrettably executing;
select * from mysql.user where user ='bob'\G
Will not show these differences.
How to repeat:
As per above
Suggested fix:
1) Update manual
2) Is there anything that can be done to make the "select * from mysql.user where user ='...';" list consistent with the full reality, or - the opposite - to avoid this list including any grants at all?
