Bug #96640 Rule for account without password does not distinguish Account from Role
Submitted: 24 Aug 2019 16:53 Modified: 21 Oct 2019 13:25
Reporter: Jonathan Gibert
Status: Duplicate
Category: MySQL Enterprise Monitor: Advisors/Rules Severity: S3 (Non-critical)
Version: 8.0.1 OS: Any
Assigned to: CPU Architecture: Any

[24 Aug 2019 16:53] Jonathan Gibert
Description:
The advisor reports "Server has Accounts without A Password" because it does not (or cannot) distinguish a regular account from a role.

As stated in the documentation:
"While locked, a role cannot be used to authenticate to the server. If unlocked, a role can be used to authenticate. This is because roles and users are both authorization identifiers with much in common and little to distinguish them. See also User and Role Interchangeability."

So admins who want the default behavior (no password and account locked) will always trigger that rule.

How to repeat:
Create a role the regular way:

CREATE ROLE 'example';

Wait for the advisor to detect it.

Suggested fix:
- check if the account is locked _and_ has an empty password
- reduce the level of criticality if both conditions match, or do not alert
- keep the same level of criticality if there is no password and the account is unlocked
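The suggested fix expressed as a query, as an added example that is not part of the bug report and not the MySQL Enterprise Monitor rule itself. It assumes MySQL 8.0 system tables: mysql.user (columns authentication_string, account_locked, plugin) and mysql.role_edges (FROM_USER, FROM_HOST), and the severity labels in the CASE are constructed for illustration.

```sql
-- Added example: classify password-less accounts by lock state instead of
-- alerting on every row with an empty authentication_string.
-- Assumes MySQL 8.0 grant tables (mysql.user, mysql.role_edges).
SELECT
  u.User,
  u.Host,
  u.plugin,
  u.account_locked,
  CASE
    -- Unlocked and no password: usable for login, keep the rule's full severity.
    -- This also catches a role that someone has unlocked (see quoted docs above).
    WHEN u.account_locked = 'N'
      THEN 'critical: no password and account unlocked'
    -- Locked and appearing as the source of a role grant: a role in normal use.
    WHEN EXISTS (SELECT 1
                 FROM mysql.role_edges AS r
                 WHERE r.FROM_USER = u.User AND r.FROM_HOST = u.Host)
      THEN 'info: locked role granted to users (expected default)'
    -- Locked, no password, not granted anywhere: role or deliberately disabled account.
    ELSE 'low: locked, no password, not granted as a role'
  END AS assessment
FROM mysql.user AS u
WHERE u.authentication_string = ''
  -- Plugins that never store a password are not "accounts without a password"
  -- in the rule's sense; excluded here to avoid a second kind of false positive.
  AND u.plugin NOT IN ('auth_socket', 'mysql_no_login')
ORDER BY u.account_locked, u.User, u.Host;
```

Running this after the `CREATE ROLE 'example';` step above returns the new role as a locked, ungranted row rather than as a critical finding.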
[21 Oct 2019 13:25] MySQL Verification Team
Hello Mr. Gibert,

Thank you for your bug report.

However, this is a feature request that has already been reported internally and is being scheduled for fixing. The schedule is unknown to us, and that information is not available to us.

If you are a customer, open an SR in our support portal and ask for more info.