1

MySQL User Management

User management is the process of controlling which users are allowed to connect to the MySQL
server and what permissions they have on each database.

Start the mysql server

# /etc/init.d/mysql start or # service mysql start or # mysqld_safe –user=”mysql” &

Login into mysql database

[root@maxisdb1 mysql]# mysql -proot -u root

mysql>\q
mysql> show engines;

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| mysql |

| test |

+--------------------+

3 rows in set (0.00 sec)

mysql>use mysql;
mysql> show tables;

mysql> select user,host from user;

Mysql default port number is 3306
Mysql default storage engine is “MyIsam”(Up to 5.5) “Innodb”(From 5.5)

SQL Commands:
 2

Data Definition Language (DDL)

CREATE,ALTER,DROP,RENAME and TRUNCATE

Data Manipulation Language (DML)

INSERT, UPDATE, and DELETE.

Data query Language (DQL)

SELECT

Transaction Control Language (TCL)

COMMIT, ROLLBACK, and SAVEPOINT.

Data Control Language (DCL)

GRANT and REVOKE.

The GRANT statement grants privileges to MySQL user accounts.

We can maintain the user privileges in two ways

1) Using DCL and DDL Commands

2) Using DML and DQL Commands

creating a user

mysql> create user 'u1'@'localhost' IDENTIFIED BY 'p1' ;

or
create user 'u2' IDENTIFIED BY 'p1' ;

check the user privileges;

> show grants for 'u1'@'localhost';

Creating a User with Full Privileges to all databases:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'u1'@'localhost' IDENTIFIED BY 'p1' ;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'u2'@'localhost' IDENTIFIED BY 'p2' WITH GRANT OPTION;
 3

Creating a User with Full Privileges to a single database:

mysql> GRANT ALL PRIVILEGES ON rajadb.* TO 'raja'@'localhost' IDENTIFIED BY 'raja' WITH GRANT
OPTION;

mysql> GRANT ALL PRIVILEGES ON *.* TO 'raja'@'%' IDENTIFIED BY 'raja' WITH GRANT OPTION;
Using the WITH GRANT OPTION allows the account to add user accounts to the specified databases.

Creating a User Account with Full Privileges on All DATABASES:

Creating Specific Privileges to a User on one database:

GRANT SELECT, INSERT, DELETE, UPDATE, EXECUTE ON test.* TO 'username'@'[Link]';

To check the privileges for an account, use SHOW GRANTS:

mysql> SHOW GRANTS FOR 'raja'@'localhost';

Removing Users:

USE mysql;

DELETE FROM user WHERE user = 'username' AND host = 'hostname';

As an alternative to GRANT, you can create the same accounts directly by issuing INSERT statements
and then telling the server to reload the grant tables:

An example of how to Create a User in MySQL using the INSERT statement

INSERT INTO user (Host,User,Password) VALUES('localhost','my_user',PASSWORD('my_pass'));

If you want to add some privileges with the same command the query will look like this:

An example of how to create a user with INSERT and SELECT privileges by editing the '[Link]'
table
 4

INSERT INTO user (Host,User,Password,Select_priv,Insert_priv)

VALUES('localhost','my_user',PASSWORD('my_pass'),'Y','Y');

mysql> INSERT INTO user VALUES('localhost','raja',PASSWORD('raja'),

'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');

mysql> INSERT INTO user

VALUES('%','raja',PASSWORD('raja'),'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');

mysql> INSERT INTO user SET Host='localhost',User='admin', Reload_priv='Y', Process_priv='Y';

mysql> INSERT INTO user (Host,User,Password) VALUES('localhost','dummy','');

mysql> FLUSH PRIVILEGES;

The REVOKE statement enables system administrators to revoke privileges from MySQL accounts.

REVOKE ALL PRIVILEGES, GRANT OPTION FROM raja@localhost;

REVOKE INSERT ON *.* FROM 'raja'@'[Link]';

update the password

mysql>update user set passowrd=PASSWORD('raja') where user='raja';
#flush privilges

GRANT ALL PRIVILEGES ON *.* TO 'u1'@'localhost' WITH MAX_QUERIES_PER_HOUR 50

MAX_UPDATES_PER_HOUR 15 MAX_CONNECTIONS_PER_HOUR 3 MAX_USER_CONNECTIONS 2;

Advanced Commands MySQL 5.7

mysql> show create user 'raja'@'%';

+--------------------------------------------------------------------------------------------------------------------------------------
-----------------------------+
| CREATE USER for raja@%
|
+--------------------------------------------------------------------------------------------------------------------------------------
-----------------------------+
| CREATE USER 'raja'@'%' IDENTIFIED WITH 'mysql_native_password' AS
'*14060FF22F2422B251036026B7C59989937343A3' REQUIRE NONE PASSWORD EXPIRE DEFAULT
ACCOUNT UNLOCK |
+--------------------------------------------------------------------------------------------------------------------------------------
-----------------------------+
 5

1 row in set (0.00 sec)

mysql>

does this include the rights on dbname given by:

grant all on dbname.* to 'user'@'host';

 The ALL or ALL PRIVILEGES privilege specifier is shorthand. It stands for “all privileges available
at a given privilege level” (except GRANT OPTION). For example, granting ALL at the global or
table level grants all global privileges or all table-level privileges.
 The ALTER privilege enables use of ALTER TABLE to change the structure of tables. ALTER
TABLE also requires the CREATE and INSERT privileges. Renaming a table re-
quires ALTER and DROP on the old table, CREATE, and INSERT on the new table.
 The ALTER ROUTINE privilege is needed to alter or drop stored routines (procedures and func-
tions).
 The CREATE privilege enables creation of new databases and tables.
 The CREATE ROUTINE privilege is needed to create stored routines (procedures and func-
tions).
 The CREATE TABLESPACE privilege is needed to create, alter, or drop tablespaces and log file
groups.
 The CREATE TEMPORARY TABLES privilege enables the creation of temporary tables using
the CREATE TEMPORARY TABLE statement.
After a session has created a temporary table, the server performs no further privilege checks on
the table. The creating session can perform any operation on the table, such as DROP
TABLE, INSERT, UPDATE, or SELECT.
One implication of this behavior is that a session can manipulate its temporary tables even if the
current user has no privilege to create them. Suppose that the current user does not have
the CREATE TEMPORARY TABLES privilege but is able to execute a DEFINER-context stored pro-
cedure that executes with the privileges of a user who does have CREATE TEMPORARY
TABLES and that creates a temporary table. While the procedure executes, the session uses the
privileges of the defining user. After the procedure returns, the effective privileges revert to
those of the current user, which can still see the temporary table and perform any operation on
it.
To keep privileges for temporary and nontemporary tables separate, a common workaround for
this situation is to create a database dedicated to the use of temporary tables. Then for that
database, a user can be granted the CREATE TEMPORARY TABLES privilege, along with any other
privileges required for temporary table operations done by that user.
 The CREATE USER privilege enables use of ALTER USER, CREATE USER, DROP USER, RENAME
USER, and REVOKE ALL PRIVILEGES.
 The CREATE VIEW privilege enables use of CREATE VIEW.
 The DELETE privilege enables rows to be deleted from tables in a database.
 The DROP privilege enables you to drop (remove) existing databases, tables, and views.
The DROP privilege is required in order to use the statementALTER TABLE ... DROP PARTITION on
a partitioned table. The DROP privilege is also required for TRUNCATE TABLE. If you grant
 6

the DROP privilege for the mysql database to a user, that user can drop the database in which the
MySQL access privileges are stored.
 The EVENT privilege is required to create, alter, drop, or see events for the Event Scheduler.
 The EXECUTE privilege is required to execute stored routines (procedures and functions).
 The FILE privilege gives you permission to read and write files on the server host using
the LOAD DATA INFILE and SELECT ... INTO OUTFILEstatements and the LOAD_FILE() function. A
user who has the FILE privilege can read any file on the server host that is either world-readable
or readable by the MySQL server. (This implies the user can read any file in any database direct-
ory, because the server can access any of those files.) TheFILE privilege also enables the user to
create new files in any directory where the MySQL server has write access. This includes the
server's data directory containing the files that implement the privilege tables. As a security
measure, the server will not overwrite existing files.
To limit the location in which files can be read and written, set the secure_file_priv system to a
specific directory. See Section 5.1.4, “Server System Variables”.
 The GRANT OPTION privilege enables you to give to other users or remove from other users
those privileges that you yourself possess.
 The INDEX privilege enables you to create or drop (remove) indexes. INDEX applies to existing
tables. If you have the CREATE privilege for a table, you can include index definitions in
the CREATE TABLE statement.
 The INSERT privilege enables rows to be inserted into tables in a database. INSERT is also re-
quired for the ANALYZE TABLE, OPTIMIZE TABLE, andREPAIR TABLE table-maintenance state-
ments.
 The LOCK TABLES privilege enables the use of explicit LOCK TABLES statements to lock tables
for which you have the SELECT privilege. This includes the use of write locks, which prevents
other sessions from reading the locked table.
 The PROCESS privilege pertains to display of information about the threads executing within
the server (that is, information about the statements being executed by sessions). The privilege
enables use of SHOW PROCESSLIST or mysqladmin processlist to see threads belonging to other
accounts; you can always see your own threads. The PROCESS privilege also enables use of SHOW
ENGINE.
 The PROXY privilege enables a user to impersonate or become known as another user.
See Section 6.3.10, “Proxy Users”.
 The REFERENCES privilege is unused before MySQL 5.7.6. As of 5.7.6, creation of a foreign key
constraint requires the REFERENCES privilege for the parent table.
 The RELOAD privilege enables use of the FLUSH statement. It also enables mysqladmin com-
mands that are equivalent to FLUSH operations: flush-hosts, flush-logs, flush-privileges, flush-
status, flush-tables, flush-threads, refresh, and reload.
The reload command tells the server to reload the grant tables into memory. flush-privileges is a
synonym for reload. The refresh command closes and reopens the log files and flushes all tables.
The other flush-xxx commands perform functions similar to refresh, but are more specific and
may be preferable in some instances. For example, if you want to flush just the log files, flush-
logs is a better choice than refresh.
 The REPLICATION CLIENT privilege enables the use of SHOW MASTER STATUS, SHOW SLAVE
STATUS, and SHOW BINARY LOGS.
 7

 The REPLICATION SLAVE privilege should be granted to accounts that are used by slave serv-
ers to connect to the current server as their master. Without this privilege, the slave cannot re-
quest updates that have been made to databases on the master server.
 The SELECT privilege enables you to select rows from tables in a database. SELECT statements
require the SELECT privilege only if they actually retrieve rows from a table. Some SELECT state-
ments do not access tables and can be executed without permission for any database. For ex-
ample, you can use SELECT as a simple calculator to evaluate expressions that make no reference
to tables:

 SELECT 1+1;

 SELECT PI()*2;

Permissible Privileges for GRANT and REVOKE

Privilege Column Context
CREATE Create_priv databases, tables, or indexes
DROP Drop_priv databases, tables, or views
GRANT OPTION Grant_priv databases, tables, or stored routines
LOCK TABLES Lock_tables_priv databases
REFERENCES References_priv databases or tables
EVENT Event_priv databases
ALTER Alter_priv tables
DELETE Delete_priv tables
INDEX Index_priv tables
INSERT Insert_priv tables or columns
SELECT Select_priv tables or columns
UPDATE Update_priv tables or columns
CREATE TEMPORARY TABLES Create_tmp_table_priv Tables
TRIGGER Trigger_priv Tables
CREATE VIEW Create_view_priv Views
SHOW VIEW Show_view_priv Views
ALTER ROUTINE Alter_routine_priv stored routines
CREATE ROUTINE Create_routine_priv stored routines
EXECUTE Execute_priv stored routines
FILE File_priv file access on server host
CREATE TABLESPACE Create_tablespace_priv server administration
CREATE USER Create_user_priv server administration
 8

Privilege Column Context

PROCESS Process_priv server administration
PROXY see proxies_priv table server administration
RELOAD Reload_priv server administration
REPLICATION CLIENT Repl_client_priv server administration
REPLICATION SLAVE Repl_slave_priv server administration
SHOW DATABASES Show_db_priv server administration
SHUTDOWN Shutdown_priv server administration
SUPER Super_priv server administration
ALL [PRIVILEGES] server administration
USAGE server administration

The SELECT privilege is also needed for other statements that read column values. For ex-
ample, SELECT is needed for columns referenced on the right hand side of col_name=expr assign-
ment in UPDATE statements or for columns named in the WHERE clause
of DELETE or UPDATE statements.
 The SHOW DATABASES privilege enables the account to see database names by issuing
the SHOW DATABASE statement. Accounts that do not have this privilege see only databases for
which they have some privileges, and cannot use the statement at all if the server was started
with the --skip-show-database option. Note that any global privilege is a privilege for the data-
base.
 The SHOW VIEW privilege enables use of SHOW CREATE VIEW.
 The SHUTDOWN privilege enables use of the SHUTDOWN statement, the mysqladmin
shutdown command, and the mysql_shutdown() C API function.
 The SUPER privilege enables an account to use CHANGE MASTER TO, KILL or mysqladmin
kill to kill threads belonging to other accounts (you can always kill your own threads), PURGE
BINARY LOGS, configuration changes using SET GLOBAL to modify global system variables,
the mysqladmin debug command, enabling or disabling logging, performing updates even if
the read_only system variable is enabled, starting and stopping replication on slave servers, spe-
cification of any account in the DEFINER attribute of stored programs and views, and enables you
to connect (once) even if the connection limit controlled by the max_connections system variable
is reached.
To create or alter stored functions if binary logging is enabled, you may also need the SUPER priv-
ilege, as described in Section 19.7, “Binary Logging of Stored Programs”.
 The TRIGGER privilege enables trigger operations. You must have this privilege for a table to
create, drop, or execute triggers for that table.
 The UPDATE privilege enables rows to be updated in tables in a database.
 The USAGE privilege specifier stands for “no privileges.” It is used at the global level
with GRANT to modify account attributes such as resource limits or SSL characteristics without
affecting existing account privileges.
 9

It is a good idea to grant to an account only those privileges that it needs. You should exercise particu-
lar caution in granting the FILE and administrative privileges:
 The FILE privilege can be abused to read into a database table any files that the MySQL server
can read on the server host. This includes all world-readable files and files in the server's data dir-
ectory. The table can then be accessed using SELECT to transfer its contents to the client host.
 The GRANT OPTION privilege enables users to give their privileges to other users. Two users
that have different privileges and with the GRANT OPTIONprivilege are able to combine priv-
ileges.
 The ALTER privilege may be used to subvert the privilege system by renaming tables.
 The SHUTDOWN privilege can be abused to deny service to other users entirely by terminating
the server.
 The PROCESS privilege can be used to view the plain text of currently executing statements, in-
cluding statements that set or change passwords.
 The SUPER privilege can be used to terminate other sessions or change how the server oper-
ates.
 Privileges granted for the mysql database itself can be used to change passwords and other ac-
cess privilege information. Passwords are stored encrypted, so a malicious user cannot simply
read them to know the plain text password. However, a user with write access to the user table-
Password column can change an account's password, and then connect to the MySQL server us-
ing that account.

The SUPER privilege enables an account to use CHANGE MASTER TO, KILL or mysqladmin kill to kill
threads belonging to other accounts (you can always kill your own threads), PURGE BINARY LOGS,
configuration changes using SET GLOBAL to modify global system variables, the mysqladmin debug
command, enabling or disabling logging, performing updates even if the read_only system variable is
enabled, starting and stopping replication on slave servers, specification of any account in the
DEFINER attribute of stored programs and views, and enables you to connect (once) even if the con-
nection limit controlled by the max_connections system variable is reached.

To create or alter stored functions if binary logging is enabled, you may also need the SUPER privilege,
as described in Section 17.7, “Binary Logging of Stored Programs”.

Password Expiration Policy

Be aware that, if you make no changes to the default_password_lifetime variable nor to the individual
user accounts, all user passwords will expire after 360 days, and all user accounts will start running in
restricted mode when this happens. Clients (which are effectively users) connecting to the server will
then get an error indicating that the password must be changed: ERROR 1820 (HY000): You must reset
your password using ALTER USER statement before executing this statement.
However, this is easy to miss for clients that automatically connect to the server, like scripts. To avoid
having such clients suddenly stop working due to a password expiring, make sure to change the pass-
word expiration settings for those clients, like this:
 10

ALTER USER 'script'@'localhost' PASSWORD EXPIRE NEVER

To expire a password manually, the database administratior uses the ALTER USER statement:
ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE;

Examples:

To establish a global policy that passwords have a lifetime of approximately six months, start the
server with these lines in an option file:

 [mysqld]

 default_password_lifetime=180

To establish a global policy such that passwords never expire, set default_password_lifetime to 0:

 [mysqld]

 default_password_lifetime=0

default_password_lifetime can also be changed at runtime (this requires the SUPER privilege):

SET GLOBAL default_password_lifetime = 180;

Require the password to be changed every 90 days:

 ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;

 Disable password expiration:

 ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE NEVER;

 11

Defer to the global expiration policy:

ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE DEFAULT;

Require the password to be changed every 90 days:

 ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;

Disable password expiration:

 ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE NEVER;

Defer to the global expiration policy:

ALTER USER 'jeffrey'@'localhost' PASSWORD EXPIRE DEFAULT;

Pluggable Authentication

If the account row specifies no plugin name, the server authenticates the account using either
the mysql_native_password ormysql_old_password plugin, depending on whether the password hash
value in the Password column used native hashing or the older pre-4.1 hashing method. Clients must
match the password in the Password column of the account row. As of MySQL 5.7.2, the server re-
quires the plugin value to be nonempty, and as of 5.7.5, support for mysql_old_password is removed.

Proxy user basics

One key attribute of SQL roles is the ability to manage common sets of privileges independent of user
credentials. Typically, DBAs create user accounts and assign privileges directly to those accounts.
Given five admins needing identical access, DBAs were faced with the options of creating a single
shared account (bad for auditing and password control) or five individual accounts (bad for privilege
maintenance/updates). Proxy user functionality – like roles – breaks the coupling between authentic-
ation (credentials) and authorization (privileges). With proxy users, it is easy to manage privileges for
an arbitrary group of users – simply modify the privileges of the proxied user account, and all users
which proxy to that are affected. For example:
mysql> CREATE USER proxy_base@localhost;
Query OK, 0 rows affected (0.00 sec)
 12

mysql> CREATE USER admin_1@localhost;

Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER admin_2@localhost;

Query OK, 0 rows affected (0.00 sec)

mysql> GRANT PROXY ON proxy_base@localhost

-> TO admin_1@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT PROXY ON proxy_base@localhost

-> TO admin_2@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON app.*

-> TO proxy_base@localhost;
Query OK, 0 rows affected (0.00 sec)
Now if you want to add privileges for these admin_1 and admin_2 accounts, you can do it like so:
mysql> GRANT SELECT ON archive.*
-> TO proxy_base@localhost;
Query OK, 0 rows affected (0.00 sec)
After the above statement, both admin_1 and admin_2 accounts will have SELECT access to
thearchive database when they are mapped to proxy users.

Mapping Proxy Users

You may have noticed that I said, “when they are mapped to proxy users” in the statement above.
The account management commands shown above aren’t new to MySQL 5.7 – they will work in
MySQL 5.5 and MySQL 5.6 just the same. In these earlier versions – as well as in MySQL 5.7 with de-
fault configuration – the default mysql_native_password plugin does not map users to proxy ac-
counts. The above GRANT PROXY commands are meaningless – the admin_1@localhost user will al-
ways be mapped to the admin_1@localhost account privileges.

In MySQL 5.5 and 5.6, mapping of users to proxy users was done exclusively by the authentication plu-
gin. That means that the various authentication plugins such as PAM or Windows Native would do
authentication and map the user to the appropriate privilege account. The server would check to
make sure the actual user has the PROXY privilege for the intended account.

Starting in MySQL Server 5.7.7, the server can now leverage PROXY privilege definitions to do the
proxy user mapping directly, rather than relying on the authentication plugin to do it. This must be
 13

explicitly enabled using the new --check_proxy_users configuration option. Setting this to ON will
cause the server to reference the PROXY privilege definitions to seek a user to proxy, when the au-
thentication plugin requests this be done.

Authentication plugin changes

Again, there’s a caveat buried in the last sentence of the previous section – authentication plugins
have to request that the server do this proxy user mapping for them. They do this by returning a spe-
cial flag value. This behavior is controlled for mysql_native_password and sha256_password with
the --mysql_native_password_proxy_users and --sha256_password_proxy_usersvariables, respect-
ively. As with –check_proxy_users, the default value is OFF, so each must be explicitly enabled to al-
low proxy user mapping of accounts which use that authentication plugin.

Putting it all together

Starting right where we left off, let’s enable proxy user mapping and the special flag
formysql_native_password:
mysql> SET @@global.check_proxy_users = ON;
Query OK, 0 rows affected (0.00 sec)

mysql> SET @@global.mysql_native_password_proxy_users = ON;

Query OK, 0 rows affected (0.00 sec)
Now we are be able to log in using admin_1@localhost and have privileges of proxy_base@localhost:
D:\mysql-5.7.7-rc-winx64>bin\mysql -uadmin_1 -P3309
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.7-rc MySQL Community Server (GPL)
...
mysql> SELECT USER(), CURRENT_USER(), @@session.proxy_user;
+-------------------+----------------------+-----------------------+
| USER() | CURRENT_USER() | @@session.proxy_user |
+-------------------+----------------------+-----------------------+
| admin_1@localhost | proxy_base@localhost | 'admin_1'@'localhost' |
+-------------------+----------------------+-----------------------+
1 row in set (0.00 sec)

mysql> SHOW GRANTS;

+---------------------------------------------------------+
| Grants for proxy_base@localhost |
+---------------------------------------------------------+
 14

| GRANT USAGE ON *.* TO 'proxy_base'@'localhost' |

| GRANT SELECT ON `app`.* TO 'proxy_base'@'localhost' |
| GRANT SELECT ON `archive`.* TO 'proxy_base'@'localhost' |
+---------------------------------------------------------+
3 rows in set (0.00 sec)
Now the role-like privilege management capabilities of proxy user no longer require external authen-
tication systems or complicated setup.

Other considerations and notes

With PAM and Windows Native authentication plugins, proxy user mapping was explicit and determ-
inistic. There’s nothing preventing DBAs from defining a single account which can proxy to multiple
base accounts. However, the server mapping using these PROXY privileges is non-deterministic when
mutliple proxy privileges exist for a given user account. Do not do the following with server proxy
user mapping:
mysql> CREATE USER proxy_b1@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER proxy_b2@localhost;

Query OK, 0 rows affected (0.00 sec)

mysql> CREATE USER bad@localhost;

Query OK, 0 rows affected (0.00 sec)

mysql> GRANT PROXY ON proxy_b1@localhost

-> TO bad@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT PROXY ON proxy_b2@localhost

-> TO bad@localhost;
Query OK, 0 rows affected (0.00 sec)
MySQL Server will do proxy user mapping, but there is no guarantee which account will be selected to
proxy.
mysql> SELECT USER(), CURRENT_USER(), @@session.proxy_user;
+---------------+--------------------+----------------------+
| USER() | CURRENT_USER() | @@session.proxy_user |
+---------------+--------------------+----------------------+
| bad@localhost | proxy_b1@localhost | 'bad'@'localhost' |
+---------------+--------------------+----------------------+
 15

1 row in set (0.00 sec)

Anonymous users are also problematic for server-side proxy mapping. You cannot map a user to an
anonymous proxied user. The following is a legal GRANT command, but will be ignored when the
server tries to map proxy users from the PROXY privileges:
mysql> GRANT PROXY ON ''@localhost
-> TO bad@localhost;
Query OK, 0 rows affected (0.00 sec)
You also cannot map from an anonymous user account using the new server-based mapping. This is
an important difference from external authentication plugins, which work great with anonymous user
accounts, as the PAM or Windows Native authentication modules identify the user based on other
factors.

It’s important to note that user accounts which have no matching PROXY privilege authenticate and
have their normal assigned privileges regardless of the configuration options described above. This
allows mixing and matching of use cases – there’s no need to make all mysql_native_password users
leverage proxy mapping.