MDEV-34311: Alter USER should reset all account limit counters

This commit introduces a reset of password errors counter on any alter user
command for the altered user. This is done so as to not require a
complete privilege system reload.

Author: cvicentiu

mysql-test/main/max_password_errors.result

@@ -9,10 +9,10 @@ connect  con1, localhost, u, bad_pass;
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 connect(localhost,u,good_pass,test,MASTER_PORT,MASTER_SOCKET);
 connect con1, localhost, u, good_pass;
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 connect(localhost,u,bad_pass,test,MASTER_PORT,MASTER_SOCKET);
 connect con1, localhost, u, bad_pass;
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 FLUSH PRIVILEGES;
 connect  con1, localhost, u, good_pass;
 disconnect con1;
@@ -27,7 +27,7 @@ ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 connect  con1, localhost, u, good_pass;
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
 ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
-ERROR HY000: User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
 disconnect con1;
 connection default;
 FLUSH PRIVILEGES;
@@ -40,6 +40,21 @@ ERROR 28000: Access denied for user 'root'@'localhost' (using password: YES)
 connect  con1, localhost, u, good_pass;
 disconnect con1;
 connection default;
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect(localhost,u,good_pass,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, good_pass;
+ERROR HY000: User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'
+ALTER USER u ACCOUNT UNLOCK;
+connect(localhost,u,bad_password,test,MASTER_PORT,MASTER_SOCKET);
+connect con1, localhost, u, bad_password;
+ERROR 28000: Access denied for user 'u'@'localhost' (using password: YES)
+connect con1, localhost, u, good_pass;
+disconnect con1;
+connection default;
 DROP USER u;
-FLUSH PRIVILEGES;
 set global max_password_errors=@old_max_password_errors;

mysql-test/main/max_password_errors.test

@@ -59,6 +59,28 @@ connect (con1, localhost, root, bad_pass);
 connect (con1, localhost, u, good_pass);
 disconnect con1;
 connection default;
+
+# Block u again
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_USER_IS_BLOCKED;
+connect(con1, localhost, u, good_pass);
+
+# Unblock foo
+ALTER USER u ACCOUNT UNLOCK;
+
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+error ER_ACCESS_DENIED_ERROR;
+connect(con1, localhost, u, bad_password);
+
+connect(con1, localhost, u, good_pass);
+disconnect con1;
+connection default;
+
 DROP USER u;
-FLUSH PRIVILEGES;
-set global max_password_errors=@old_max_password_errors;
+set global max_password_errors=@old_max_password_errors;

sql/share/errmsg-utf8.txt

@@ -9922,9 +9922,9 @@ ER_BACKUP_UNKNOWN_STAGE
         eng "Unknown backup stage: '%s'. Stage should be one of START, FLUSH, BLOCK_DDL, BLOCK_COMMIT or END"
         spa "Fase de respaldo desconocida: '%s'. La fase debería de ser una de START, FLUSH, BLOCK_DDL, BLOCK_COMMIT o END"
 ER_USER_IS_BLOCKED
-        chi "由于凭证错误太多，用户被阻止;用'FLUSH PRIVILEGES'解锁"
-        eng "User is blocked because of too many credential errors; unblock with 'FLUSH PRIVILEGES'"
-        spa "El usuario está bloqueado a causa de demasiados errores de credenciales; desbloquee mediante 'FLUSH PRIVILEGES'"
+        chi "由于凭证错误太多，用户被阻止;用'ALTER USER / FLUSH PRIVILEGES'解锁"
+        eng "User is blocked because of too many credential errors; unblock with 'ALTER USER / FLUSH PRIVILEGES'"
+        spa "El usuario está bloqueado a causa de demasiados errores de credenciales; desbloquee mediante 'ALTER USER / FLUSH PRIVILEGES'"
 ER_ACCOUNT_HAS_BEEN_LOCKED
         chi "访问拒绝，此帐户已锁定"
         eng "Access denied, this account is locked"

sql/sql_acl.cc

@@ -263,7 +263,7 @@ class ACL_USER :public ACL_USER_BASE,
     PASSWD_ERROR_INCREMENT
   };
 
-  inline void update_password_errors(PASSWD_ERROR_ACTION action)
+  void update_password_errors(PASSWD_ERROR_ACTION action)
   {
     switch (action)
     {
@@ -3560,6 +3560,9 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth,
     break;
   }
 
+  // Any alter user resets password_errors;
+  acl_user->update_password_errors(ACL_USER::PASSWD_ERROR_CLEAR);
+
   return 0;
 }