From ad0a508fbe2c5f8b3c51fe473dd0f2da56c59029 Mon Sep 17 00:00:00 2001 From: Dirkjan Bussink Date: Tue, 16 Apr 2024 08:00:47 +0200 Subject: [PATCH] Cleanup usage of FLUSH PRIVILEGES (#15700) Signed-off-by: Dirkjan Bussink --- config/init_db.sql | 16 +++------------- examples/compose/config/init_db.sql | 8 +++----- examples/compose/external_db/mysql/grant.sh | 4 ++-- examples/compose/vttablet-up.sh | 2 +- examples/operator/101_initial_cluster.yaml | 9 ++------- go/test/endtoend/cluster/cluster_util.go | 1 - .../testdata/config/init_testserver_db.sql | 9 ++------- go/vt/vttablet/tabletmanager/tm_init_test.go | 2 -- vitess-mixin/e2e/config/init_db.sql | 8 +++----- vitess-mixin/e2e/external_db/mysql/grant.sh | 4 ++-- vitess-mixin/e2e/vttablet-up.sh | 2 +- 11 files changed, 19 insertions(+), 46 deletions(-) diff --git a/config/init_db.sql b/config/init_db.sql index d04960633de..392053baade 100644 --- a/config/init_db.sql +++ b/config/init_db.sql @@ -1,12 +1,5 @@ # This file is executed immediately after initializing a fresh data directory. -############################################################################### -# WARNING: This sql is *NOT* safe for production use, -# as it contains default well-known users and passwords. -# Care should be taken to change these users and passwords -# for production. -############################################################################### - ############################################################################### # Equivalent of mysql_secure_installation ############################################################################### 
@@ -14,17 +7,16 @@ # these commands. Note that disabling it does NOT disable read_only. # We save the current value so that we only re-enable it at the end if it was # enabled before. + SET @original_super_read_only=IF(@@global.super_read_only=1, 'ON', 'OFF'); SET GLOBAL super_read_only='OFF'; # Changes during the init db should not make it to the binlog. # They could potentially create errant transactions on replicas. SET sql_log_bin = 0; -# Remove anonymous users. -DELETE FROM mysql.user WHERE User = ''; -# Disable remote root access (only allow UNIX socket). -DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost'; +# Remove anonymous users & disable remote root access (only allow UNIX socket). +DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%'; # Remove test database. DROP DATABASE IF EXISTS test; @@ -78,8 +70,6 @@ GRANT SELECT, PROCESS, SUPER, REPLICATION CLIENT, RELOAD GRANT SELECT, UPDATE, DELETE, DROP ON performance_schema.* TO 'vt_monitoring'@'localhost'; -FLUSH PRIVILEGES; - RESET SLAVE ALL; RESET MASTER; diff --git a/examples/compose/config/init_db.sql b/examples/compose/config/init_db.sql index 8239d5ed5ec..1de631d2adb 100644 --- a/examples/compose/config/init_db.sql +++ b/examples/compose/config/init_db.sql @@ -12,10 +12,8 @@ SET GLOBAL super_read_only='OFF'; # Changes during the init db should not make it to the binlog. # They could potentially create errant transactions on replicas. SET sql_log_bin = 0; -# Remove anonymous users. -DELETE FROM mysql.user WHERE User = ''; -# Disable remote root access (only allow UNIX socket). -DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost'; +# Remove anonymous users & disable remote root access (only allow UNIX socket). +DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%'; # Remove test database. DROP DATABASE IF EXISTS test; ############################################################################### 
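Review bot: The new `DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%';` in config/init_db.sql removes fewer accounts than the two DELETEs it replaces: the old predicates matched every anonymous account regardless of host and every root account whose host was not `localhost`, while the new statement names exactly three user@host pairs. On a data directory initialized by a tool that also creates `'root'@'127.0.0.1'`, `'root'@'::1'` or an anonymous `''@'<hostname>'` (historically mysql_install_db, and MariaDB), those accounts now survive the "equivalent of mysql_secure_installation" step; with MySQL 8 `mysqld --initialize`, which creates only root@localhost, the gap is moot. At minimum the loopback entries should be listed, `DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%', 'root'@'127.0.0.1', 'root'@'::1';`; hostname-bound entries can only be caught by building the DROP USER list from `mysql.user` via a prepared statement, or by a post-init check that `SELECT User, Host FROM mysql.user WHERE User = '' OR (User = 'root' AND Host != 'localhost')` returns no rows. The identical statement appears in the examples/compose copy in this same hunk group and in the operator, vreplication-test and vitess-mixin copies, so whichever form is chosen should be applied to all of them.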
@@ -70,7 +68,7 @@ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, FILE, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'vt_filtered'@'localhost'; -FLUSH PRIVILEGES; + RESET SLAVE ALL; RESET MASTER; diff --git a/examples/compose/external_db/mysql/grant.sh b/examples/compose/external_db/mysql/grant.sh index 897c1b5dcf2..9371377d074 100755 --- a/examples/compose/external_db/mysql/grant.sh +++ b/examples/compose/external_db/mysql/grant.sh @@ -3,5 +3,5 @@ echo '**********GRANTING PRIVILEGES START*******************' echo ${mysql[@]} # PURGE BINARY LOGS BEFORE DATE(NOW()); mysql --protocol=socket -uroot -hlocalhost --socket=/var/run/mysqld/mysqld.sock -p$MYSQL_ROOT_PASSWORD -e \ -"GRANT ALL PRIVILEGES ON *.* TO '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD'; FLUSH PRIVILEGES;" -echo '*************GRANTING PRIVILEGES END****************' \ No newline at end of file +"GRANT ALL PRIVILEGES ON *.* TO '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD'" +echo '*************GRANTING PRIVILEGES END****************' diff --git a/examples/compose/vttablet-up.sh b/examples/compose/vttablet-up.sh index a131e555dfa..8d02a7a528e 100755 --- a/examples/compose/vttablet-up.sh +++ b/examples/compose/vttablet-up.sh @@ -68,7 +68,7 @@ if [ "$external" = "1" ]; then # We need a common user for the unmanaged and managed tablets else tools like orchestrator will not function correctly echo "Creating matching user for managed tablets..." echo "CREATE USER IF NOT EXISTS '$DB_USER'@'%' IDENTIFIED BY '$DB_PASS';" >> $init_db_sql_file - echo "GRANT ALL ON *.* TO '$DB_USER'@'%';FLUSH PRIVILEGES;" >> $init_db_sql_file + echo "GRANT ALL ON *.* TO '$DB_USER'@'%';" >> $init_db_sql_file fi echo "##[CUSTOM_SQL_END]##" >> $init_db_sql_file diff --git a/examples/operator/101_initial_cluster.yaml b/examples/operator/101_initial_cluster.yaml index 2b956344659..8550b71d1ae 100644 
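Review bot: The rewritten statement in examples/compose/external_db/mysql/grant.sh still uses `GRANT ... IDENTIFIED BY`, a form MySQL deprecated in 5.7 and removed in 8.0, where the statement fails to parse and no privileges are granted at all; since the line is being touched anyway, split it into `CREATE USER IF NOT EXISTS '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD'; GRANT ALL PRIVILEGES ON *.* TO '$MYSQL_USER'@'%';`. Note also that `$MYSQL_USER` and `$MYSQL_PASSWORD` are interpolated straight into the SQL text inside single quotes, so a value containing `'` or `\` breaks out of the literal (presumably these come from the compose environment, so this is a robustness rather than an injection concern). The root password on the unchanged `-p$MYSQL_ROOT_PASSWORD` argument can be exposed to other local users via `ps` on some systems; `MYSQL_PWD` or `--defaults-extra-file` avoids that. The same line is duplicated in vitess-mixin/e2e/external_db/mysql/grant.sh.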
--- a/examples/operator/101_initial_cluster.yaml +++ b/examples/operator/101_initial_cluster.yaml @@ -145,11 +145,8 @@ stringData: # Changes during the init db should not make it to the binlog. # They could potentially create errant transactions on replicas. SET sql_log_bin = 0; - # Remove anonymous users. - DELETE FROM mysql.user WHERE User = ''; - - # Disable remote root access (only allow UNIX socket). - DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost'; + # Remove anonymous users & disable remote root access (only allow UNIX socket). + DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%'; # Remove test database. DROP DATABASE IF EXISTS test; @@ -215,8 +212,6 @@ stringData: SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'vt_filtered'@'localhost'; - FLUSH PRIVILEGES; - RESET SLAVE ALL; RESET MASTER; diff --git a/go/test/endtoend/cluster/cluster_util.go b/go/test/endtoend/cluster/cluster_util.go index 5d7869a421e..061e632dde7 100644 --- a/go/test/endtoend/cluster/cluster_util.go +++ b/go/test/endtoend/cluster/cluster_util.go @@ -351,7 +351,6 @@ func GetPasswordUpdateSQL(localCluster *LocalProcessCluster) string { SET PASSWORD FOR 'vt_repl'@'%' = 'VtReplPass'; SET PASSWORD FOR 'vt_filtered'@'localhost' = 'VtFilteredPass'; SET PASSWORD FOR 'vt_appdebug'@'localhost' = 'VtDebugPass'; - FLUSH PRIVILEGES; ` return pwdChangeCmd } diff --git a/go/test/endtoend/vreplication/testdata/config/init_testserver_db.sql b/go/test/endtoend/vreplication/testdata/config/init_testserver_db.sql index 03df754ea21..2be570ca152 100644 --- a/go/test/endtoend/vreplication/testdata/config/init_testserver_db.sql +++ b/go/test/endtoend/vreplication/testdata/config/init_testserver_db.sql 
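Review bot: The `DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%';` written into the operator's init_db secret names three fixed accounts, whereas the DELETEs it replaces matched every anonymous account and every non-localhost root account by predicate. Accounts such as `'root'@'127.0.0.1'`, `'root'@'::1'` or `''@'<hostname>'`, if the initializer created them, are no longer removed. Consider at least `DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%', 'root'@'127.0.0.1', 'root'@'::1';`, applied consistently to all copies of this statement in the patch.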
@@ -24,11 +24,8 @@ SET GLOBAL read_only='OFF'; # Changes during the init db should not make it to the binlog. # They could potentially create errant transactions on replicas. SET sql_log_bin = 0; -# Remove anonymous users. -DELETE FROM mysql.user WHERE User = ''; - -# Disable remote root access (only allow UNIX socket). -DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost'; +# Remove anonymous users & disable remote root access (only allow UNIX socket). +DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%'; # Remove test database. DROP DATABASE IF EXISTS test; @@ -82,8 +79,6 @@ GRANT SELECT, PROCESS, SUPER, REPLICATION CLIENT, RELOAD GRANT SELECT, UPDATE, DELETE, DROP ON performance_schema.* TO 'vt_monitoring'@'localhost'; -FLUSH PRIVILEGES; - RESET SLAVE ALL; RESET MASTER; diff --git a/go/vt/vttablet/tabletmanager/tm_init_test.go b/go/vt/vttablet/tabletmanager/tm_init_test.go index 0e3256a1aac..1ba77638780 100644 --- a/go/vt/vttablet/tabletmanager/tm_init_test.go +++ b/go/vt/vttablet/tabletmanager/tm_init_test.go @@ -926,7 +926,5 @@ func grantAllPrivilegesToUser(t *testing.T, connParams mysql.ConnParams, testUse require.NoError(t, err) _, err = conn.ExecuteFetch(fmt.Sprintf(`GRANT GRANT OPTION ON *.* TO '%v'@'localhost'`, testUser), 1000, false) require.NoError(t, err) - _, err = conn.ExecuteFetch("FLUSH PRIVILEGES", 1000, false) - require.NoError(t, err) conn.Close() } diff --git a/vitess-mixin/e2e/config/init_db.sql b/vitess-mixin/e2e/config/init_db.sql index 12e5601d8cc..6059bbf7ca6 100644 --- a/vitess-mixin/e2e/config/init_db.sql +++ b/vitess-mixin/e2e/config/init_db.sql 
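Review bot: The `DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%';` in init_testserver_db.sql enumerates three accounts, while the DELETEs it replaces removed every anonymous account and every root account not bound to `localhost`. Any `'root'@'127.0.0.1'`, `'root'@'::1'` or `''@'<hostname>'` account left by the initializer would now survive. Adding the loopback hosts, `DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%', 'root'@'127.0.0.1', 'root'@'::1';`, closes most of the gap; a hostname-bound entry still needs a list built from `mysql.user`.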
@@ -12,10 +12,8 @@ SET GLOBAL super_read_only='OFF'; # Changes during the init db should not make it to the binlog. # They could potentially create errant transactions on replicas. SET sql_log_bin = 0; -# Remove anonymous users. -DELETE FROM mysql.user WHERE User = ''; -# Disable remote root access (only allow UNIX socket). -DELETE FROM mysql.user WHERE User = 'root' AND Host != 'localhost'; +# Remove anonymous users & disable remote root access (only allow UNIX socket). +DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%'; # Remove test database. DROP DATABASE IF EXISTS test; ############################################################################### @@ -71,7 +69,7 @@ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, FILE, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER ON *.* TO 'vt_filtered'@'localhost'; -FLUSH PRIVILEGES; + RESET SLAVE ALL; RESET MASTER; # custom sql is used to add custom scripts like creating users/passwords. We use it in our tests diff --git a/vitess-mixin/e2e/external_db/mysql/grant.sh b/vitess-mixin/e2e/external_db/mysql/grant.sh index 897c1b5dcf2..9371377d074 100755 --- a/vitess-mixin/e2e/external_db/mysql/grant.sh +++ b/vitess-mixin/e2e/external_db/mysql/grant.sh @@ -3,5 +3,5 @@ echo '**********GRANTING PRIVILEGES START*******************' echo ${mysql[@]} # PURGE BINARY LOGS BEFORE DATE(NOW()); mysql --protocol=socket -uroot -hlocalhost --socket=/var/run/mysqld/mysqld.sock -p$MYSQL_ROOT_PASSWORD -e \ -"GRANT ALL PRIVILEGES ON *.* TO '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD'; FLUSH PRIVILEGES;" -echo '*************GRANTING PRIVILEGES END****************' \ No newline at end of file +"GRANT ALL PRIVILEGES ON *.* TO '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD'" +echo '*************GRANTING PRIVILEGES END****************' 
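Review bot: The `DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%';` in vitess-mixin/e2e/config/init_db.sql names three accounts, whereas the DELETEs it replaces matched every anonymous account and every non-localhost root account by predicate. `'root'@'127.0.0.1'`, `'root'@'::1'` or `''@'<hostname>'` accounts, if present after initialization, are no longer removed. At minimum use `DROP USER IF EXISTS ''@'%', ''@'localhost', 'root'@'%', 'root'@'127.0.0.1', 'root'@'::1';`, kept identical across all copies of this file.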
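Review bot: The rewritten line in vitess-mixin/e2e/external_db/mysql/grant.sh keeps `GRANT ... IDENTIFIED BY`, which MySQL removed in 8.0, so on that server version the statement is a parse error and no privileges are granted. Replace it with `CREATE USER IF NOT EXISTS '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD'; GRANT ALL PRIVILEGES ON *.* TO '$MYSQL_USER'@'%';`. The shell variables are still spliced into the SQL text unescaped, so a password containing `'` breaks the statement; this file is byte-identical to the examples/compose copy and should be fixed the same way.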
diff --git a/vitess-mixin/e2e/vttablet-up.sh b/vitess-mixin/e2e/vttablet-up.sh index 89709cf750f..0bc9d7a629d 100755 --- a/vitess-mixin/e2e/vttablet-up.sh +++ b/vitess-mixin/e2e/vttablet-up.sh @@ -68,7 +68,7 @@ if [ "$external" = "1" ]; then # We need a common user for the unmanaged and managed tablets else tools like orchestrator will not function correctly echo "Creating matching user for managed tablets..." echo "CREATE USER IF NOT EXISTS '$DB_USER'@'%' IDENTIFIED BY '$DB_PASS';" >> $init_db_sql_file - echo "GRANT ALL ON *.* TO '$DB_USER'@'%';FLUSH PRIVILEGES;" >> $init_db_sql_file + echo "GRANT ALL ON *.* TO '$DB_USER'@'%';" >> $init_db_sql_file fi echo "##[CUSTOM_SQL_END]##" >> $init_db_sql_file