Don't allow authentication clauses for roles, in particular:

  GRANT ... IDENTIFIED BY [ PASSWORD ] ...
  GRANT ... IDENTIFIED VIA ... [ USING ... ]
  GRANT ... REQUIRE ...
  GRANT ... MAX_xxx ...
  SET PASSWORD FOR ... = ...

4 files changed, 84 insertions, 2 deletions

diff --git a/mysql-test/r/grant2.result b/mysql-test/r/grant2.result
index da24f454564..42bde270440 100644
--- a/mysql-test/r/grant2.result
+++ b/mysql-test/r/grant2.result
@@ -36,7 +36,7 @@ select @@sql_mode;
 @@sql_mode
 NO_AUTO_CREATE_USER
 grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
-ERROR 42000: Can't find any matching row in the user table
+ERROR 28000: Can't find any matching row in the user table
 grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
 with grant option;
 show grants for mysqltest_1@localhost;
diff --git a/mysql-test/r/plugin_auth_qa.result b/mysql-test/r/plugin_auth_qa.result
index 72d21994792..b86a01f6b52 100644
--- a/mysql-test/r/plugin_auth_qa.result
+++ b/mysql-test/r/plugin_auth_qa.result
@@ -303,7 +303,7 @@ grant_user	test_plugin_server	plug_dest
 CREATE USER plug_dest;
 DROP USER plug_dest;
 GRANT ALL PRIVILEGES ON test_user_db.* TO plug_dest;
-ERROR 42000: Can't find any matching row in the user table
+ERROR 28000: Can't find any matching row in the user table
 DROP USER grant_user;
 GRANT INSERT ON test_user_db.* TO grant_user IDENTIFIED WITH test_plugin_server AS 'plug_dest';
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
diff --git a/mysql-test/suite/roles/password.result b/mysql-test/suite/roles/password.result
new file mode 100644
index 00000000000..e41816bdef7
--- /dev/null
+++ b/mysql-test/suite/roles/password.result
@@ -0,0 +1,34 @@
+create role r1;
+grant select on *.* to r1 identified by 'foobar';
+ERROR 28000: Can't find any matching row in the user table
+grant select on *.* to r1 identified by '';
+ERROR 28000: Can't find any matching row in the user table
+grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000';
+ERROR 28000: Can't find any matching row in the user table
+grant select on *.* to r1 identified via plugin;
+ERROR 28000: Can't find any matching row in the user table
+grant select on mysql.user to r1 identified via plugin using 'param';
+ERROR 28000: Can't find any matching row in the user table
+grant select on *.* to r1 require subject 'foobar';
+ERROR 28000: Can't find any matching row in the user table
+grant select on mysql.user to r1 require issuer 'foobar';
+ERROR 28000: Can't find any matching row in the user table
+grant select on *.* to r1 require cipher 'foobar';
+ERROR 28000: Can't find any matching row in the user table
+grant select on mysql.user to r1 require ssl;
+ERROR 28000: Can't find any matching row in the user table
+grant select on *.* to r1 require x509;
+ERROR 28000: Can't find any matching row in the user table
+grant select on mysql.user to r1 require none;
+ERROR 28000: Can't find any matching row in the user table
+grant select on *.* to r1 with max_queries_per_hour 10;
+ERROR 28000: Can't find any matching row in the user table
+grant select on mysql.user to r1 with max_updates_per_hour 10;
+ERROR 28000: Can't find any matching row in the user table
+grant select on *.* to r1 with max_connections_per_hour 10;
+ERROR 28000: Can't find any matching row in the user table
+grant select on mysql.user to r1 with max_user_connections 10;
+ERROR 28000: Can't find any matching row in the user table
+set password for r1 = '00000000000000000000000000000000000000000';
+ERROR 28000: Can't find any matching row in the user table
+drop role r1;
diff --git a/mysql-test/suite/roles/password.test b/mysql-test/suite/roles/password.test
new file mode 100644
index 00000000000..6b5073fae43
--- /dev/null
+++ b/mysql-test/suite/roles/password.test
@@ -0,0 +1,48 @@
+#
+# setting authentication for roles
+#
+
+--source include/not_embedded.inc
+
+#identified by [password]...
+#identified with ... [using ...]
+#require [subject][issuer][cipher][ssl][x509]
+# max_queries_per_hour | max_updates_per_hour | max_connections_per_hour | max_user_connections
+#set password for ... = ...
+
+create role r1;
+
+--error ER_PASSWORD_NO_MATCH
+grant select on *.* to r1 identified by 'foobar';
+--error ER_PASSWORD_NO_MATCH
+grant select on *.* to r1 identified by '';
+--error ER_PASSWORD_NO_MATCH
+grant select on mysql.user to r1 identified by password '00000000000000000000000000000000000000000';
+--error ER_PASSWORD_NO_MATCH
+grant select on *.* to r1 identified via plugin;
+--error ER_PASSWORD_NO_MATCH
+grant select on mysql.user to r1 identified via plugin using 'param';
+--error ER_PASSWORD_NO_MATCH
+grant select on *.* to r1 require subject 'foobar';
+--error ER_PASSWORD_NO_MATCH
+grant select on mysql.user to r1 require issuer 'foobar';
+--error ER_PASSWORD_NO_MATCH
+grant select on *.* to r1 require cipher 'foobar';
+--error ER_PASSWORD_NO_MATCH
+grant select on mysql.user to r1 require ssl;
+--error ER_PASSWORD_NO_MATCH
+grant select on *.* to r1 require x509;
+--error ER_PASSWORD_NO_MATCH
+grant select on mysql.user to r1 require none;
+--error ER_PASSWORD_NO_MATCH
+grant select on *.* to r1 with max_queries_per_hour 10;
+--error ER_PASSWORD_NO_MATCH
+grant select on mysql.user to r1 with max_updates_per_hour 10;
+--error ER_PASSWORD_NO_MATCH
+grant select on *.* to r1 with max_connections_per_hour 10;
+--error ER_PASSWORD_NO_MATCH
+grant select on mysql.user to r1 with max_user_connections 10;
+--error ER_PASSWORD_NO_MATCH
+set password for r1 = '00000000000000000000000000000000000000000';
+
+drop role r1;