Remove the very old historical but never documented behavior,

than an empty host '' is the same as any-host wildcard '%'. Replace '' with '%' in the parser (for GRANT ... foo@'') and when loading grant tables. Side effect: one cannot have foo@'' and foo@'%' both at the same time (but one can have foo@'%' and foo@'%%')

Remove the very old historical but never documented behavior,
than an empty host '' is the same as any-host wildcard '%'. Replace '' with '%' in the parser (for GRANT ... foo@'') and when loading grant tables. Side effect: one cannot have foo@'' and foo@'%' both at the same time (but one can have foo@'%' and foo@'%%')
4cc8cda3 · Sergei Golubchik · cefe5d96 · 4cc8cda3 · 4cc8cda3 · 4cc8cda3
Commit 4cc8cda3 authored Oct 18, 2013 by Sergei Golubchik
26 changed files
--- a/mysql-test/r/acl_roles_create_and_grant_role.result
+++ b/mysql-test/r/acl_roles_create_and_grant_role.result
@@ -15,7 +15,7 @@ show grants;
 Grants for root@localhost
 GRANT r1 TO 'root'@'localhost'
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 GRANT USAGE ON *.* TO 'r1'
 drop role r1;
 select * from mysql.roles_mapping;
@@ -23,4 +23,4 @@ HostFk	UserFk	RoleFk
 show grants;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
--- a/mysql-test/r/acl_roles_set_role-multiple-role.result
+++ b/mysql-test/r/acl_roles_set_role-multiple-role.result
@@ -16,25 +16,25 @@ update mysql.user set Reload_priv='Y' where user like 'r_rld';
 update mysql.user set is_role='Y' where user like 'r\_%';
 select * from mysql.user where user='r_sel';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	r_sel		Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	r_sel		Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 select * from mysql.user where user='r_ins';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	r_ins		N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	r_ins		N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 select * from mysql.user where user='r_upd';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	r_upd		N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	r_upd		N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 select * from mysql.user where user='r_del';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	r_del		N	N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	r_del		N	N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 select * from mysql.user where user='r_crt';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	r_crt		N	N	N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	r_crt		N	N	N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 select * from mysql.user where user='r_drp';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	r_drp		N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	r_drp		N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 select * from mysql.user where user='r_rld';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	r_rld		N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	r_rld		N	N	N	N	N	N	Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
 'test_user',
 'r_sel');

--- a/mysql-test/r/acl_roles_set_role-recursive.result
+++ b/mysql-test/r/acl_roles_set_role-recursive.result
@@ -12,8 +12,8 @@ insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('',
 flush privileges;
 select user, host from mysql.user where user not like 'root';
 user	host
-test_role1	
+test_role1	%
-test_role2	
+test_role2	%
 test_user	localhost
 select * from mysql.roles_mapping where UserFk like 'test_user';
 HostFk	UserFk	RoleFk
@@ -24,10 +24,11 @@ HostFk	UserFk	RoleFk
 grant select on *.* to 'test_role2'@'';
 select * from mysql.user where user like 'test_role1';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	test_role1		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	test_role1		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 select * from mysql.user where user like 'test_role2';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
 	test_role2		Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	test_role2		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 flush privileges;
 select * from mysql.roles_mapping;
 ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'

--- a/mysql-test/r/acl_roles_set_role-simple.result
+++ b/mysql-test/r/acl_roles_set_role-simple.result
@@ -6,7 +6,7 @@ insert into mysql.roles_mapping (HostFk, UserFk, RoleFk) values ('localhost',
 'test_role1');
 select user, host from mysql.user where user not like 'root';
 user	host
-test_role1	
+test_role1	%
 test_user	localhost
 select * from mysql.roles_mapping;
 HostFk	UserFk	RoleFk
@@ -14,7 +14,7 @@ localhost	test_user	test_role1
 grant select on *.* to 'test_role1'@'';
 select * from mysql.user where user='test_role1';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	is_role
-	test_role1		Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
+%	test_role1		Y	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					0	0	0	0			Y
 flush privileges;
 select * from mysql.roles_mapping;
 ERROR 42000: SELECT command denied to user 'test_user'@'localhost' for table 'roles_mapping'

--- a/mysql-test/r/events_bugs.result
+++ b/mysql-test/r/events_bugs.result
@@ -569,7 +569,7 @@ USE test;
 SHOW GRANTS FOR CURRENT_USER;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 SET GLOBAL event_scheduler = ON;
 CREATE TABLE events_test.event_log
 (id int KEY AUTO_INCREMENT, ev_nm char(40), ev_cnt int, ev_tm timestamp)

--- a/mysql-test/r/grant.result
+++ b/mysql-test/r/grant.result
--- a/mysql-test/r/grant_cache_no_prot.result
+++ b/mysql-test/r/grant_cache_no_prot.result
@@ -7,11 +7,11 @@ flush status;
 show grants for current_user;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 show grants;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 create database if not exists mysqltest;
 create table mysqltest.t1 (a int,b int,c int);
 create table mysqltest.t2 (a int,b int,c int);

--- a/mysql-test/r/grant_cache_ps_prot.result
+++ b/mysql-test/r/grant_cache_ps_prot.result
@@ -7,11 +7,11 @@ flush status;
 show grants for current_user;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 show grants;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 create database if not exists mysqltest;
 create table mysqltest.t1 (a int,b int,c int);
 create table mysqltest.t2 (a int,b int,c int);

--- a/mysql-test/r/plugin_auth.result
+++ b/mysql-test/r/plugin_auth.result
@@ -116,7 +116,7 @@ ERROR 42000: There is no such grant defined for user 'grant_plug' on host '%'
 in grant_plug_dest_con
 ## testing what an ordinary user can grant 
 this should fail : no rights to grant all
-GRANT PROXY ON ''@'' TO grant_plug;
+GRANT PROXY ON ''@'%%' TO grant_plug;
 ERROR 28000: Access denied for user 'grant_plug_dest'@'localhost'
 this should fail : not the same user
 GRANT PROXY ON grant_plug TO grant_plug_dest;
@@ -139,15 +139,15 @@ ERROR 42000: You are not allowed to create a user with GRANT
 in default connection
 # test what root can grant
 should work : root has PROXY to all users
-GRANT PROXY ON ''@'' TO grant_plug;
+GRANT PROXY ON ''@'%%' TO grant_plug;
-REVOKE PROXY ON ''@'' FROM grant_plug;
+REVOKE PROXY ON ''@'%%' FROM grant_plug;
 should work : root has PROXY to all users
-GRANT PROXY ON ''@'' TO proxy_admin IDENTIFIED BY 'test' 
+GRANT PROXY ON ''@'%%' TO proxy_admin IDENTIFIED BY 'test' 
 WITH GRANT OPTION;
 need USAGE : PROXY doesn't contain it.
 GRANT USAGE on *.* TO proxy_admin;
 in proxy_admin_con;
-should work : proxy_admin has proxy to ''@''
+should work : proxy_admin has proxy to ''@'%%'
 GRANT PROXY ON future_user TO grant_plug;
 in default connection
 SHOW GRANTS FOR grant_plug;
@@ -234,25 +234,25 @@ DROP USER plug_dest;
 #  Bug #56798 : Wrong credentials assigned when using a proxy user.
 #
 GRANT ALL PRIVILEGES ON *.* TO power_user;
-GRANT USAGE ON anonymous_db.* TO ''@''
+GRANT USAGE ON anonymous_db.* TO ''@'%%'
  IDENTIFIED WITH 'test_plugin_server' AS 'power_user';
-GRANT PROXY ON power_user TO ''@'';
+GRANT PROXY ON power_user TO ''@'%%';
 CREATE DATABASE confidential_db;
 SELECT user(),current_user(),@@proxy_user;
 user()	current_user()	@@proxy_user
-test_login_user@localhost	power_user@%	''@''
+test_login_user@localhost	power_user@%	''@'%%'
 DROP USER power_user;
-DROP USER ''@'';
+DROP USER ''@'%%';
 DROP DATABASE confidential_db;
 # Test case #2 (crash with double grant proxy)
-CREATE USER ''@'' IDENTIFIED WITH 'test_plugin_server' AS 'standard_user';
+CREATE USER ''@'%%' IDENTIFIED WITH 'test_plugin_server' AS 'standard_user';
 CREATE USER standard_user;
 CREATE DATABASE shared;
 GRANT ALL PRIVILEGES ON shared.* TO standard_user;
-GRANT PROXY ON standard_user TO ''@'';
+GRANT PROXY ON standard_user TO ''@'%%';
 #should not crash
-GRANT PROXY ON standard_user TO ''@'';
+GRANT PROXY ON standard_user TO ''@'%%';
-DROP USER ''@'';
+DROP USER ''@'%%';
 DROP USER standard_user;
 DROP DATABASE shared;
 #

--- a/mysql-test/r/plugin_auth_qa_1.result
+++ b/mysql-test/r/plugin_auth_qa_1.result
@@ -186,7 +186,7 @@ connection default;
 disconnect plug_user;
 DROP USER new_user,new_dest,plug_dest;
 ========== test 2, 2.1, 2.2 ================================
-CREATE USER ''@'' IDENTIFIED WITH test_plugin_server AS 'proxied_user';
+CREATE USER ''@'%%' IDENTIFIED WITH test_plugin_server AS 'proxied_user';
 CREATE USER proxied_user IDENTIFIED BY 'proxied_user_passwd';
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
 user	plugin	authentication_string
@@ -204,7 +204,7 @@ connection default;
 disconnect proxy_con;
 connect(proxy_con,localhost,proxy_user,proxied_user);
 ERROR 28000: Access denied for user 'proxy_user'@'localhost' (using password: YES)
-GRANT PROXY ON proxied_user TO ''@'';
+GRANT PROXY ON proxied_user TO ''@'%%';
 connect(proxy_con,localhost,proxied_user,proxied_user_passwd);
 SELECT USER(),CURRENT_USER();
 USER()	CURRENT_USER()
@@ -218,11 +218,11 @@ proxy_user@localhost	proxied_user@%
 ========== test 2.2.1 ======================================
 SELECT @@proxy_user;
 @@proxy_user
-''@''
+''@'%%'
 connection default;
 disconnect proxy_con;
-DROP USER ''@'',proxied_user;
+DROP USER ''@'%%',proxied_user;
-GRANT ALL PRIVILEGES ON test_user_db.* TO ''@'' 
+GRANT ALL PRIVILEGES ON test_user_db.* TO ''@'%%' 
 IDENTIFIED WITH test_plugin_server AS 'proxied_user';
 CREATE USER proxied_user IDENTIFIED BY 'proxied_user_passwd';
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
@@ -240,7 +240,7 @@ connection default;
 disconnect proxy_con;
 connect(proxy_con,localhost,proxy_user,proxied_user);
 ERROR 28000: Access denied for user 'proxy_user'@'localhost' (using password: YES)
-GRANT PROXY ON proxied_user TO ''@'';
+GRANT PROXY ON proxied_user TO ''@'%%';
 connect(proxy_con,localhost,proxied_user,proxied_user_passwd);
 SELECT USER(),CURRENT_USER();
 USER()	CURRENT_USER()
@@ -253,21 +253,21 @@ USER()	CURRENT_USER()
 proxy_user@localhost	proxied_user@%
 SELECT @@proxy_user;
 @@proxy_user
-''@''
+''@'%%'
 connection default;
 disconnect proxy_con;
-DROP USER ''@'',proxied_user;
+DROP USER ''@'%%',proxied_user;
-CREATE USER ''@'' IDENTIFIED WITH test_plugin_server AS 'proxied_user';
+CREATE USER ''@'%%' IDENTIFIED WITH test_plugin_server AS 'proxied_user';
 CREATE USER proxied_user_1 IDENTIFIED BY 'proxied_user_1_pwd';
 CREATE USER proxied_user_2 IDENTIFIED BY 'proxied_user_2_pwd';
 CREATE USER proxied_user_3 IDENTIFIED BY 'proxied_user_3_pwd';
 CREATE USER proxied_user_4 IDENTIFIED BY 'proxied_user_4_pwd';
 CREATE USER proxied_user_5 IDENTIFIED BY 'proxied_user_5_pwd';
-GRANT PROXY ON proxied_user_1 TO ''@'';
+GRANT PROXY ON proxied_user_1 TO ''@'%%';
-GRANT PROXY ON proxied_user_2 TO ''@'';
+GRANT PROXY ON proxied_user_2 TO ''@'%%';
-GRANT PROXY ON proxied_user_3 TO ''@'';
+GRANT PROXY ON proxied_user_3 TO ''@'%%';
-GRANT PROXY ON proxied_user_4 TO ''@'';
+GRANT PROXY ON proxied_user_4 TO ''@'%%';
-GRANT PROXY ON proxied_user_5 TO ''@'';
+GRANT PROXY ON proxied_user_5 TO ''@'%%';
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
 user	plugin	authentication_string
 	test_plugin_server	proxied_user
@@ -322,7 +322,7 @@ disconnect proxy_con_2;
 disconnect proxy_con_3;
 disconnect proxy_con_4;
 disconnect proxy_con_5;
-DROP USER ''@'',proxied_user_1,proxied_user_2,proxied_user_3,proxied_user_4,proxied_user_5;
+DROP USER ''@'%%',proxied_user_1,proxied_user_2,proxied_user_3,proxied_user_4,proxied_user_5;
 ========== test 3 ==========================================
 GRANT ALL PRIVILEGES ON *.* TO plug_user
 IDENTIFIED WITH test_plugin_server AS 'plug_dest';

--- a/mysql-test/r/skip_grants.result
+++ b/mysql-test/r/skip_grants.result
@@ -36,14 +36,14 @@ CREATE DEFINER=a@'' FUNCTION f3() RETURNS INT
 RETURN 3;
 SHOW CREATE VIEW v3;
 View	Create View	character_set_client	collation_connection
-v3	CREATE ALGORITHM=UNDEFINED DEFINER=`a`@`` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`c` AS `c` from `t1`	latin1	latin1_swedish_ci
+v3	CREATE ALGORITHM=UNDEFINED DEFINER=`a`@`%` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`c` AS `c` from `t1`	latin1	latin1_swedish_ci
 SHOW CREATE PROCEDURE p3;
 Procedure	sql_mode	Create Procedure	character_set_client	collation_connection	Database Collation
-p3		CREATE DEFINER=`a`@`` PROCEDURE `p3`()
+p3		CREATE DEFINER=`a`@`%` PROCEDURE `p3`()
 SELECT 3	latin1	latin1_swedish_ci	latin1_swedish_ci
 SHOW CREATE FUNCTION f3;
 Function	sql_mode	Create Function	character_set_client	collation_connection	Database Collation
-f3		CREATE DEFINER=`a`@`` FUNCTION `f3`() RETURNS int(11)
+f3		CREATE DEFINER=`a`@`%` FUNCTION `f3`() RETURNS int(11)
 RETURN 3	latin1	latin1_swedish_ci	latin1_swedish_ci
 DROP TRIGGER t1_bi;
 DROP TRIGGER ti_ai;

--- a/mysql-test/r/sp_notembedded.result
+++ b/mysql-test/r/sp_notembedded.result
@@ -9,11 +9,11 @@ end|
 call bug4902()|
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 call bug4902()|
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 drop procedure bug4902|
 drop procedure if exists bug4902_2|
 create procedure bug4902_2()
@@ -156,11 +156,11 @@ create procedure 15298_2 () sql security definer show grants;
 call 15298_1();
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 call 15298_2();
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 drop user mysqltest_1@localhost;
 drop procedure 15298_1;
 drop procedure 15298_2;

--- a/mysql-test/r/view_grant.result
+++ b/mysql-test/r/view_grant.result
@@ -531,13 +531,13 @@ drop user mysqltest_1@localhost;
 drop database mysqltest;
 create definer=some_user@`` sql security invoker view v1 as select 1;
 Warnings:
-Note	1449	The user specified as a definer ('some_user'@'') does not exist
+Note	1449	The user specified as a definer ('some_user'@'%') does not exist
 create definer=some_user@localhost sql security invoker view v2 as select 1;
 Warnings:
 Note	1449	The user specified as a definer ('some_user'@'localhost') does not exist
 show create view v1;
 View	Create View	character_set_client	collation_connection
-v1	CREATE ALGORITHM=UNDEFINED DEFINER=`some_user`@`` SQL SECURITY INVOKER VIEW `v1` AS select 1 AS `1`	latin1	latin1_swedish_ci
+v1	CREATE ALGORITHM=UNDEFINED DEFINER=`some_user`@`%` SQL SECURITY INVOKER VIEW `v1` AS select 1 AS `1`	latin1	latin1_swedish_ci
 show create view v2;
 View	Create View	character_set_client	collation_connection
 v2	CREATE ALGORITHM=UNDEFINED DEFINER=`some_user`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select 1 AS `1`	latin1	latin1_swedish_ci

--- a/mysql-test/suite/funcs_1/r/innodb_trig_03e.result
+++ b/mysql-test/suite/funcs_1/r/innodb_trig_03e.result
@@ -573,7 +573,7 @@ root@localhost
 show grants;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 drop trigger trg1_1;
 use priv_db;

--- a/mysql-test/suite/funcs_1/r/memory_trig_03e.result
+++ b/mysql-test/suite/funcs_1/r/memory_trig_03e.result
@@ -574,7 +574,7 @@ root@localhost
 show grants;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 drop trigger trg1_1;
 use priv_db;

--- a/mysql-test/suite/funcs_1/r/myisam_trig_03e.result
+++ b/mysql-test/suite/funcs_1/r/myisam_trig_03e.result
@@ -574,7 +574,7 @@ root@localhost
 show grants;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 drop trigger trg1_1;
 use priv_db;

--- a/mysql-test/suite/funcs_1/r/processlist_priv_no_prot.result
+++ b/mysql-test/suite/funcs_1/r/processlist_priv_no_prot.result
@@ -70,7 +70,7 @@ ERROR 42000: Access denied for user 'root'@'localhost' to database 'information_
 SHOW GRANTS;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 CREATE INDEX i_processlist ON processlist (user);
 ERROR 42000: Access denied for user 'root'@'localhost' to database 'information_schema'
 DROP TABLE processlist;

--- a/mysql-test/suite/funcs_1/r/processlist_priv_ps.result
+++ b/mysql-test/suite/funcs_1/r/processlist_priv_ps.result
@@ -70,7 +70,7 @@ ERROR 42000: Access denied for user 'root'@'localhost' to database 'information_
 SHOW GRANTS;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 CREATE INDEX i_processlist ON processlist (user);
 ERROR 42000: Access denied for user 'root'@'localhost' to database 'information_schema'
 DROP TABLE processlist;

--- a/mysql-test/suite/perfschema/r/column_privilege.result
+++ b/mysql-test/suite/perfschema/r/column_privilege.result
 show grants;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 grant usage on *.* to 'pfs_user_5'@localhost with GRANT OPTION;
 grant SELECT(thread_id, event_id) on performance_schema.events_waits_current
 to 'pfs_user_5'@localhost;

--- a/mysql-test/suite/perfschema/r/privilege.result
+++ b/mysql-test/suite/perfschema/r/privilege.result
 show grants;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 grant ALL on *.* to 'pfs_user_1'@localhost with GRANT OPTION;
 grant ALL on performance_schema.* to 'pfs_user_2'@localhost
 with GRANT OPTION;

--- a/mysql-test/suite/rpl/r/rpl_do_grant.result
+++ b/mysql-test/suite/rpl/r/rpl_do_grant.result
@@ -190,7 +190,7 @@ GRANT EXECUTE ON PROCEDURE `test`.`p1` TO 'user49119'@'localhost'
 SHOW GRANTS FOR CURRENT_USER;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 ##############################################################
 ##############################################################
 ### Showing grants for both users: root and user49119 (master)
@@ -201,7 +201,7 @@ GRANT EXECUTE ON PROCEDURE `test`.`p1` TO 'user49119'@'localhost'
 SHOW GRANTS FOR CURRENT_USER;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 ##############################################################
 ## This statement will make the revoke fail because root has no
 ## execute grant. However, it will still revoke the grant for
@@ -217,7 +217,7 @@ GRANT USAGE ON *.* TO 'user49119'@'localhost'
 SHOW GRANTS FOR CURRENT_USER;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 ##############################################################
 #############################################################
 ### Showing grants for both users: root and user49119 (slave)
@@ -228,7 +228,7 @@ GRANT USAGE ON *.* TO 'user49119'@'localhost'
 SHOW GRANTS FOR CURRENT_USER;
 Grants for root@localhost
 GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
-GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION
+GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION
 ##############################################################
 DROP TABLE t1;
 DROP PROCEDURE p1;

--- a/mysql-test/t/grant.test
+++ b/mysql-test/t/grant.test
@@ -587,7 +587,6 @@ flush privileges;
 # Create some users with different hostnames
 create user mysqltest_8@'';
-create user mysqltest_8;
 create user mysqltest_8@host8;
 # Try to create them again
@@ -614,7 +613,6 @@ select * from t1;
 disconnect conn3;
 connection master;
 revoke select on mysqltest.* from mysqltest_8@'';
-revoke select on mysqltest.* from mysqltest_8;
 show grants for mysqltest_8@'';
 show grants for mysqltest_8;
 select * from  information_schema.schema_privileges
@@ -642,7 +640,6 @@ select * from t1;
 disconnect conn4;
 connection master;
 revoke update (a) on t1 from mysqltest_8@'';
-revoke update (a) on t1 from mysqltest_8;
 show grants for mysqltest_8@'';
 show grants for mysqltest_8;
 select * from  information_schema.column_privileges;
@@ -664,7 +661,6 @@ select * from t1;
 disconnect conn5;
 connection master;
 revoke update on t1 from mysqltest_8@'';
-revoke update on t1 from mysqltest_8;
 show grants for mysqltest_8@'';
 show grants for mysqltest_8;
 select * from  information_schema.table_privileges;
@@ -692,10 +688,6 @@ show grants for mysqltest_8;
 drop user mysqltest_8@'';
 --error ER_NONEXISTING_GRANT
 show grants for mysqltest_8@'';
-show grants for mysqltest_8;
-select * from  information_schema.user_privileges
-where grantee like "'mysqltest_8'%";
-drop user mysqltest_8;
 --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
 --error ER_ACCESS_DENIED_ERROR
 connect (conn6,localhost,mysqltest_8,,);

--- a/mysql-test/t/plugin_auth.test
+++ b/mysql-test/t/plugin_auth.test
@@ -168,7 +168,7 @@ connection grant_plug_dest_con;
 --echo ## testing what an ordinary user can grant 
 --echo this should fail : no rights to grant all
 --error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
-GRANT PROXY ON ''@'' TO grant_plug;
+GRANT PROXY ON ''@'%%' TO grant_plug;
 --echo this should fail : not the same user
 --error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
@@ -211,11 +211,11 @@ disconnect grant_plug_dest_con;
 --echo # test what root can grant
 --echo should work : root has PROXY to all users
-GRANT PROXY ON ''@'' TO grant_plug;
+GRANT PROXY ON ''@'%%' TO grant_plug;
-REVOKE PROXY ON ''@'' FROM grant_plug;
+REVOKE PROXY ON ''@'%%' FROM grant_plug;
 --echo should work : root has PROXY to all users
-GRANT PROXY ON ''@'' TO proxy_admin IDENTIFIED BY 'test' 
+GRANT PROXY ON ''@'%%' TO proxy_admin IDENTIFIED BY 'test' 
  WITH GRANT OPTION;
 --echo need USAGE : PROXY doesn't contain it.
@@ -225,7 +225,7 @@ connect (proxy_admin_con,localhost,proxy_admin,test);
 connection proxy_admin_con;
 --echo in proxy_admin_con;
--echo should work : proxy_admin has proxy to ''@''
+--echo should work : proxy_admin has proxy to ''@'%%'
 GRANT PROXY ON future_user TO grant_plug;
 connection default;
@@ -317,9 +317,9 @@ DROP USER plug_dest;
 --echo #
 GRANT ALL PRIVILEGES ON *.* TO power_user;
-GRANT USAGE ON anonymous_db.* TO ''@''
+GRANT USAGE ON anonymous_db.* TO ''@'%%'
  IDENTIFIED WITH 'test_plugin_server' AS 'power_user';
-GRANT PROXY ON power_user TO ''@'';
+GRANT PROXY ON power_user TO ''@'%%';
 CREATE DATABASE confidential_db;
 connect(plug_con,localhost, test_login_user, power_user, confidential_db);
@@ -329,24 +329,23 @@ connection default;
 disconnect plug_con;
 DROP USER power_user;
-DROP USER ''@'';
+DROP USER ''@'%%';
 DROP DATABASE confidential_db;
 --echo # Test case #2 (crash with double grant proxy)
-CREATE USER ''@'' IDENTIFIED WITH 'test_plugin_server' AS 'standard_user';
+CREATE USER ''@'%%' IDENTIFIED WITH 'test_plugin_server' AS 'standard_user';
 CREATE USER standard_user;
 CREATE DATABASE shared;
 GRANT ALL PRIVILEGES ON shared.* TO standard_user;
-GRANT PROXY ON standard_user TO ''@'';
+GRANT PROXY ON standard_user TO ''@'%%';
 --echo #should not crash
-GRANT PROXY ON standard_user TO ''@'';
+GRANT PROXY ON standard_user TO ''@'%%';
-DROP USER ''@'';
+DROP USER ''@'%%';
 DROP USER standard_user;
 DROP DATABASE shared;
 --echo #
 --echo # Bug #57551 : Live upgrade fails between 5.1.52 -> 5.5.7-rc
 --echo #

--- a/mysql-test/t/plugin_auth_qa_1.test
+++ b/mysql-test/t/plugin_auth_qa_1.test
@@ -184,7 +184,7 @@ DROP USER new_user,new_dest,plug_dest;
 --echo ========== test 2, 2.1, 2.2 ================================
-CREATE USER ''@'' IDENTIFIED WITH test_plugin_server AS 'proxied_user';
+CREATE USER ''@'%%' IDENTIFIED WITH test_plugin_server AS 'proxied_user';
 CREATE USER proxied_user IDENTIFIED BY 'proxied_user_passwd';
 --sorted_result
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
@@ -202,7 +202,7 @@ disconnect proxy_con;
 --error ER_ACCESS_DENIED_ERROR : this should fail : no grant
 connect(proxy_con,localhost,proxy_user,proxied_user);
 --enable_query_log
-GRANT PROXY ON proxied_user TO ''@'';
+GRANT PROXY ON proxied_user TO ''@'%%';
 --echo connect(proxy_con,localhost,proxied_user,proxied_user_passwd);
 connect(proxy_con,localhost,proxied_user,proxied_user_passwd);
 SELECT USER(),CURRENT_USER();
@@ -219,9 +219,9 @@ SELECT @@proxy_user;
 connection default;
 --echo disconnect proxy_con;
 disconnect proxy_con;
-DROP USER ''@'',proxied_user;
+DROP USER ''@'%%',proxied_user;
 #
-GRANT ALL PRIVILEGES ON test_user_db.* TO ''@'' 
+GRANT ALL PRIVILEGES ON test_user_db.* TO ''@'%%' 
                     IDENTIFIED WITH test_plugin_server AS 'proxied_user';
 CREATE USER proxied_user IDENTIFIED BY 'proxied_user_passwd';
 --sorted_result
@@ -239,7 +239,7 @@ disconnect proxy_con;
 --error ER_ACCESS_DENIED_ERROR : this should fail : no grant
 connect(proxy_con,localhost,proxy_user,proxied_user);
 --enable_query_log
-GRANT PROXY ON proxied_user TO ''@'';
+GRANT PROXY ON proxied_user TO ''@'%%';
 --echo connect(proxy_con,localhost,proxied_user,proxied_user_passwd);
 connect(proxy_con,localhost,proxied_user,proxied_user_passwd);
 SELECT USER(),CURRENT_USER();
@@ -255,19 +255,19 @@ SELECT @@proxy_user;
 connection default;
 --echo disconnect proxy_con;
 disconnect proxy_con;
-DROP USER ''@'',proxied_user;
+DROP USER ''@'%%',proxied_user;
 #
-CREATE USER ''@'' IDENTIFIED WITH test_plugin_server AS 'proxied_user';
+CREATE USER ''@'%%' IDENTIFIED WITH test_plugin_server AS 'proxied_user';
 CREATE USER proxied_user_1 IDENTIFIED BY 'proxied_user_1_pwd';
 CREATE USER proxied_user_2 IDENTIFIED BY 'proxied_user_2_pwd';
 CREATE USER proxied_user_3 IDENTIFIED BY 'proxied_user_3_pwd';
 CREATE USER proxied_user_4 IDENTIFIED BY 'proxied_user_4_pwd';
 CREATE USER proxied_user_5 IDENTIFIED BY 'proxied_user_5_pwd';
-GRANT PROXY ON proxied_user_1 TO ''@'';
+GRANT PROXY ON proxied_user_1 TO ''@'%%';
-GRANT PROXY ON proxied_user_2 TO ''@'';
+GRANT PROXY ON proxied_user_2 TO ''@'%%';
-GRANT PROXY ON proxied_user_3 TO ''@'';
+GRANT PROXY ON proxied_user_3 TO ''@'%%';
-GRANT PROXY ON proxied_user_4 TO ''@'';
+GRANT PROXY ON proxied_user_4 TO ''@'%%';
-GRANT PROXY ON proxied_user_5 TO ''@'';
+GRANT PROXY ON proxied_user_5 TO ''@'%%';
 --sorted_result
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
 --echo connect(proxy_con_1,localhost,proxied_user_1,'proxied_user_1_pwd');
@@ -312,7 +312,7 @@ disconnect proxy_con_3;
 disconnect proxy_con_4;
 --echo disconnect proxy_con_5;
 disconnect proxy_con_5;
-DROP USER ''@'',proxied_user_1,proxied_user_2,proxied_user_3,proxied_user_4,proxied_user_5;
+DROP USER ''@'%%',proxied_user_1,proxied_user_2,proxied_user_3,proxied_user_4,proxied_user_5;
 --echo ========== test 3 ==========================================

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -404,9 +404,7 @@ public:
  }
  void set_host(MEM_ROOT *mem, const char *host_arg)
  {
-    update_hostname(&host,
+    update_hostname(&host, safe_strdup_root(mem, host_arg));
-                    (host_arg && *host_arg) ?
-                    strdup_root(mem, host_arg) : NULL);
  }
  bool check_validity(bool check_no_resolve)
@@ -1319,14 +1317,17 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables)
  while (!(read_record_info.read_record(&read_record_info)))
  {
    ACL_DB db;
-    update_hostname(&db.host,get_field(&mem, table->field[MYSQL_DB_FIELD_HOST]));
+    db.user=get_field(&mem, table->field[MYSQL_DB_FIELD_USER]);
+    const char *hostname= get_field(&mem, table->field[MYSQL_DB_FIELD_HOST]);
+    if (!hostname && find_acl_role(db.user))
+      hostname= "";
+    update_hostname(&db.host, hostname);
    db.db=get_field(&mem, table->field[MYSQL_DB_FIELD_DB]);
    if (!db.db)
    {
      sql_print_warning("Found an entry in the 'db' table with empty database name; Skipped");
      continue;
    }
-    db.user=get_field(&mem, table->field[MYSQL_DB_FIELD_USER]);
    if (check_no_resolve && hostname_requires_resolving(db.host.hostname))
    {
      sql_print_warning("'db' entry '%s %s@%s' "
@@ -1750,8 +1751,7 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
  DBUG_ENTER("acl_getroot");
  DBUG_PRINT("enter", ("Host: '%s', Ip: '%s', User: '%s', db: '%s'",
-                       (host ? host : "(NULL)"), (ip ? ip : "(NULL)"),
+                       host, ip, user, db));
-                       user, (db ? db : "(NULL)")));
  sctx->user= user;
  sctx->host= host;
  sctx->ip= ip;
@@ -2105,7 +2105,7 @@ static void acl_insert_user(const char *user, const char *host,
  acl_user.user.str=*user ? strdup_root(&mem,user) : 0;
  acl_user.user.length= strlen(user);
-  update_hostname(&acl_user.host, *host ? strdup_root(&mem, host): 0);
+  update_hostname(&acl_user.host, safe_strdup_root(&mem, host));
  if (plugin->str[0])
  {
    acl_user.plugin= *plugin;
@@ -2207,7 +2207,7 @@ static void acl_insert_db(const char *user, const char *host, const char *db,
  ACL_DB acl_db;
  mysql_mutex_assert_owner(&acl_cache->lock);
  acl_db.user=strdup_root(&mem,user);
-  update_hostname(&acl_db.host, *host ? strdup_root(&mem,host) : 0);
+  update_hostname(&acl_db.host, safe_strdup_root(&mem, host));
  acl_db.db=strdup_root(&mem,db);
  acl_db.access=privileges;
  if (set_initial_access)
@@ -3161,10 +3161,11 @@ static const char *calc_ip(const char *ip, long *val, char end)
 static void update_hostname(acl_host_and_ip *host, const char *hostname)
 {
+  // fix historical undocumented convention that empty host is the same as '%'
+  hostname=const_cast<char*>(hostname ? hostname : host_not_specified.str);
  host->hostname=(char*) hostname;             // This will not be modified!
-  if (!hostname ||
+  if (!(hostname= calc_ip(hostname,&host->ip,'/')) ||
-      (!(hostname=calc_ip(hostname,&host->ip,'/')) ||
+      !(hostname= calc_ip(hostname+1,&host->ip_mask,'\0')))
-       !(hostname=calc_ip(hostname+1,&host->ip_mask,'\0'))))
  {
    host->ip= host->ip_mask=0;			// Not a masked ip
  }
@@ -4154,11 +4155,18 @@ GRANT_TABLE::GRANT_TABLE(GRANT_TABLE *source, char *u)
 GRANT_NAME::GRANT_NAME(TABLE *form, bool is_routine)
 {
-  update_hostname(&host, get_field(&memex, form->field[0]));
-  db=    get_field(&memex,form->field[1]);
  user=  get_field(&memex,form->field[2]);
  if (!user)
    user= (char*) "";
+  const char *hostname= get_field(&memex, form->field[0]);
+  mysql_mutex_lock(&acl_cache->lock);
+  if (!hostname && find_acl_role(user))
+    hostname= "";
+  mysql_mutex_unlock(&acl_cache->lock);
+  update_hostname(&host, hostname);
+  db=    get_field(&memex,form->field[1]);
  sort=  get_sort(3, host.hostname, db, user);
  tname= get_field(&memex,form->field[3]);
  if (!db || !tname)
@@ -8897,6 +8905,9 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
      }
    }
+    if (!user_name->host.str)
+      user_name->host= host_not_specified;
    /*
      Search all in-memory structures and grant tables
      for a mention of the new user/role name.

--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -13197,12 +13197,23 @@ user:
                                         system_charset_info, 0) ||
                check_host_name(&$$->host))
              MYSQL_YYABORT;
-            /*
+            if ($$->host.str[0])
-              Convert hostname part of username to lowercase.
+            {
-              It's OK to use in-place lowercase as long as
+              /*
-              the character set is utf8.
+                Convert hostname part of username to lowercase.
-            */
+                It's OK to use in-place lowercase as long as
-            my_casedn_str(system_charset_info, $$->host.str);
+                the character set is utf8.
+              */
+              my_casedn_str(system_charset_info, $$->host.str);
+            }
+            else
+            {
+              /*
+                fix historical undocumented convention that empty host is the
+                same as '%'
+              */
+              $$->host= host_not_specified;
+            }
          }
        | CURRENT_USER optional_braces
          {