MDEV-35617: DROP USER should leave no active session for that user

DROP USER looks for sessions by the do-be-dropped user and if found:
* fails with ER_CANNOT_USER in Oracle mode
* continues with ER_ACTIVE_CONNECTIONS_FOR_USER_TO_DROP warning otherwise

Every user being dropped is marked with flag that disallow establishing
a new connections on behalf this user.

mysql-test/main/auth_rpl.test

@@ -57,7 +57,9 @@ DROP USER 'plug_user';
 
 --echo # Cleanup (on master).
 --connection master
+--disable_warnings
 DROP USER 'plug_user';
+--enable_warnings
 
 --let $rpl_only_running_threads= 1
 --source include/rpl_end.inc

mysql-test/main/create_drop_user.result

@@ -41,3 +41,80 @@ Warnings:
 Note	1974	Can't drop user 'u1'@'%'; it doesn't exist
 DROP USER u2;
 ERROR HY000: Operation DROP USER failed for 'u2'@'%'
+#
+# MDEV-35617: DROP USER should leave no active session for that user
+#
+CREATE USER u1;
+CREATE USER u2;
+CREATE USER u3;
+GRANT ALL on test.* to u1;
+GRANT ALL on test.* to u2;
+GRANT ALL on test.* to u3;
+# Establish two connections on behalf the users u1, u3
+# A connection on behalf the user u2 isn't established intentionally
+connect  con1, localhost, u1, , test;
+connect  con3, localhost, u3, , test;
+# Drop the users u1, u2, u3. Since the users u1 and u3 have active
+# connections to the server, the warning about it will be output
+connection default;
+DROP USER u1, u2, u3;
+Warnings:
+Note	4227	Dropped users 'u1'@'%','u3'@'%' have active connections. Use KILL CONNECTION if they should not be used anymore.
+# None of the users u1, u2, u3 should be present in the system
+SELECT user, host FROM mysql.user WHERE user IN ('u1', 'u2', 'u3');
+User	Host
+disconnect con1;
+disconnect con3;
+# Check behaviour of the DROP USER statement in
+# oracle compatibility mode
+SET @save_sql_mode = @@sql_mode;
+SET sql_mode="oracle";
+CREATE USER u1;
+CREATE USER u2;
+CREATE USER u3;
+GRANT ALL on test.* to u1;
+GRANT ALL on test.* to u2;
+GRANT ALL on test.* to u3;
+# Established two connections on behalf the users u1, u3;
+# A connection on behalf the user u2 isn't established intentionally
+connect  con1, localhost, u1, , test;
+connect  con3, localhost, u3, , test;
+connection default;
+# In oracle compatibility mode, DROP USER fails in case
+# there are connections on behalf the users being dropped.
+DROP USER u1, u2, u3;
+ERROR HY000: Operation DROP USER failed for 'u1'@'%','u3'@'%'
+# It is expected to see two users in output of the query: u1 and u3,
+# u2 should be dropped since it doesn't have active connection at the moment
+SELECT user, host FROM mysql.user WHERE user IN ('u1', 'u2', 'u3');
+User	Host
+u1	%
+u3	%
+SET sql_mode= @save_sql_mode;
+disconnect con1;
+disconnect con3;
+# Clean up
+# Clean up
+DROP USER u1, u3;
+CREATE USER u@localhost;
+CREATE USER u@'%';
+connect u,localhost,u;
+connection default;
+DROP USER u@'%';
+disconnect u;
+DROP USER u@localhost;
+CREATE USER u@localhost;
+SET sql_mode=oracle;
+connect u,localhost,u;
+connection default;
+DROP USER u@'%';
+ERROR HY000: Operation DROP USER failed for 'u'@'%'
+disconnect u;
+connect u,localhost,u;
+SELECT user(), current_user();
+user()	current_user()
+u@localhost	u@localhost
+disconnect u;
+connection default;
+# Clean up
+DROP USER u@localhost;

mysql-test/main/create_drop_user.test

@@ -44,3 +44,94 @@ DROP USER IF EXISTS u1, u2;
 
 --error ER_CANNOT_USER
 DROP USER u2;
+
+--echo #
+--echo # MDEV-35617: DROP USER should leave no active session for that user
+--echo #
+
+CREATE USER u1;
+CREATE USER u2;
+CREATE USER u3;
+
+GRANT ALL on test.* to u1;
+GRANT ALL on test.* to u2;
+GRANT ALL on test.* to u3;
+
+--echo # Establish two connections on behalf the users u1, u3
+--echo # A connection on behalf the user u2 isn't established intentionally
+--connect (con1, localhost, u1, , test)
+--connect (con3, localhost, u3, , test)
+
+--echo # Drop the users u1, u2, u3. Since the users u1 and u3 have active
+--echo # connections to the server, the warning about it will be output
+--connection default
+DROP USER u1, u2, u3;
+
+--echo # None of the users u1, u2, u3 should be present in the system
+SELECT user, host FROM mysql.user WHERE user IN ('u1', 'u2', 'u3');
+
+--disconnect con1
+--disconnect con3
+
+--echo # Check behaviour of the DROP USER statement in
+--echo # oracle compatibility mode
+SET @save_sql_mode = @@sql_mode;
+SET sql_mode="oracle";
+CREATE USER u1;
+CREATE USER u2;
+CREATE USER u3;
+
+GRANT ALL on test.* to u1;
+GRANT ALL on test.* to u2;
+GRANT ALL on test.* to u3;
+
+--echo # Established two connections on behalf the users u1, u3;
+--echo # A connection on behalf the user u2 isn't established intentionally
+--connect (con1, localhost, u1, , test)
+--connect (con3, localhost, u3, , test)
+
+--connection default
+--echo # In oracle compatibility mode, DROP USER fails in case
+--echo # there are connections on behalf the users being dropped.
+--error ER_CANNOT_USER
+DROP USER u1, u2, u3;
+
+--echo # It is expected to see two users in output of the query: u1 and u3,
+--echo # u2 should be dropped since it doesn't have active connection at the moment
+SELECT user, host FROM mysql.user WHERE user IN ('u1', 'u2', 'u3');
+SET sql_mode= @save_sql_mode;
+
+--disconnect con1
+--disconnect con3
+--echo # Clean up
+--disable_warnings
+--echo # Clean up
+DROP USER u1, u3;
+--enable_warnings
+
+CREATE USER u@localhost;
+CREATE USER u@'%';
+--connect u,localhost,u
+--connection default
+DROP USER u@'%';
+
+--disconnect u
+--disable_warnings
+DROP USER u@localhost;
+--enable_warnings
+
+CREATE USER u@localhost;
+SET sql_mode=oracle;
+--connect u,localhost,u
+--connection default
+--error ER_CANNOT_USER
+DROP USER u@'%';
+--disconnect u
+
+--connect u,localhost,u
+SELECT user(), current_user();
+
+--disconnect u
+--connection default
+--echo # Clean up
+DROP USER u@localhost;

mysql-test/main/grant.result

@@ -1585,6 +1585,8 @@ mysqltest1.f1()
 0
 connection default;
 drop user mysqluser1@localhost;
+Warnings:
+Note	4227	Dropped users 'mysqluser1'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 #
 # Test that dropping of user is properly reflected in
 # both privilege tables and in in-memory structures.

mysql-test/main/grant_utf8_cli.test

@@ -8,5 +8,7 @@ set names utf8;
 create user юзер_юзер@localhost;
 grant select on test.* to юзер_юзер@localhost;
 --exec $MYSQL --default-character-set=utf8 --user=юзер_юзер -e "select user()"
+--disable_warnings
 drop user юзер_юзер@localhost;
+--enable_warnings
 set names default;

mysql-test/main/information_schema_db.result

@@ -473,6 +473,8 @@ USER	PASSWORD_ERRORS	PASSWORD_EXPIRATION_TIME
 # Delete user while some connection is still alive, then select.
 connection default;
 drop user nice_user;
+Warnings:
+Note	4227	Dropped users 'nice_user'@'%' have active connections. Use KILL CONNECTION if they should not be used anymore.
 connection con2;
 select * from information_schema.users;
 ERROR 0L000: The current user is invalid

mysql-test/main/lock_view.test

@@ -94,5 +94,7 @@ connection default;
 exec $MYSQL_DUMP --no-autocommit=0 test v1 -uu1 --compact;
 drop view v1;
 drop table t1;
+--disable_warnings
 drop user u1@localhost;
+--enable_warnings
 --enable_service_connection

mysql-test/main/mysql.test

@@ -792,7 +792,9 @@ create user ser@localhost identified by "ass";
 --echo MYSQL --ssl-verify-server-cert -e "\\s"
 --replace_regex /^.[^S].*// /\b[-A-Z_0-9]+,/XXX,/
 --exec $MYSQL -user -pass --ssl-verify-server-cert -e "\\s"
+--disable_warnings
 drop user ser@localhost;
+--enable_warnings
 
 --echo #
 --echo # MDEV-32473 --disable-ssl doesn't disable it

mysql-test/main/mysqlbinlog.test

@@ -4,6 +4,7 @@
 
 -- source include/have_log_bin.inc
 -- source include/binlog_start_pos.inc
+-- source include/count_sessions.inc
 
 --disable_query_log
 CALL mtr.add_suppression("Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT");
@@ -365,6 +366,7 @@ echo mysql mysqltest1 -uuntrusted < var/tmp/bug31611.sql;
 error 1;
 exec $MYSQL mysqltest1 -uuntrusted < $MYSQLTEST_VARDIR/tmp/bug31611.sql;
 --remove_file $MYSQLTEST_VARDIR/tmp/bug31611.sql
+
 connection unsecure;
 error ER_TABLEACCESS_DENIED_ERROR;
 INSERT INTO t1 VALUES (1,USER());
@@ -373,6 +375,7 @@ SELECT * FROM t1;
 connection default;
 disconnect unsecure;
 DROP DATABASE mysqltest1;
+--source include/wait_until_count_sessions.inc
 DROP USER untrusted@localhost;
 
 --echo # Bug#32580 mysqlbinlog cannot read binlog event with user variables

mysql-test/main/mysqldump-system.test

@@ -125,7 +125,9 @@ set time_zone= @@global.time_zone;
 --echo # Restore from mysqldump
 --exec $MYSQL --user mariadb_test_restore --password=getitback --show-warnings  < $MYSQLTEST_VARDIR/tmp/dump1.sql
 
+--disable_warnings
 DROP USER mariadb_test_restore;
+--enable_warnings
 
 # successful restore?
 

mysql-test/main/mysqldump.result

@@ -3934,6 +3934,8 @@ drop table t1;
 drop table u1;
 revoke all privileges on mysqldump_myDB.* from myDB_User@localhost;
 drop user myDB_User@localhost;
+Warnings:
+Note	4227	Dropped users 'myDB_User'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 drop database mysqldump_myDB;
 flush privileges;
 # Bug#21424 continues from here.

mysql-test/main/mysqldump.test

@@ -1617,8 +1617,10 @@ drop procedure sp1;
 
 connection default;
 disconnect user27293;
+--disable_warnings
 drop user user1;
 drop user user2;
+--enable_warnings
 
 drop database mysqldump_test_db;
 
@@ -2348,7 +2350,9 @@ connection conn_1;
 connection default;
 disconnect conn_1;
 
+--disable_warnings
 DROP USER user1;
+--enable_warnings
 DROP DATABASE BUG52792;
 --echo # UTF-8
 CREATE DATABASE BUG52792;

mysql-test/main/password_expiration.test

@@ -3,6 +3,7 @@
 #
 
 --source include/not_embedded.inc
+--source include/count_sessions.inc
 
 --echo #
 --echo # Only privileged users should be able to expire passwords
@@ -54,6 +55,7 @@ set global disconnect_on_expired_password=ON;
 connect(con1,localhost,user1);
 
 --exec $MYSQL --connect-expired-password -u user1 -e "set password=password('');"
+--source include/wait_until_count_sessions.inc
 drop user user1@localhost;
 
 --echo #
@@ -65,6 +67,7 @@ set global disconnect_on_expired_password=ON;
 --replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
 --error ER_MUST_CHANGE_PASSWORD_LOGIN
 connect(con1,localhost,user1);
+--source include/wait_until_count_sessions.inc
 drop user user1@localhost;
 
 --echo #
@@ -94,6 +97,7 @@ flush privileges;
 --replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
 --error ER_MUST_CHANGE_PASSWORD_LOGIN
 connect(con1,localhost,user1);
+--source include/wait_until_count_sessions.inc
 drop user user1@localhost;
 
 --echo #
@@ -215,6 +219,7 @@ flush privileges;
 --replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
 --error ER_MUST_CHANGE_PASSWORD_LOGIN
 connect(con1,localhost,user1);
+--source include/wait_until_count_sessions.inc
 drop user user1@localhost;
 
 --echo #
@@ -237,6 +242,7 @@ flush privileges;
 --replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
 --error ER_MUST_CHANGE_PASSWORD_LOGIN
 connect(con1,localhost,user1);
+--source include/wait_until_count_sessions.inc
 drop user user1@localhost;
 
 --echo #

mysql-test/main/password_expiration_unix_socket.test

@@ -21,4 +21,6 @@
 
 --let $replace=drop user '$USER'
 --replace_result $replace "drop user 'USER'"
+--disable_warnings
 --eval drop user '$USER'
+--enable_warnings

mysql-test/main/plugin_auth_qa_1.test

@@ -4,6 +4,7 @@
 --source include/not_embedded.inc
 #enable view protocol after fix MDEV-29542
 --source include/no_view_protocol.inc
+--source include/count_sessions.inc
 
 CREATE DATABASE test_user_db;
 
@@ -27,6 +28,7 @@ GRANT ALL ON test_user_db.* TO 'plug_dest'@'%';
 REVOKE PROXY ON plug_dest FROM plug_user;
 --error 1
 --exec $MYSQL -u plug_user --password=plug_dest -e "SELECT current_user();SELECT user();USE test_user_db;CREATE TABLE t1(a int);SHOW TABLES;DROP TABLE t1;" 2>&1
+--source include/wait_until_count_sessions.inc
 DROP USER plug_user,plug_dest;
 #
 # GRANT...WITH
@@ -48,6 +50,7 @@ REVOKE PROXY ON plug_dest FROM plug_user;
 --echo 3)
 --error 1
 --exec $MYSQL -u plug_user --password=plug_dest -e "SELECT current_user();SELECT user();USE test_user_db;CREATE TABLE t1(a int);SHOW TABLES;DROP TABLE t1;" 2>&1
+--source include/wait_until_count_sessions.inc
 DROP USER plug_user,plug_dest;
 #
 # GRANT...WITH/CREATE...BY
@@ -62,6 +65,7 @@ GRANT ALL ON test_user_db.* TO 'plug_dest'@'%';
 --echo 2)
 --replace_result $MASTER_MYSOCK MASTER_MYSOCK
 --exec $MYSQL -u plug_user --password=plug_dest -e "SELECT current_user();SELECT user();USE test_user_db;CREATE TABLE t1(a int);SHOW TABLES;DROP TABLE t1;" 2>&1
+--source include/wait_until_count_sessions.inc
 DROP USER plug_user,plug_dest;
 
 --echo ========== test 1.2 ========================================
@@ -81,6 +85,7 @@ GRANT PROXY ON new_dest TO plug_user;
 --exec $MYSQL -u plug_user --password=new_dest -e "SELECT current_user();SELECT user();" 2>&1
 --sorted_result
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
+--source include/wait_until_count_sessions.inc
 DROP USER plug_user,new_dest;
 
 # CREATE...WITH/CREATE...BY
@@ -100,6 +105,7 @@ GRANT PROXY ON new_dest TO plug_user;
 --exec $MYSQL -u plug_user --password=new_dest -e "SELECT current_user();SELECT user();" 2>&1
 --sorted_result
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
+--source include/wait_until_count_sessions.inc
 DROP USER plug_user,new_dest;
 # CREATE...WITH
 CREATE USER plug_user

mysql-test/main/plugin_auth_qa_2.test

@@ -7,6 +7,7 @@
 --source include/not_embedded.inc
 #enable view protocol after fix MDEV-29542
 --source include/no_view_protocol.inc
+--source include/count_sessions.inc
 
 CREATE DATABASE test_user_db;
 
@@ -29,6 +30,7 @@ SELECT @@external_user;
 --sorted_result
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
 
+--source include/wait_until_count_sessions.inc
 DROP USER qa_test_1_user;
 DROP USER qa_test_1_dest;
 
@@ -52,6 +54,7 @@ SELECT @@external_user;
 --sorted_result
 SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
 
+--source include/wait_until_count_sessions.inc
 DROP USER qa_test_2_user;
 DROP USER qa_test_2_dest;
 DROP USER authenticated_as;
@@ -66,6 +69,7 @@ GRANT PROXY ON qa_test_3_dest TO qa_test_3_user;
 --echo exec MYSQL -h localhost -u qa_test_3_user --password=qa_test_3_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 --exec $MYSQL -h localhost -u qa_test_3_user --password=qa_test_3_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 
+--source include/wait_until_count_sessions.inc
 DROP USER qa_test_3_user;
 DROP USER qa_test_3_dest;
 
@@ -79,6 +83,7 @@ GRANT PROXY ON qa_test_4_dest TO qa_test_4_user;
 --echo exec MYSQL -h localhost -u qa_test_4_user --password=qa_test_4_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 --exec $MYSQL -h localhost -u qa_test_4_user --password=qa_test_4_dest  test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 
+--source include/wait_until_count_sessions.inc
 DROP USER qa_test_4_user;
 DROP USER qa_test_4_dest;
 
@@ -99,6 +104,7 @@ SELECT user,plugin,authentication_string,password FROM mysql.user WHERE user !=
 --error 1
 --exec $MYSQL -h localhost --user=qa_test_5_user --password=qa_test_5_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 
+--source include/wait_until_count_sessions.inc
 DROP USER qa_test_5_user;
 DROP USER qa_test_5_dest;
 DROP USER ''@'localhost';
@@ -133,6 +139,7 @@ SELECT user,plugin,authentication_string FROM mysql.user WHERE user != 'root';
 --error 1
 --exec $MYSQL -h localhost --user=root --password=qa_test_6_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 
+--source include/wait_until_count_sessions.inc
 DROP USER qa_test_6_user;
 DROP USER qa_test_6_dest;
 DELETE FROM mysql.user WHERE user='root' AND plugin='qa_auth_interface';
@@ -151,7 +158,6 @@ GRANT PROXY ON qa_test_11_dest TO qa_test_11_user;
 --error 1
 --exec $MYSQL --default_auth=qa_auth_client -h localhost -u qa_test_11_user --password=qa_test_11_dest test_user_db -e "SELECT current_user(),user(),@@local.proxy_user,@@local.external_user;" 2>&1
 
+--source include/wait_until_count_sessions.inc
 DROP USER qa_test_11_user, qa_test_11_dest;
 DROP DATABASE test_user_db;
-
---exit

mysql-test/main/ssl_autoverify.test

@@ -121,9 +121,11 @@ inc $mitm_port;
 }
 
 drop function have_ssl;
+--disable_warnings
 drop user native@'%';
 drop user ed@'%';
 drop user nohash@'%';
 drop user multi@'%';
+--enable_warnings
 uninstall plugin ed25519;
 uninstall plugin three_attempts;

mysql-test/main/ssl_cipher.test

@@ -8,6 +8,7 @@ CALL mtr.add_suppression("are insecure");
 --enable_query_log
 
 --source include/have_ssl_communication.inc
+--source include/count_sessions.inc
 
 if (`select @@version_ssl_library like 'OpenSSL 1.1.1%'`) {
   skip OpenSSL 1.1.1;
@@ -43,6 +44,7 @@ connection con4;
 SHOW STATUS LIKE 'Ssl_cipher';
 disconnect con4;
 connection default;
+--source include/wait_until_count_sessions.inc
 drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
 
 #
@@ -93,6 +95,7 @@ select 'is still running; no cipher request crashed the server' as result from d
 create user mysqltest_1@localhost;
 grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
 --exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
+--source include/wait_until_count_sessions.inc
 drop user mysqltest_1@localhost;
 
 #

mysql-test/main/upgrade_MDEV-19650.result

@@ -279,6 +279,8 @@ GRANT PROXY ON ''@'%' TO 'not_root'@'localhost' WITH GRANT OPTION;
 connect  con1,localhost,not_root,,;
 connection con1;
 DROP USER 'root'@'localhost';
+Warnings:
+Note	4227	Dropped users 'root'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 DROP USER 'root'@'127.0.0.1';
 DROP USER 'root'@'::1';
 use mysqltest1;

mysql-test/main/user_limits.test

@@ -89,7 +89,9 @@ disconnect mcph2;
 connect (mcph3, localhost, mysqltest_1,,);
 # Cleanup
 connection default;
+--disable_warnings
 drop user mysqltest_1@localhost;
+--enable_warnings
 
 # Test of MAX_USER_CONNECTIONS limit
 # We need this to reset internal mqh_used variable
@@ -135,7 +137,9 @@ connect (muc5, localhost, mysqltest_1,,);
 disconnect muc2;
 disconnect muc3;
 disconnect muc4;
+--disable_warnings
 drop user mysqltest_1@localhost;
+--enable_warnings
 
 # Now let us test interaction between global and per-account
 # max_user_connections limits
@@ -201,7 +205,9 @@ connect (muca2, localhost, mysqltest_1,,);
 connect (muca3, localhost, mysqltest_1,,);
 disconnect muca2;
 connection default;
+--disable_warnings
 drop user mysqltest_1@localhost;
+--enable_warnings
 
 # Final cleanup
 drop table t1;

mysql-test/main/view_grant.result

@@ -789,6 +789,8 @@ CREATE VIEW v1 AS SELECT * FROM t1;
 connection root;
 GRANT SELECT ON db17254.v1 TO inv_17254@localhost;
 DROP USER def_17254@localhost;
+Warnings:
+Note	4227	Dropped users 'def_17254'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 connect  inv,localhost,inv_17254,,db17254;
 connection inv;
 for a user without SET USER

mysql-test/suite/binlog/t/binlog_grant.test

@@ -195,7 +195,9 @@ call mtr.add_suppression("Access denied; you need (at least one of) the BINLOG R
 --remove_file $MYSQLTEST_VARDIR/tmp/mysqlbinlog.sql
 --disconnect user1
 DROP TABLE t2,t1;
+--disable_warnings
 DROP USER user1@localhost;
+--enable_warnings
 
 --echo #
 --echo # End of 10.5 test

mysql-test/suite/binlog_encryption/rpl_ssl.result

@@ -46,6 +46,8 @@ Master_SSL_Key = 'MYSQL_TEST_DIR/std_data/client-key.pem'
 include/check_slave_is_running.inc
 connection master;
 drop user replssl@localhost;
+Warnings:
+Note	4227	Dropped users 'replssl'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 drop table t1;
 connection slave;
 include/stop_slave.inc

mysql-test/suite/engines/funcs/r/rpl_slave_status.result

@@ -30,6 +30,8 @@ n
 ==== Delete new replication user ====
 connection master;
 DROP USER rpl@127.0.0.1;
+Warnings:
+Note	4240	Dropped users 'rpl'@'127.0.0.1' have active connections. Use KILL CONNECTION if they should not be used anymore.
 FLUSH PRIVILEGES;
 connection slave;
 ==== Restart slave without privileges =====

mysql-test/suite/events/events_bugs.result

@@ -659,6 +659,8 @@ Expect 1
 1
 connection default;
 DROP USER evtest1@localhost;
+Warnings:
+Note	4227	Dropped users 'evtest1'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 Sleep 4 seconds
 SELECT COUNT(*) INTO @row_cnt FROM events_test.event_log;
 Sleep 4 seconds

mysql-test/suite/federated/federated_bug_25714.test

@@ -57,7 +57,9 @@ SELECT LAST_INSERT_ID();
 SELECT * from federated.t1;
 
 DROP TABLE federated.t1;
+--disable_warnings
 drop user fed@127.0.0.1;
+--enable_warnings
 SET @@GLOBAL.CONCURRENT_INSERT= @OLD_MASTER_CONCURRENT_INSERT;
 connection slave;
 DROP TABLE federated.t1;

mysql-test/suite/federated/federated_server.test

@@ -274,7 +274,9 @@ select * from federated.t1;
 
 # clean up test
 connection slave;
+disable_warnings;
 drop user test_fed@localhost;
+enable_warnings;
 drop database db_legitimate;
 drop database db_bogus;
 

mysql-test/suite/federated/update.test

@@ -25,7 +25,9 @@ drop table tt1;
 
 connection slave;
 drop database db1;
+disable_warnings;
 drop user my@localhost;
+enable_warnings;
 
 source include/federated_cleanup.inc;
 

mysql-test/suite/galera/r/MW-416.result

@@ -92,6 +92,8 @@ UNINSTALL PLUGIN plg;
 Got one of the listed errors
 connection node_1;
 DROP USER 'userMW416'@'localhost';
+Warnings:
+Note	4226	Dropped users 'userMW416'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 SHOW DATABASES;
 Database
 information_schema

mysql-test/suite/galera/r/galera_read_only.result

@@ -33,3 +33,5 @@ DROP TABLE t2;
 SET GLOBAL read_only=FALSE;
 DROP TABLE t1;
 DROP USER foo@localhost;
+Warnings:
+Note	4226	Dropped users 'foo'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.

mysql-test/suite/galera/r/galera_roles.result

@@ -167,6 +167,8 @@ disconnect foo_node_2;
 # Connect with node_1
 connection node_1;
 DROP USER foo@localhost;
+Warnings:
+Note	4226	Dropped users 'foo'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 DROP DATABASE test1;
 #
 # MDEV-10566: Create role statement replicated inconsistently in Galera Cluster

mysql-test/suite/galera/r/rename.result

@@ -44,5 +44,7 @@ i
 1
 connection node_1;
 DROP USER foo@localhost;
+Warnings:
+Note	4226	Dropped users 'foo'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 DROP TABLE t2;
 # End of tests

mysql-test/suite/plugins/t/multiauth.test

@@ -1,4 +1,5 @@
 --source include/not_ubsan.inc
+--source include/count_sessions.inc
 
 let $REGEX_VERSION_ID=/$mysql_get_server_version/VERSION_ID/;
 let $REGEX_PASSWORD_LAST_CHANGED=/password_last_changed": [0-9]*/password_last_changed": #/;
@@ -48,6 +49,7 @@ show create user mysqltest1;
 --echo # name does not match, password bad = failure
 --error 1
 --exec $try_auth -u mysqltest1 -pbad
+--source include/wait_until_count_sessions.inc
 --replace_result $dreplace "drop user 'USER'"
 eval $dreplace, mysqltest1;
 
@@ -68,6 +70,7 @@ show create user mysqltest1;
 --echo # name does not match, password bad = failure
 --error 1
 --exec $try_auth -u mysqltest1 -pbad
+--source include/wait_until_count_sessions.inc
 --replace_result $dreplace "drop user 'USER'"
 eval $dreplace, mysqltest1;
 
@@ -88,6 +91,7 @@ show create user mysqltest1;
 --echo # name does not match, password bad = failure
 --error 1
 --exec $try_auth -u mysqltest1 -pbad
+--source include/wait_until_count_sessions.inc
 --replace_result $dreplace "drop user 'USER'"
 eval $dreplace, mysqltest1;
 
@@ -108,6 +112,7 @@ show create user mysqltest1;
 --echo # name does not match, password bad = failure
 --error 1
 --exec $try_auth -u mysqltest1 -pbad
+--source include/wait_until_count_sessions.inc
 --replace_result $dreplace "drop user 'USER'"
 eval $dreplace, mysqltest1;
 
@@ -130,6 +135,7 @@ show create user mysqltest1;
 --echo # name does not match, password bad = failure
 --error 1
 --exec $try_auth -u mysqltest1 -pbad
+--source include/wait_until_count_sessions.inc
 --replace_result $dreplace "drop user 'USER'"
 eval $dreplace, mysqltest1;
 
@@ -146,6 +152,7 @@ show create user mysqltest1;
 --echo # password bad = failure
 --error 1
 --exec $try_auth -u mysqltest1 -pbad
+--source include/wait_until_count_sessions.inc
 drop user mysqltest1;
 
 #
@@ -198,6 +205,7 @@ show create user mysqltest1;
 --echo # SET PASSWORD helps
 set password for mysqltest1 = password('bla');
 --exec $try_auth -u mysqltest1 -pbla
+--source include/wait_until_count_sessions.inc
 --replace_result $dreplace "drop user 'USER'"
 eval $dreplace, mysqltest1;
 
@@ -219,6 +227,7 @@ show create user mysqltest1;
 --exec $try_auth -u mysqltest1 -pgood --plugin-dir=$plugindir/no
 --echo # no plugin, second password works = ok
 --exec $try_auth -u mysqltest1 -pworks --plugin-dir=$plugindir/no
+--source include/wait_until_count_sessions.inc
 drop user mysqltest1;
 
 uninstall soname 'auth_ed25519';

mysql-test/suite/plugins/t/pam.test

@@ -1,5 +1,6 @@
 let $PAM_PLUGIN_VERSION= $AUTH_PAM_SO;
 --source pam_init.inc
+--source include/count_sessions.inc
 
 --write_file $MYSQLTEST_VARDIR/tmp/pam_good.txt
 not very secret challenge
@@ -83,6 +84,7 @@ alter user test_pam password expire;
 --error 1
 --exec $MYSQL_TEST -u test_pam -pgoodpassword < $MYSQLTEST_VARDIR/tmp/pam_good2.txt
 
+--source include/wait_until_count_sessions.inc
 drop user test_pam;
 drop user pam_test;
 create user PAM_TEST identified via pam using 'mariadb_mtr';
@@ -104,6 +106,7 @@ set global pam_winbind_workaround=1;
 --remove_file $MYSQLTEST_VARDIR/tmp/pam_good2.txt
 --remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt
 --remove_file $MYSQLTEST_VARDIR/tmp/pam_ugly.txt
+--source include/wait_until_count_sessions.inc
 drop user PAM_TEST;
 
 --echo #
@@ -121,6 +124,7 @@ show create user;
 EOF
 --exec $MYSQL_TEST -u pam_test < $MYSQLTEST_VARDIR/tmp/setpwd.txt
 --remove_file $MYSQLTEST_VARDIR/tmp/setpwd.txt
+--source include/wait_until_count_sessions.inc
 drop user pam_test;
 
 let $count_sessions= 1;

mysql-test/suite/plugins/t/parsec.test

@@ -1,5 +1,6 @@
 source include/platform.inc;
 source include/not_embedded.inc;
+source include/count_sessions.inc;
 
 if (`select count(*) = 0 from information_schema.plugins where plugin_name = 'parsec'`)
 {
@@ -41,6 +42,7 @@ if ($MTR_COMBINATION_WIN) {
 --echo # mysql -utest1 -ppwd --ssl-verify-server-cert -e "select test.have_ssl()"
 --exec $MYSQL --protocol tcp $host -utest1 -ppwd --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 
+source include/wait_until_count_sessions.inc;
 drop function have_ssl;
 drop user test1@'%';
 
@@ -57,4 +59,5 @@ disconnect con4;
 --error ER_ACCESS_DENIED_ERROR
 connect con5, localhost, test2, "wrong_pwd";
 connection default;
+source include/wait_until_count_sessions.inc;
 drop user test2@'%';

mysql-test/suite/roles/create_and_drop_current.result

@@ -10,6 +10,8 @@ ERROR 42000: You have an error in your SQL syntax; check the manual that corresp
 create role current_role;
 ERROR HY000: Operation CREATE ROLE failed for CURRENT_ROLE
 drop user current_user;
+Warnings:
+Note	4227	Dropped users 'foo'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 drop user current_role;
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'current_role' at line 1
 drop role current_user;

mysql-test/suite/roles/definer.result

@@ -620,6 +620,8 @@ drop view test.v1, test.v2, test.v3, test.v4, test.v5;
 drop table t1, t2;
 drop role role1, role2;
 drop user foo@localhost;
+Warnings:
+Note	4227	Dropped users 'foo'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 drop database mysqltest1;
 use test;
 create user utest;

mysql-test/suite/roles/definer.test

@@ -327,7 +327,9 @@ drop view test.v1, test.v2, test.v3, test.v4, test.v5;
 drop table t1, t2;
 drop role role1, role2;
 drop user foo@localhost;
+--disable_warnings
 drop database mysqltest1;
+--enable_warnings
 use test;
 
 ##################################################

mysql-test/suite/roles/drop_current_user-5176.result

@@ -2,6 +2,8 @@ create user foo@localhost;
 grant create user on *.* to foo@localhost;
 connect  foo,localhost,foo,,;
 drop user foo@localhost;
+Warnings:
+Note	4227	Dropped users 'foo'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 select * from information_schema.applicable_roles;
 GRANTEE	ROLE_NAME	IS_GRANTABLE	IS_DEFAULT
 show grants;

mysql-test/suite/rpl/r/rpl_password_boundaries.result

@@ -54,6 +54,8 @@ ERROR HY000: String 'воттакойужпарольвоттакойужпар
 connection master;
 set sql_log_bin=0;
 drop user rpl32@127.0.0.1, rpl33@127.0.0.1, rpl16cyr@127.0.0.1, rpl17mix@127.0.0.1;
+Warnings:
+Note	4227	Dropped users 'rpl16cyr'@'127.0.0.1' have active connections. Use KILL CONNECTION if they should not be used anymore.
 set sql_log_bin=1;
 connection slave;
 change master to master_user='root',master_password='';

mysql-test/suite/rpl/r/rpl_perfschema_connect_config.result

@@ -57,6 +57,8 @@ include/assert.inc [Value returned by SSS and PS table for SSL_Key should be sam
 include/assert.inc [Value returned by SSS and PS table for SSL_Verify_Server_Certificate should be same.]
 connection master;
 drop user replssl@localhost;
+Warnings:
+Note	4227	Dropped users 'replssl'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 connection slave;
 include/stop_slave.inc
 CHANGE MASTER TO

mysql-test/suite/rpl/r/rpl_slave_alias_replica.result

@@ -22,6 +22,8 @@ connection slave;
 connection master;
 "Command: SHOW SLAVE HOSTS --> SHOW REPLICA HOSTS"
 DROP USER 'repl_user';
+Warnings:
+Note	4227	Dropped users 'repl_user'@'%' have active connections. Use KILL CONNECTION if they should not be used anymore.
 connection slave;
 "Command: SHOW SLAVE IO/SQL THREAD --> SHOW REPLICA IO/SQL THREAD"
 STOP REPLICA IO_THREAD;

mysql-test/suite/rpl/r/rpl_slave_restart_long_password.result

@@ -18,6 +18,8 @@ include/check_slave_param.inc [Slave_IO_Running]
 connection master;
 SET SQL_LOG_BIN=0;
 DROP USER rpl@127.0.0.1;
+Warnings:
+Note	4227	Dropped users 'rpl'@'127.0.0.1' have active connections. Use KILL CONNECTION if they should not be used anymore.
 FLUSH PRIVILEGES;
 SET SQL_LOG_BIN=1;
 connection slave;

mysql-test/suite/rpl/r/rpl_slave_status.result

@@ -30,6 +30,8 @@ n
 ==== Delete new replication user ====
 connection master;
 DROP USER rpl@127.0.0.1;
+Warnings:
+Note	4227	Dropped users 'rpl'@'127.0.0.1' have active connections. Use KILL CONNECTION if they should not be used anymore.
 FLUSH PRIVILEGES;
 connection slave;
 ==== Restart slave without privileges =====

mysql-test/suite/rpl/r/rpl_ssl.result

@@ -46,6 +46,8 @@ Master_SSL_Key = 'MYSQL_TEST_DIR/std_data/client-key.pem'
 include/check_slave_is_running.inc
 connection master;
 drop user replssl@localhost;
+Warnings:
+Note	4227	Dropped users 'replssl'@'localhost' have active connections. Use KILL CONNECTION if they should not be used anymore.
 drop table t1;
 connection slave;
 include/stop_slave.inc
@@ -55,5 +57,5 @@ master_ssl = 1,
 master_ssl_ca = '',
 master_ssl_cert = '',
 master_ssl_key = '';
-End of 5.0 tests
+# End of 5.0 tests
 include/rpl_end.inc

mysql-test/suite/rpl/r/rpl_ssl1.result

@@ -112,6 +112,8 @@ master_ssl_verify_server_cert=0,
 master_ssl=1;
 connection master;
 drop user replssl@127.0.0.1;
+Warnings:
+Note	4227	Dropped users 'replssl'@'127.0.0.1' have active connections. Use KILL CONNECTION if they should not be used anymore.
 connection slave;
 drop user replssl@127.0.0.1;
 include/rpl_end.inc

mysql-test/suite/rpl/t/rpl_ssl1.test

@@ -61,7 +61,9 @@ change master to master_user='root',master_password='', master_ssl=0;
 start slave;
 --source include/wait_for_slave_to_start.inc
 connection master;
+disable_warnings;
 drop user replssl@localhost;
+enable_warnings;
 drop table t1;
 
 sync_slave_with_master;

sql/share/errmsg-utf8.txt

@@ -12329,4 +12329,6 @@ ER_WARN_MALFORMED_HINT
 ER_WARN_HINTS_ON_INSERT_PART_OF_INSERT_SELECT
         eng "Optimizer hints at the INSERT part of a INSERT..SELECT statement are not supported"
 ER_INIT_SLAVE_ERROR
-    eng "Slave SQL thread aborted. Can't execute init_slave query due to error code %u: %s"
+        eng "Slave SQL thread aborted. Can't execute init_slave query due to error code %u: %s"
+ER_ACTIVE_CONNECTIONS_FOR_USER_TO_DROP
+        eng "Dropped users %s have active connections. Use KILL CONNECTION if they should not be used anymore."

sql/sql_acl.cc

@@ -172,7 +172,7 @@ public:
   LEX_CSTRING user;
   /* list to hold references to granted roles (ACL_ROLE instances) */
   DYNAMIC_ARRAY role_grants;
-  const char *get_username() { return user.str; }
+  const char *get_username() const { return user.str; }
 };
 
 class ACL_USER_PARAM
@@ -205,6 +205,23 @@ public:
     DBUG_ASSERT(host.hostname[hostname_length] == '\0');
     return Lex_ident_host(host.hostname, hostname_length);
   }
+
+  void disable_new_connections()
+  {
+    dont_accept_conn= true;
+  }
+
+  bool dont_accept_new_connections() const
+  {
+    return dont_accept_conn;
+  }
+
+protected:
+  /*
+    Ephemeral state (meaning it is not stored anywhere in the Data Dictionary)
+    to disable establishing sessions in case the user is being dropped.
+  */
+  bool dont_accept_conn= false;
 };
 
 
@@ -11345,6 +11362,66 @@ bool mysql_create_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
   DBUG_RETURN(result);
 }
 
+
+/**
+  Callback function invoked for every active THD to find a first session
+  established by specified user
+
+  @param[in] thd   Thread context
+  @param arg       Account info for that checks presence of an active
+                   connection
+
+  @return true on matching, else false
+*/
+
+static my_bool count_threads_callback(THD *thd,
+                                      LEX_USER *arg)
+{
+  if (thd->security_ctx->user)
+  {
+    /*
+      Check that hostname (if given) and user name matches.
+    */
+    if (!strcmp(arg->host.str, thd->main_security_ctx.priv_host) &&
+        !strcmp(arg->user.str, thd->main_security_ctx.priv_user) &&
+        (thd->killed & ~KILL_HARD_BIT) != KILL_CONNECTION)
+      return true;
+  }
+  return false;
+}
+
+
+/**
+  Check presence of an active connection established on behalf the user
+
+  @param[in] user  User credential for that checks presence of an active
+                   connection
+
+  @return true on presence connection, else false
+*/
+
+static bool exist_active_sessions_for_user(LEX_USER *user)
+{
+  return server_threads.iterate(count_threads_callback, user);
+}
+
+
+/**
+  Find the specified user and mark it as not accepting incoming sessions
+
+  @param user_name  the user for that accept of incoming connections
+                    should be disabled
+*/
+
+static void disable_connections_for_user(LEX_USER *user)
+{
+  ACL_USER *found_user= find_user_exact(user->host, user->user);
+
+  if (found_user != nullptr)
+    found_user->disable_new_connections();
+}
+
+
 /*
   Drop a list of users and all their privileges.
 
@@ -11381,6 +11458,11 @@ bool mysql_drop_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
   mysql_rwlock_wrlock(&LOCK_grant);
   mysql_mutex_lock(&acl_cache->lock);
 
+  /*
+    String for storing a comma separated list of users that specified
+    at the DROP USER statement being processed and have active connections
+  */
+  String connected_users;
   while ((tmp_user_name= user_list++))
   {
     int rc;
@@ -11403,6 +11485,28 @@ bool mysql_drop_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
       continue;
     }
 
+    if (!handle_as_role)
+    {
+      if (exist_active_sessions_for_user(user_name))
+      {
+
+        if ((thd->variables.sql_mode & MODE_ORACLE))
+        {
+          append_user(thd, &wrong_users, user_name);
+          result= TRUE;
+          continue;
+        }
+        else
+          append_user(thd, &connected_users, user_name);
+      }
+
+      /*
+        Prevent new connections to be established on behalf the user
+        being dropped.
+      */
+      disable_connections_for_user(user_name);
+    }
+
     if ((rc= handle_grant_data(thd, tables, 1, user_name, NULL)) > 0)
     {
       // The user or role was successfully deleted
@@ -11431,6 +11535,12 @@ bool mysql_drop_user(THD *thd, List <LEX_USER> &list, bool handle_as_role)
     result= TRUE;
   }
 
+  if (!connected_users.is_empty())
+    push_warning_printf(thd, Sql_condition::WARN_LEVEL_NOTE,
+                        ER_ACTIVE_CONNECTIONS_FOR_USER_TO_DROP,
+                        ER_THD(thd, ER_ACTIVE_CONNECTIONS_FOR_USER_TO_DROP),
+                        connected_users.c_ptr_safe());
+
   if (!handle_as_role)
   {
     /* Rebuild 'acl_check_hosts' since 'acl_users' has been modified */
@@ -13917,7 +14027,7 @@ static bool find_mpvio_user(MPVIO_EXT *mpvio)
 
   ACL_USER *user= find_user_or_anon(sctx->host, sctx->user, sctx->ip);
 
-  if (user)
+  if (user && !user->dont_accept_new_connections())
     mpvio->acl_user= user->copy(mpvio->auth_info.thd->mem_root);
 
   mysql_mutex_unlock(&acl_cache->lock);

storage/spider/mysql-test/spider/bugfix/r/direct_sql_with_comma_pwd.result

@@ -27,6 +27,8 @@ connection master_1;
 DROP DATABASE IF EXISTS auto_test_local;
 connection child2_1;
 DROP USER tu@'%';
+Warnings:
+Note	4227	Dropped users 'tu'@'%' have active connections. Use KILL CONNECTION if they should not be used anymore.
 for master_1
 for child2
 child2_1

storage/spider/mysql-test/spider/bugfix/t/mdev_34589.test

@@ -15,7 +15,9 @@ CREATE TABLE t2 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql", SRV "srv", TABLE
 CHECK TABLE t2;
 drop table t1, t2;
 drop server srv;
+--disable_warnings
 drop user spider@localhost;
+--enable_warnings
 
 --disable_query_log
 --disable_result_log