mysql 5.7.9-log set session mode gives warning about NO_AUTO_CREATE_USER is deprecated

When changing the session mode in mysql 5.7 I get the following warning.

"(Code 3090): Changing sql mode 'NO_AUTO_CREATE_USER' is deprecated. It will be removed in a future release."

I don't exactly understand what it means. Is mysql removing the ability to be able to set a session mode?

Mysql terminal

mysql> \W
Show warnings enabled.
mysql> SET SESSION sql_mode="NO_ENGINE_SUBSTITUTION";
Query OK, 0 rows affected, 1 warning (0.00 sec)

Warning (Code 3090): Changing sql mode 'NO_AUTO_CREATE_USER' is deprecated. It will be removed in a future release.
mysql>

"Deprecated" means that the feature works as intended, but it is not recommended anymore because it will probably be disabled in a future realease. MySQL backwards compatibility works usually by deprecating, showing a warning on version X+1 (e.g. 5.7) an an error on the next one (e.g. 5.8). That way you have time to adapt your database and scripts.

In particular, your error is that you are not using NO_AUTO_CREATE_USER as the SQL Mode. In other words, NO_AUTO_CREATE_USER should be enabled by default and you should not change it (disable it) because the option will probably disappear in 5.8, being always enabled.

As a consequence, you cannot any more assume that GRANT creates a user automatically, and instead you should execute explicit CREATE USER statements. This is done because if you run:

CREATE USER root@'10.0.0.11' IDENTIFIED BY 'secret';
GRANT SELECT ON 'wordpress.%' TO root@'10.0.1.1';

You would not have created a user with a password and provided him with access to the wordpress database - you have created a user with a password, and then created another, different user without password with access to that database. That is a security issue so NO_AUTO_CREATE_USER is a very recommended configuration.

I would not recommend you to set the sql mode at session level, but if you do, write:

SET SESSION sql_mode="NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER";

or an ever more strict mode.

The reason why I do not recommend this is double:

-
You are disabling the stricter defaults (stric_trans_tables, etc.):

mysql> SET SESSION sql_mode=DEFAULT; SELECT @@sql_mode\G

Query OK, 0 rows affected (0.00 sec)

1. row

@@sql_mode: ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

1 row in set (0.00 sec)

-
This is unnecessary if you were able to do it globally (SET GLOBAL or on configuration file). Adding it on session level means you have an extra roundtrip to the database, adding latency. Executing one SET takes very little time, but if you do it on every single query/session, the time adds up. However, if you cannot change it at server level, the session change is the only way to do it.

StackExchange Database Administrators Q#120421, answer score: 4