pingcap · jackysp · Feb 21, 2019 · Jan 7, 2019 · Jan 7, 2019 · Jan 7, 2019
diff --git a/executor/builder.go b/executor/builder.go
@@ -525,6 +525,9 @@ func (b *executorBuilder) buildShow(v *plannercore.Show) Executor {
 	if e.Tp == ast.ShowGrants && e.User == nil {
 		e.User = e.ctx.GetSessionVars().User
 	}
+	if e.Tp == ast.ShowCreateUser && e.User == nil {
+		e.User = e.ctx.GetSessionVars().User
+	}
 	if e.Tp == ast.ShowMasterStatus {
 		// show master status need start ts.
 		if _, err := e.ctx.Txn(true); err != nil {

diff --git a/executor/show.go b/executor/show.go
@@ -107,6 +107,8 @@ func (e *ShowExec) fetchAll() error {
 		return e.fetchShowColumns()
 	case ast.ShowCreateTable:
 		return e.fetchShowCreateTable()
+	case ast.ShowCreateUser:
+		return e.fetchShowCreateUser()
 	case ast.ShowCreateDatabase:
 		return e.fetchShowCreateDatabase()
 	case ast.ShowDatabases:
@@ -839,6 +841,22 @@ func (e *ShowExec) fetchShowCollation() error {
 	return nil
 }
 
+// fetchShowCreateUser composes show create create user result.
+func (e *ShowExec) fetchShowCreateUser() error {
+	// Get checker
+	checker := privilege.GetPrivilegeManager(e.ctx)
+	if checker == nil {
+		return errors.New("miss privilege checker")
+	}
+	//password is encoded, like "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"(root)
+	password := checker.GetEncodedPassword(e.User.Username, e.User.Hostname)
+	option := "REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK"
+	showStr := fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH 'mysql_native_password' AS '%s' %s",
+		e.User.Username, e.User.Hostname, password, option)
+	e.appendRow([]interface{}{showStr})
+	return nil
+}
+
 func (e *ShowExec) fetchShowGrants() error {
 	// Get checker
 	checker := privilege.GetPrivilegeManager(e.ctx)

diff --git a/executor/show_test.go b/executor/show_test.go
@@ -201,6 +201,14 @@ func (s *testSuite2) TestShow2(c *C) {
 	tk.MustQuery("show grants for current_user").Check(testkit.Rows(`GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'`))
 }
 
+func (s *testSuite2) TestShow3(c *C) {
+	tk := testkit.NewTestKit(c, s.store)
+	// Create a new user.
+	createUserSQL := `CREATE USER 'test_show_create_user'@'%' IDENTIFIED BY 'root';`
+	tk.MustExec(createUserSQL)
+	tk.MustQuery("show create user 'test_show_create_user'@'%'").Check(testkit.Rows(`CREATE USER 'test_show_create_user'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' REQUIRE NONE PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK`))
+}
+
 func (s *testSuite2) TestUnprivilegedShow(c *C) {
 
 	tk := testkit.NewTestKit(c, s.store)

diff --git a/planner/core/planbuilder.go b/planner/core/planbuilder.go
@@ -1739,6 +1739,10 @@ func buildShowSchema(s *ast.ShowStmt, isView bool) (schema *expression.Schema) {
 		} else {
 			names = []string{"View", "Create View", "character_set_client", "collation_connection"}
 		}
+	case ast.ShowCreateUser:
+		if s.User != nil {
+			names = []string{fmt.Sprintf("CREATE USER for %s", s.User)}
+		}
 	case ast.ShowCreateDatabase:
 		names = []string{"Database", "Create Database"}
 	case ast.ShowGrants:

diff --git a/planner/core/planbuilder_test.go b/planner/core/planbuilder_test.go
@@ -41,6 +41,7 @@ func (s *testPlanBuilderSuite) TestShow(c *C) {
 		ast.ShowStatus,
 		ast.ShowCollation,
 		ast.ShowCreateTable,
+		ast.ShowCreateUser,
 		ast.ShowGrants,
 		ast.ShowTriggers,
 		ast.ShowProcedureStatus,

diff --git a/privilege/privilege.go b/privilege/privilege.go
@@ -31,6 +31,9 @@ type Manager interface {
 	// ShowGrants shows granted privileges for user.
 	ShowGrants(ctx sessionctx.Context, user *auth.UserIdentity) ([]string, error)
 
+	// GetEncodedPassword shows the encoded password for user.
+	GetEncodedPassword(user, host string) string
+
 	// RequestVerification verifies user privilege for the request.
 	// If table is "", only check global/db scope privileges.
 	// If table is not "", check global/db/table scope privileges.

diff --git a/privilege/privileges/privileges.go b/privilege/privileges/privileges.go
@@ -57,6 +57,22 @@ func (p *UserPrivileges) RequestVerification(db, table, column string, priv mysq
 	return mysqlPriv.RequestVerification(p.user, p.host, db, table, column, priv)
 }
 
+// GetEncodedPassword implements the Manager interface.
+func (p *UserPrivileges) GetEncodedPassword(user, host string) string {
+	mysqlPriv := p.Handle.Get()
+	record := mysqlPriv.connectionVerification(user, host)
+	if record == nil {
+		log.Errorf("Get user privilege record fail: user %v, host %v", user, host)
+		return ""
+	}
+	pwd := record.Password
+	if len(pwd) != 0 && len(pwd) != mysql.PWDHashLen+1 {
+		log.Errorf("User [%s] password from SystemDB not like a sha1sum", user)
+		return ""
+	}
+	return pwd
+}
+
 // ConnectionVerification implements the Manager interface.
 func (p *UserPrivileges) ConnectionVerification(user, host string, authentication, salt []byte) (u string, h string, success bool) {