Root Cause Analysis of MySQL sha256_password Deprecation Warning Triggered by Non‑existent Users
The article investigates why MySQL 8.0.27 repeatedly logs a deprecation warning for the sha256_password plugin, tracing the issue to authentication attempts with non‑existent users, analyzing source code, and proposing configuration and code‑level fixes.
During performance testing of a system, developers observed that the MySQL error log repeatedly contained the warning "Plugin sha256_password reported: 'sha256_password' is deprecated and will be removed in a future release. Please use caching_sha2_password instead" despite normal operation of the business system.
Environment details include MySQL 8.0.27 on RHEL 7.3, single‑node test deployment, log_error_verbosity set to 2, and the default authentication plugin caching_sha2_password.
Initial analysis suggested that outdated client tools might be using the deprecated plugin, but reproducing the warning through manual client connections failed, indicating the source was not a client‑side issue.
Enabling the general log revealed that a user named dbuser2 from IP 10.x.y.43 was attempting to connect, although this user does not exist in mysql.user and no skip‑grant‑tables configuration is present.
Further investigation showed that the application configuration mistakenly referenced a non‑existent database user, causing periodic connection attempts that generated the warning.
Source‑code analysis examined the normal authentication flow, showing the sequence from handle_connection to caching_sha2_password_authenticate. When the user is absent, MySQL creates a temporary decoy_user object whose plugin field is chosen randomly from the cached authentication plugins. Approximately one‑third of the time this random choice selects PLUGIN_SHA256_PASSWORD, which triggers the deprecation warning before the authentication ultimately fails.
The root cause is therefore a combination of (1) an application configuration error referencing a non‑existent user and (2) MySQL’s authentication logic that may select the deprecated sha256_password plugin for such phantom users.
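The correlation used in this investigation can be automated. The following is an added example, not code from the original article or from MySQL: it joins general-log Connect entries for accounts missing from mysql.user with sha256_password deprecation warnings in the error log. The log lines, the IP addresses, the KNOWN_USERS set and the function names are constructed for illustration, and the join assumes the error-log thread id equals the general-log connection id.

```python
import re
from collections import defaultdict

# Constructed sample data. Assumptions: general log in FILE format, documentation-range
# IPs in place of the redacted one, error-log thread id == general-log connection id.
GENERAL_LOG = (
    "2023-01-10T08:00:01.100000Z\t   12 Connect\tdbuser2@192.0.2.43 on appdb using TCP/IP\n"
    "2023-01-10T08:00:01.100900Z\t   12 Connect\tAccess denied for user 'dbuser2'@'192.0.2.43' (using password: YES)\n"
    "2023-01-10T08:00:02.000000Z\t   13 Connect\tappuser@192.0.2.50 on appdb using TCP/IP\n"
    "2023-01-10T08:00:06.100000Z\t   14 Connect\tdbuser2@192.0.2.43 on appdb using TCP/IP\n"
    "2023-01-10T08:00:06.100900Z\t   14 Connect\tAccess denied for user 'dbuser2'@'192.0.2.43' (using password: YES)\n"
)
ERROR_LOG = (
    "2023-01-10T08:00:01.100500Z 12 [Warning] [MY-013360] [Server] Plugin sha256_password reported: "
    "''sha256_password' is deprecated and will be removed in a future release. "
    "Please use caching_sha2_password instead'\n"
)
KNOWN_USERS = {"root", "appuser"}  # stand-in for the result of SELECT user FROM mysql.user

CONNECT_RE = re.compile(r"^\S+\s+(\d+) Connect\t([^@\s]+)@(\S+) on ")
WARNING_RE = re.compile(r"^\S+ (\d+) \[Warning\].*Plugin sha256_password reported:")

def unknown_account_attempts(general_log, known_users):
    """Map connection id -> (user, host) for Connect attempts by accounts not in known_users."""
    attempts = {}
    for line in general_log.splitlines():
        m = CONNECT_RE.match(line)  # "Access denied" lines carry no user@host and do not match
        if m and m.group(2) not in known_users:
            attempts[int(m.group(1))] = (m.group(2), m.group(3))
    return attempts

def summarize(general_log, error_log, known_users):
    """Per unknown (user, host): number of connect attempts and of attributed warnings."""
    attempts = unknown_account_attempts(general_log, known_users)
    stats = defaultdict(lambda: {"attempts": 0, "warnings": 0})
    for account in attempts.values():
        stats[account]["attempts"] += 1
    for line in error_log.splitlines():
        m = WARNING_RE.match(line)
        if m and int(m.group(1)) in attempts:  # join on connection id
            stats[attempts[int(m.group(1))]]["warnings"] += 1
    return dict(stats)

if __name__ == "__main__":
    for (user, host), s in summarize(GENERAL_LOG, ERROR_LOG, KNOWN_USERS).items():
        print(f"{user}@{host}: {s['attempts']} attempts, {s['warnings']} deprecation warnings")
```

An account that shows attempts here but has no row in mysql.user points to a client-side credential error like the one described above, even when only some of its attempts produce the warning.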
Solutions include correcting the application’s connection credentials, suppressing the specific warning via the log_error_suppression_list variable (as a temporary measure), or fixing the MySQL source to avoid selecting PLUGIN_SHA256_PASSWORD for unknown accounts (a bug has been filed as #109635).
Key function locations for further reference are:
find_mpvio_user() (./sql/auth/sql_authentication.cc:2084)
parse_client_handshake_packet() (./sql/auth/sql_authentication.cc:2990)
server_mpvio_read_packet() (./sql/auth/sql_authentication.cc:3282)
caching_sha2_password_authenticate() (./sql/auth/sha2_password.cc:955)
do_auth_once() (./sql/auth/sql_authentication.cc:3327)
acl_authenticate() (./sql/auth/sql_authentication.cc:3799)
check_connection() (./sql/sql_connect.cc:651)
login_connection() (./sql/sql_connect.cc:716)
thd_prepare_connection() (./sql/sql_connect.cc:889)
handle_connection() (./sql/conn_handler/connection_handler_per_thread.cc:298)
Aikesheng Open Source Community
The Aikesheng Open Source Community provides stable, enterprise‑grade MySQL open‑source tools and services, releases a premium open‑source component each year (1024), and continuously operates and maintains them.