As we move towards galera+haproxy for the openstack database, most host-specific grants will be moot, as mysql sees all connections as coming in from the haproxy host.
It would still be good to restrict access to certain hosts, though; that probably needs to happen via an haproxy ACL.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Andrew | T242455 Investigate options to improve CloudVPS backend database architecture | |||
| Invalid | Andrew | T255806 Add haproxy ACLs for mysql access |
Thinking about this more, I don't think that haproxy can do anything that a firewall can't do -- it certainly doesn't know username/database for a mysql access so all it can really do is enforce based on originating IP, and we already have a firewall to handle that.