Ok, having looked into this a little further: in ipv4 mode we do not acquire a grant for the vip, but this does not appear to be a problem as long as the primary (non-vip) address of all units have grants. With ipv6, if we do the same, i.e. acquire a grant for each base address, all is fine unless the node connecting has a second/vip address configured, in which case the connection to mysql appears to come from the vip, which has no grant and therefore fails, e.g.
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:1:0:f816:3eff:fec6:2a3c/64 scope global dynamic
valid_lft 86189sec preferred_lft 14189sec
inet6 fe80::f816:3eff:fec6:2a3c/64 scope link
valid_lft forever preferred_lft forever
vs.
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:1:0:d0cf:528c:23eb:5001/64 scope global
valid_lft forever preferred_lft forever
inet6 2001:db8:1:0:f816:3eff:fe7e:a3b/64 scope global dynamic
valid_lft 86203sec preferred_lft 14203sec
inet6 fe80::f816:3eff:fe7e:a3b/64 scope link
valid_lft forever preferred_lft forever
with grants:
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe73:cd5f';
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fe7e:a3b';
-- Grants for 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c'
GRANT USAGE ON *.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c' IDENTIFIED BY PASSWORD '*D76D690319879C126E329CD6616F0ABC447EA717';
GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'2001:db8:1:0:f816:3eff:fec6:2a3c';
gives:
OperationalError: (OperationalError) (1130, "Host '2001:db8:1:0:d0cf:528c:23eb:5001' is not allowed to connect to this MySQL server") None None
If I set a grant for the vip all is good. Perhaps this has something to do with scope global addresses taking precedence over scope global dynamic ones?