diff --git a/deployment/puppet/osnailyfacter/manifests/database/database.pp b/deployment/puppet/osnailyfacter/manifests/database/database.pp index 6013bd03bb..2fcc0d0968 100644 --- a/deployment/puppet/osnailyfacter/manifests/database/database.pp +++ b/deployment/puppet/osnailyfacter/manifests/database/database.pp @@ -19,7 +19,7 @@ class osnailyfacter::database::database { $haproxy_stats_port = '10000' $haproxy_stats_url = "http://${database_vip}:${haproxy_stats_port}/;csv" - $mysql_database_password = $mysql_hash['root_password'] + $mysql_root_password = $mysql_hash['root_password'] $enabled = pick($mysql_hash['enabled'], true) $galera_node_address = get_network_role_property('mgmt/database', 'ipaddr') @@ -45,7 +45,7 @@ class osnailyfacter::database::database { ############################################################################# validate_string($status_password) - validate_string($mysql_database_password) + validate_string($mysql_root_password) validate_string($status_password) if $enabled { @@ -212,13 +212,16 @@ class osnailyfacter::database::database { 'wsrep_provider_options' => $wsrep_provider_options, 'wsrep_slave_threads' => $wsrep_slave_threads, 'wsrep_sst_method' => 'xtrabackup-v2', - 'wsrep_sst_auth' => "\"root:${mysql_database_password}\"", #TODO fix this, should be a specific user not root + #TODO (sgolovatiuk): fix this, should be a specific user not root + 'wsrep_sst_auth' => "\"root:${mysql_root_password}\"", 'wsrep_node_address' => $galera_node_address, 'wsrep_node_incoming_address' => $galera_node_address, 'wsrep_sst_receive_address' => $galera_node_address, }, 'xtrabackup' => { - 'parallel' => inline_template("<%= [[${::processorcount}, 2].max, 6].min %>"), + 'parallel' => inline_template( + "<%= [[${::processorcount}, 2].max, 6].min %>" + ), }, 'sst' => { 'streamfmt' => 'xbstream', 
@@ -248,9 +251,10 @@ class osnailyfacter::database::database { galera_package_name => $galera_package_name, client_package_name => $client_package_name, galera_servers => $galera_nodes, - galera_master => false, # NOTE: we don't want the galera module to boostrap + # NOTE: we don't want the galera module to boostrap + galera_master => false, mysql_port => $backend_port, - root_password => $mysql_database_password, + root_password => $mysql_root_password, create_root_user => $primary_controller, create_root_my_cnf => true, configure_repo => false, # NOTE: repos should be managed via fuel @@ -322,20 +326,23 @@ class osnailyfacter::database::database { # TODO: (sgolovatiuk): This class should be removed once # https://github.com/puppetlabs/puppetlabs-mysql/pull/801/files is accepted class { '::osnailyfacter::mysql_access': - db_password => $mysql_database_password, + db_password => $mysql_root_password, + require => Class['::galera'], } # this sets up remote grants for use with detached db - class { '::osnailyfacter::mysql_user_access': - db_user => 'root', - db_password_hash => mysql_password($mysql_database_password), - access_networks => $access_networks, + if $primary_controller { + # We do not need to create users on all controllers as + # whole /var/lib/mysql will be transferred during SST + # Also this leads to split brain as MyISAM tables are got diverged + class { '::osnailyfacter::mysql_user_access': + db_user => 'root', + db_password_hash => mysql_password($mysql_root_password), + access_networks => $access_networks, + require => Class['::osnailyfacter::mysql_access'], + } } - Class['::galera'] -> - Class['::osnailyfacter::mysql_access'] -> - Class['::osnailyfacter::mysql_user_access'] - Class['::openstack::galera::status'] -> ::Osnailyfacter::Wait_for_backend['mysql'] } diff --git a/tests/noop/spec/hosts/database/database_spec.rb b/tests/noop/spec/hosts/database/database_spec.rb index 393bb358c4..78b41b9e70 100644 
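Review bot: The new `if $primary_controller` guard limits only `::osnailyfacter::mysql_user_access` to the primary, while `::osnailyfacter::mysql_access` stays declared on every controller with the root password. The added comment does not say why the MyISAM divergence concern applies to one class and not the other. The comment also relies on SST to carry the remote root grants to the other nodes. If `mysql_user_access` writes the grant tables directly (its body is not visible here), a later change to `access_networks` or the root password on the primary may not reach controllers that have already joined, leaving stale root grants on them. I would extend the comment along the lines of `# Remote root grants are created on the primary only and reach other nodes via SST; changing access_networks or the root password later requires re-applying on the primary and confirming the grants on every node`. The class body starts and ends outside this hunk.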
--- a/tests/noop/spec/hosts/database/database_spec.rb +++ b/tests/noop/spec/hosts/database/database_spec.rb @@ -156,12 +156,16 @@ describe manifest do ) end - it 'should setup additional root grants from other hosts' do - should contain_class('osnailyfacter::mysql_user_access').with( - :db_user => 'root', - :db_password_hash => mysql_database_password_hash, - :access_networks => access_networks - ) + it 'should setup additional root grants from other hosts only on primary controller' do + if primary_controller + should contain_class('osnailyfacter::mysql_user_access').with( + :db_user => 'root', + :db_password_hash => mysql_database_password_hash, + :access_networks => access_networks + ) + else + should_not contain_class('osnailyfacter::mysql_user_access') + end end it 'should remove package provided wsrep.cnf' do
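Review bot: The rewritten example only checks whether `osnailyfacter::mysql_user_access` is present or absent, so the ordering the manifest now expresses with `require` instead of the removed `->` chain is not covered. In the `if primary_controller` branch I would chain `.that_requires('Class[osnailyfacter::mysql_access]')` onto the `contain_class(...).with(...)` expectation, so a dropped `require` fails the spec rather than surfacing as root grants applied before the access class has run. The `describe manifest do` block starts and ends outside this hunk, so an ordering check elsewhere in the file cannot be ruled out.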