After a chat with @JAllemandou and @Eevans we agreed that the AQS clusters should migrate to a better user management scheme. We are currently using the admin 'cassandra' user for Restbase reads and also for writes, that has multiple downsides:
- requires QUORUM during user authentication, not really great for performances (as opposed to local one for simple users);
- does not protect the system.auth table properly.
The migration procedure should be something like:
(a) Set a new application_username and application_password.
- This will allow the creation of /etc/cassandra/adduser.cql on each node.
(b) cqlsh -u cassandra -f /etc/cassandra/adduser.cql $HOSTNAME (type passsword when promptedd)
- will just create the new user on the cluster
(c) Change restbase::cassandra_user
- will reconfigure Restbase to use it
(d) Set a new super_password for the Cassandra username.
(e) Change the super password in Cassandra to match (d)
We definitely want to do it for aqs100 but aqs100 will need extra care because live.