After a chat with @JAllemandou and @Eevans we agreed that the AQS clusters should migrate to a better user management scheme. We are currently using the admin 'cassandra' user for Restbase reads and also for writes, that has multiple downsides:
- requires QUORUM during user authentication, not really great for performances (as opposed to local one for simple users);
- does not protect the system.auth table properly.
The migration procedure should be something like:
- Set an new application_username and application_password (to create $CASSANDRA_CONF/user_aqs.cql on nodes)
- Run cqlsh -u cassandra -f $CASSANDRA_CONF/user_aqs.cql $HOSTNAME (creates user)
- Change restbase::cassandra_user (configuring AQS service to use the aqs user)
- Set a new super_password for the Cassandra username (in private.git) for templating of $CASSANDRA_CONF/cqlshrc
- Update the super password in Cassandra to match $CASSANDRA_CONF/cqlshrc
- Set an new application_username and application_password (to create $CASSANDRA_CONF/user_aqsloader.cql on nodes)
We definitely want to do it for aqs100 but aqs100 will need extra care because live.