Additionally, a dedicated application user should be created, with corresponding access rights to the allocated table.

This seems like the Right Way™, but the Puppet code we use for templating a CQL flat file assumes a 1:1 relationship between a Cassandra cluster and an application. Either we come up with another way and refactor, or use the restb user and corresponding password here.

Additionally, a dedicated application user should be created, with corresponding access rights to the allocated table.

This part of the requirements is a little problematic. The Puppet module ([[ https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/production/modules/cassandra/ | operations/puppet/modules/cassandra ]]) assumes a 1:1 relationship between a Cassandra cluster and an application hosted on it. This issue sets a precedent for multi-tenant Cassandra access.

Fixing this shouldn't be complicated per say, but will be somewhat invasive, and effects all wmf cassandra clusters. I recommend that we forego this requirement for now, configuring echostore to use RESTBase's credentials, and accept that this user has GRANTs that cover every table. This should be considered temporary; We can setup the tasks to follow through with a permanent solution.

The following has been created on the RESTBase cluster:

CREATE KEYSPACE echostore WITH replication = { 'class': 'NetworkTopologyStrategy', 'eqiad': 3, 'codfw': 3 };
CREATE TABLE echostore.values (key text PRIMARY KEY, value blob);

Change 541911 had a related patch set uploaded (by Eevans; owner: Eevans):
[operations/puppet@production] restbase: Cassandra client access from k8s

https://gerrit.wikimedia.org/r/541911

Change 541911 merged by Alexandros Kosiaris:
[operations/puppet@production] restbase: Cassandra client access from k8s

https://gerrit.wikimedia.org/r/541911

T235299: Cassandra cluster management support for multi-tenancy has been created for follow-up, this issue is otherwise complete.