When authentication is enabled on a new Cassandra cluster, a default (super)user and corresponding password is automatically created. RESTBase currently makes use of this default. RESTBase requires a broad set of permissions to operate, but it does not require superuser (it does not need to add or remove other users, nor grant/revoke permissions). Additionally, authentication of the default user is performed at QUORUM, whereas all other users (even manually created superusers) are authenticated at ONE, which could cause serious problems when we are deployed across multiple datacenters.
I've added some documentation to https://wikitech.wikimedia.org/wiki/Cassandra#Authentication for what I think should be done to the existing (and any future) clusters.
We need to replace the default cassandra superuser with one of our own, and create an application user for RESTBase.
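The CQL sequence below is an added illustration of that plan, not the task's own steps nor the contents of the wikitech page. The user names (`ops_admin`, `restbase`), the password placeholders and the exact permission set granted to the application user are assumptions; the ordering (create the replacement superuser and log in as it before dropping `cassandra`) is the part that matters, since the default user cannot be dropped by itself and dropping it first would lock the cluster.

```sql
-- Added example (not from this task or the wikitech page): replace the default
-- 'cassandra' superuser and create a least-privilege RESTBase user.
-- Run in cqlsh while logged in as the default superuser. User names, the
-- permission set and the password placeholders are assumptions for illustration.

-- 1. Create our own superuser first, so we never lock ourselves out.
CREATE USER ops_admin WITH PASSWORD 'REPLACE_WITH_STRONG_SECRET' SUPERUSER;

-- 2. Reconnect as ops_admin (a non-default superuser, so its authentication
--    runs at ONE rather than QUORUM), then remove the default account.
--    A user cannot drop itself, which is why step 1 must come first.
--    cqlsh -u ops_admin -p 'REPLACE_WITH_STRONG_SECRET'
DROP USER cassandra;

-- 3. Application user for RESTBase: can log in, is NOT a superuser.
CREATE USER restbase WITH PASSWORD 'REPLACE_WITH_STRONG_SECRET' NOSUPERUSER;

-- 4. Broad but non-administrative permissions (assumed set). RESTBase creates
--    its own keyspaces and tables, so it needs CREATE/ALTER/DROP plus
--    read/write on all keyspaces. It is deliberately NOT given AUTHORIZE,
--    the permission that would let it grant or revoke permissions.
GRANT CREATE ON ALL KEYSPACES TO restbase;
GRANT ALTER  ON ALL KEYSPACES TO restbase;
GRANT DROP   ON ALL KEYSPACES TO restbase;
GRANT SELECT ON ALL KEYSPACES TO restbase;
GRANT MODIFY ON ALL KEYSPACES TO restbase;

-- 5. Verify the end state: exactly one superuser (ops_admin), the default
--    'cassandra' user gone, and no AUTHORIZE among restbase's permissions.
LIST USERS;
LIST ALL PERMISSIONS OF restbase;

-- General Cassandra guidance, not from this task: once authentication is on,
-- the system_auth keyspace should be replicated to every datacenter
-- (NetworkTopologyStrategy with a replication factor above 1 per DC), since
-- every login reads from it.
```

Because `CREATE USER` / `GRANT ... TO user` predate the role-based syntax, these statements work on both older and newer Cassandra releases; on 2.2 and later they are accepted as aliases of the corresponding `ROLE` statements. The `LIST` statements at the end are the check to run after the change: if `restbase` shows `AUTHORIZE` on any resource, or `cassandra` still appears in `LIST USERS`, the migration is incomplete.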