remove default cassandra user from superuser #472

Open
4nt01ne opened this issue Feb 8, 2022 · 1 comment

4nt01ne commented Feb 8, 2022

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.25.1
  • Ruby: 2.5.9
  • Distribution: RHEL 8
  • Module version: 3.1.0

How to reproduce (e.g. Puppet code you use)

class profile::cassandra {
  $_baseline = {
    'authenticator'                               => 'PasswordAuthenticator',
    'auto_bootstrap'                              => false,
    'auto_snapshot'                               => false,
    'broadcast_rpc_address'                       => $facts['networking']['ip'],
    'cluster_name'                                => 'Test_Cluster',
    'commitlog_directory'                         => '/var/lib/cassandra/commitlog',
    'commitlog_sync'                              => 'periodic',
    'commitlog_sync_period_in_ms'                 => 10000,
    'compaction_throughput_mb_per_sec'            => 16,
    'concurrent_reads'                            => 64,
    'concurrent_writes'                           => 32,
    'data_file_directories'                       => ['/var/lib/cassandra/data'],
    'dynamic_snitch_badness_threshold'            => '0.1',
    'endpoint_snitch'                             => 'GossipingPropertyFileSnitch',
    'internode_compression'                       => 'dc',
    'listen_interface'                            => $facts['networking']['primary'],
    'memtable_flush_writers'                      => 4,
    'memtable_heap_space_in_mb'                   => 2048,
    'num_tokens'                                  => 32,
    'partitioner'                                 => 'org.apache.cassandra.dht.Murmur3Partitioner',
    'rpc_address'                                 => '0.0.0.0',
    'saved_caches_directory'                      => '/var/lib/cassandra/saved_caches',
    'seed_provider'                               => [
      {
        'class_name' => 'org.apache.cassandra.locator.SimpleSeedProvider',
        'parameters' => [{ 'seeds' => join($seeds, ', ') }],
      },
    ],
    'start_native_transport'                      => true,
    'stream_throughput_outbound_megabits_per_sec' => 0,
  }

  class { 'cassandra':
    baseline_settings => $_baseline,
    package_ensure    => '2.2.19-1',
    package_name      => 'cassandra',
    dc                => 'DC1',
    rack              => 'RACK1',
    prefer_local      => true,
    service_enable    => true,
    service_ensure    => 'running',
    settings          => {
      'authorizer' => 'CassandraAuthorizer',
    },
  }
  class { 'cassandra::schema':
    cqlsh_password => 'cassandra',
    cqlsh_user     => 'cassandra',
    cqlsh_host     => $facts['networking']['ip'],
    indexes        => undef,
    keyspaces      => undef,
    users          => {
      'newuser' => {
        password  => 'nicepassword',
        superuser => true,
      },
    },
  }

  $_drop_default_su_cqlsh = "cqlsh -u newuser -p nicepassword --execute=\"ALTER USER cassandra NOSUPERUSER\" ${cassandra::schema::cqlsh_conn}" # lint:ignore:140chars
  $_default_su_roles_cqlsh = "cqlsh -u newuser -p nicepassword --execute=\"LIST ROLES OF cassandra\" ${cassandra::schema::cqlsh_conn}"

  exec { 'drop cassandra user from superuser':
    command => $_drop_default_su_cqlsh,
    path    => '/usr/bin',
    onlyif  => "${_default_su_roles_cqlsh} | grep -E 'cassandra.*(True).*(True|False)'",
    require => Class['cassandra::schema'],
  }
}

What are you seeing

Once the cassandra user has lost its superuser privilege, the next puppet agent run fails on executing the 'cassandra::schema' class.

What behaviour did you expect instead

To be able to provide a non-default superuser to run cassandra::schema, or at least a way to change the default cassandra user's password.

Output log

1st puppet run

Notice: /Stage[main]/Cassandra/Package[cassandra]/ensure: created
Info: /Stage[main]/Cassandra/Package[cassandra]: Scheduling refresh of Exec[cassandra_reload_systemctl]
Info: /Stage[main]/Cassandra/Package[cassandra]: Scheduling refresh of Service[cassandra]
Notice: /Stage[main]/Cassandra/Exec[cassandra_reload_systemctl]: Triggered 'refresh' from 1 event
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf]/owner: owner changed 'root' to 'cassandra'
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf]/group: group changed 'root' to 'cassandra'
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra.yaml]/content:
--- /etc/cassandra/default.conf/cassandra.yaml  2020-10-29 11:49:35.000000000 +0100
+++ /tmp/puppet-file20220208-343687-1r5v2pg     2022-02-08 15:28:39.401894745 +0100
[very long diff omitted for clarity]
Info: Computing checksum on file /etc/cassandra/default.conf/cassandra.yaml
Info: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra.yaml]: Filebucketed /etc/cassandra/default.conf/cassandra.yaml to puppet with sum 92a23b8db27d99e9b50767e5bfcbcd05
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra.yaml]/content: content changed '{md5}92a23b8db27d99e9b50767e5bfcbcd05' to '{md5}1cf09e4874815d1b687601446b4df4a1'
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra.yaml]/owner: owner changed 'root' to 'cassandra'
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra.yaml]/group: group changed 'root' to 'cassandra'
Info: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra.yaml]: Scheduling refresh of Service[cassandra]
Info: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra.yaml]: Scheduling refresh of Service[cassandra]
Info: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra.yaml]: Scheduling refresh of Service[cassandra]
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra-rackdc.properties]/content:
--- /etc/cassandra/default.conf/cassandra-rackdc.properties     2020-10-29 11:47:19.000000000 +0100
+++ /tmp/puppet-file20220208-343687-1jnef34     2022-02-08 15:28:39.470893789 +0100
@@ -16,12 +16,12 @@

 # These properties are used with GossipingPropertyFileSnitch and will
 # indicate the rack and dc for this node
-dc=dc1
-rack=rack1
+dc=DC1
+rack=RACK1

 # Add a suffix to a datacenter name. Used by the Ec2Snitch and Ec2MultiRegionSnitch
 # to append a string to the EC2 region name.
 #dc_suffix=

 # Uncomment the following line to make this snitch prefer the internal ip when possible, as the Ec2MultiRegionSnitch does.
-# prefer_local=true
+prefer_local=true

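Review bot: the dc/rack rename in this hunk (dc1 to DC1, rack1 to RACK1) is harmless here only because the package was installed in the same run, so the node has no data yet; on a node that already holds data, Cassandra refuses to start when the snitch reports a datacenter or rack different from the one recorded in the system keyspace, so a later change to the `dc`/`rack` parameters of the profile would stop the service rather than migrate the node. Consider noting that in the profile or pinning the two values once the cluster is live.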
Info: Computing checksum on file /etc/cassandra/default.conf/cassandra-rackdc.properties
Info: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra-rackdc.properties]: Filebucketed /etc/cassandra/default.conf/cassandra-rackdc.properties to puppet with sum 560a25f2805cc316a2981a50dafd4e6b
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra-rackdc.properties]/content: content changed '{md5}560a25f2805cc316a2981a50dafd4e6b' to '{md5}e43732cbfe105322fb4cbc9077f259e1'
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra-rackdc.properties]/owner: owner changed 'root' to 'cassandra'
Notice: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra-rackdc.properties]/group: group changed 'root' to 'cassandra'
Info: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra-rackdc.properties]: Scheduling refresh of Service[cassandra]
Info: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra-rackdc.properties]: Scheduling refresh of Service[cassandra]
Info: /Stage[main]/Cassandra/File[/etc/cassandra/default.conf/cassandra-rackdc.properties]: Scheduling refresh of Service[cassandra]
Notice: /Stage[main]/Cassandra/Service[cassandra]: Triggered 'refresh' from 7 events
Notice: /Stage[main]/Cassandra::Schema/Exec[::cassandra::schema connection test]/returns: executed successfully
Notice: /Stage[main]/Cassandra::Schema/Cassandra::Schema::User[newuser]/Exec[Create user (newuser)]/returns: executed successfully
Notice: /Stage[main]/Profile::Cassandra/Exec[drop cassandra user from superuser]/returns: executed successfully
Notice: Applied catalog in 105.12 seconds

2nd puppet run

Notice: /Stage[main]/Cassandra::Schema/Cassandra::Schema::User[newuser]/Exec[Create user (newuser)]/returns: <stdin>:1:Unauthorized: Error from server: code=2100 [Unauthorized] message="User cassandra does not have sufficient privileges to perform the requested operation"
Error: '/usr/bin/cqlsh -u cassandra -p cassandra  -e "CREATE ROLE IF NOT EXISTS newuser WITH PASSWORD = 'nicepassword' AND SUPERUSER = true AND LOGIN = true" 10.201.208.110 9042' returned 2 instead of one of [0]
Error: /Stage[main]/Cassandra::Schema/Cassandra::Schema::User[newuser]/Exec[Create user (newuser)]/returns: change from 'notrun' to ['0'] failed: '/usr/bin/cqlsh -u cassandra -p cassandra  -e "CREATE ROLE IF NOT EXISTS newuser WITH PASSWORD = 'nicepassword' AND SUPERUSER = true AND LOGIN = true" 10.201.208.110 9042' returned 2 instead of one of [0] (corrective)
Notice: /Stage[main]/Profile::Cassandra/Exec[drop cassandra user from superuser]: Dependency Exec[Create user (newuser)] has failures: true
Warning: /Stage[main]/Profile::Cassandra/Exec[drop cassandra user from superuser]: Skipping because of failed dependencies
Notice: Applied catalog in 9.44 seconds

Any additional information you'd like to impart

Cassandra roles after the 1st run:

$ cqlsh -u newuser -p nicepassword -e 'LIST ROLES OF cassandra' localhost 9042

 role      | super | login | options
-----------+-------+-------+---------
 cassandra | False |  True |        {}

(1 rows)
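
The `onlyif` in the manifest above decides whether the ALTER USER exec runs by grepping the `LIST ROLES` table for `cassandra.*(True).*(True|False)`, which depends on the order in which True/False appear on the line rather than on the `super` column. The script below, an added example that is neither the poster's code nor part of the puppet-cassandra module, parses the table by header position instead and exits 0 when the role still has SUPERUSER, 1 when it does not, and 2 when the role is absent from the output. The sample tables are constructed (the first copied from the output shown above) and the function name `role_is_superuser` is an assumption of this example.

```shell
#!/bin/sh
# Added example: parse the table printed by `cqlsh -e 'LIST ROLES OF <role>'`
# and report whether <role> still carries the superuser flag.
#
# Usage:  role_is_superuser ROLE < output-of-list-roles
# Exit:   0 = superuser, 1 = not superuser, 2 = role not found in the table
role_is_superuser() {
    role="$1"
    awk -v role="$role" -F'|' '
        # Header row: find which column is named "super".
        /^ *role *\|/ {
            for (i = 1; i <= NF; i++) {
                gsub(/^ +| +$/, "", $i)
                if ($i == "super") super_col = i
            }
            next
        }
        # Data rows (the "----+----" separator and "(n rows)" have no "|").
        NF >= 2 && super_col {
            name = $1; gsub(/^ +| +$/, "", name)
            if (name == role) {
                flag = $super_col; gsub(/^ +| +$/, "", flag)
                found = 1
                exit_code = (flag == "True") ? 0 : 1
            }
        }
        END { exit (found ? exit_code : 2) }
    '
}

# Constructed sample: the table the issue shows after the first Puppet run.
ROLES_DEMOTED=$(cat <<'EOF'
 role      | super | login | options
-----------+-------+-------+---------
 cassandra | False |  True |        {}

(1 rows)
EOF
)

# Constructed sample: what a freshly installed node reports before the demotion.
ROLES_FRESH=$(cat <<'EOF'
 role      | super | login | options
-----------+-------+-------+---------
 cassandra |  True |  True |        {}

(1 rows)
EOF
)

# Demo: the same decision the `onlyif` in the manifest makes.
rc=0
printf '%s\n' "$ROLES_DEMOTED" | role_is_superuser cassandra || rc=$?
case $rc in
    0) echo "cassandra still has SUPERUSER: the ALTER USER exec should run" ;;
    1) echo "cassandra is no longer a superuser: nothing to do" ;;
    *) echo "role cassandra not present in the output" ;;
esac
```

Deployed as a file resource on the node, the function can replace the grep in the manifest's `onlyif` by piping `${_default_su_roles_cqlsh}` into it; exit status 2 is deliberately distinct so a missing role (for example after the default user is dropped) is not mistaken for "already demoted".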

4nt01ne commented Feb 9, 2022

I solved this by:

  • passing a new superuser to cassandra::schema for creation
  • saving the credential of the new superuser in a file
  • creating a fact that reads from that file; it defaults to the default user credential if the file is not found
  • using the cassandra credential fact to set the cqlsh user and password
  • deleting the default cassandra user if the credential fact represents a different user (cassandra::schema::user with ensure => absent)

This way, on the 1st run the cassandra::schema class is called with the default credentials, and from the next run on it uses the new superuser.
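
The comment above describes a fact that reads the stored superuser credential and falls back to the packaged cassandra/cassandra login on the first run. Below is an added example of such a fact written as a Puppet external fact (an executable placed in facts.d that prints key=value lines); it is not the poster's code and not part of the puppet-cassandra module. The credential file path `/etc/cassandra/.cqlsh_credentials`, its `user=`/`password=` layout and the fact names are assumptions of this example. It goes slightly beyond the comment: a credential file that group or others can write is ignored and reported through an extra fact, since whoever can edit that file chooses which superuser Puppet logs in with.

```shell
#!/bin/sh
# Added example: external Puppet fact reporting which cqlsh login the
# cassandra::schema class should use.  Prints the credentials saved by an
# earlier run, or the packaged default 'cassandra'/'cassandra' when no
# credential file exists yet (the first run).
#
# Assumed location and layout (two lines: user=NAME and password=SECRET).
CRED_FILE="${CASSANDRA_CRED_FILE:-/etc/cassandra/.cqlsh_credentials}"

cqlsh_credential_facts() {
    file="$1"
    user=cassandra
    password=cassandra
    ok=true
    if [ -f "$file" ]; then
        # Characters 6 and 9 of the `ls -l` mode string are the group and
        # other write bits; a file either can edit must not pick our login.
        case "$(ls -ld "$file" | cut -c6,9)" in
            *w*)
                echo "$file is group/world writable, ignoring it" >&2
                ok=false
                ;;
            *)
                # ${line#*=} keeps everything after the first '=', so a
                # password containing '=' survives intact.
                while IFS= read -r line || [ -n "$line" ]; do
                    key=${line%%=*}
                    value=${line#*=}
                    case "$key" in
                        user)     user=$value ;;
                        password) password=$value ;;
                    esac
                done < "$file"
                ;;
        esac
    fi
    # The manifest drops the packaged user only once a different superuser
    # is in use, otherwise it would lock itself out.
    drop=false
    if [ "$user" != cassandra ]; then
        drop=true
    fi
    printf 'cassandra_cqlsh_user=%s\n' "$user"
    printf 'cassandra_cqlsh_password=%s\n' "$password"
    printf 'cassandra_cqlsh_credentials_ok=%s\n' "$ok"
    printf 'cassandra_drop_default_user=%s\n' "$drop"
}

# Facter runs the script with no arguments; emit the facts.
cqlsh_credential_facts "$CRED_FILE"
```

The manifest would then pass `$facts['cassandra_cqlsh_user']` and `$facts['cassandra_cqlsh_password']` to cassandra::schema, declare the `cassandra::schema::user { 'cassandra': ensure => absent }` resource only when `cassandra_drop_default_user` is true, and fail the catalog when `cassandra_cqlsh_credentials_ok` is false. Fact values are sent to the Puppet server and retained in reports and PuppetDB where those are enabled, so a password carried as a fact is visible there; keeping only the user name in the fact and sourcing the password from Hiera (for example with hiera-eyaml) avoids that exposure.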
