From 68fc4c6d61a63b89ba8ef58b00a781fededdd1c6 Mon Sep 17 00:00:00 2001
From: Marcin Maliszkiewicz <marcinmal@scylladb.com>
Date: Wed, 30 Apr 2025 11:24:55 +0200
Subject: [PATCH] auth: wait for default role creation before starting
 authorizer and authenticator

There is a hidden dependency: the creation of the default superuser role
is split between the password authenticator and the role manager.
To work correctly, they must start in the right order: role manager first,
then password authenticator.
---
 auth/service.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/auth/service.cc b/auth/service.cc
index 2b78c0a149..ea3bc1abf7 100644
--- a/auth/service.cc
+++ b/auth/service.cc
@@ -240,6 +240,13 @@ future<> service::start(::service::migration_manager& mm, db::system_keyspace& s
         });
     }
     co_await _role_manager->start();
+    if (this_shard_id() == 0) {
+        // Role manager and password authenticator have this odd startup
+        // mechanism where they asynchronously create the superuser role
+        // in the background. Correct password creation depends on role
+        // creation therefore we need to wait here.
+        co_await _role_manager->ensure_superuser_is_created();
+    }
     co_await when_all_succeed(_authorizer->start(), _authenticator->start()).discard_result();
     _permissions_cache = std::make_unique<permissions_cache>(_loading_cache_config, *this, log);
     co_await once_among_shards([this] {