diff --git a/auth/allow_all_authorizer.hh b/auth/allow_all_authorizer.hh index 83f59c3e59..e51ea9172a 100644 --- a/auth/allow_all_authorizer.hh +++ b/auth/allow_all_authorizer.hh @@ -60,17 +60,16 @@ public: return make_ready_future(permissions::ALL); } - virtual future<> grant(const authenticated_user&, permission_set, resource, sstring) override { + virtual future<> grant(permission_set, resource, sstring) override { throw exceptions::invalid_request_exception("GRANT operation is not supported by AllowAllAuthorizer"); } - virtual future<> revoke(const authenticated_user&, permission_set, resource, sstring) override { + virtual future<> revoke(permission_set, resource, sstring) override { throw exceptions::invalid_request_exception("REVOKE operation is not supported by AllowAllAuthorizer"); } virtual future> list( service&, - const authenticated_user& performer, permission_set, std::optional, std::optional) const override { diff --git a/auth/authorizer.hh b/auth/authorizer.hh index f1de1e3891..6615776070 100644 --- a/auth/authorizer.hh +++ b/auth/authorizer.hh @@ -57,8 +57,6 @@ namespace auth { class service; -class authenticated_user; - struct permission_details { sstring user; ::auth::resource resource; @@ -95,12 +93,12 @@ public: /// /// Grant a set of permissions to a user for a particular \ref resource. /// - virtual future<> grant(const authenticated_user& performer, permission_set, resource, sstring to) = 0; + virtual future<> grant(permission_set, resource, sstring to) = 0; /// /// Revoke a set of permissions from a user for a particular \ref resource. /// - virtual future<> revoke(const authenticated_user& performer, permission_set, resource, sstring from) = 0; + virtual future<> revoke(permission_set, resource, sstring from) = 0; /// /// Query for granted permissions. 
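Review bot: `allow_all_authorizer::grant` and `revoke` still `throw` synchronously rather than returning a failed future, and the callers changed later in this commit (`grant_statement::execute` and `revoke_statement::execute`) no longer wrap the call in `make_ready_future<>().then(...)`, which is what used to turn that throw into an exceptional future. With this authorizer configured, GRANT and REVOKE now appear to raise out of `execute()` itself, so a caller that only inspects the returned future would miss the error. Returning the error as a future keeps the contract uniform: `return make_exception_future<>(exceptions::invalid_request_exception("GRANT operation is not supported by AllowAllAuthorizer"));`, and the same for REVOKE. The class starts and ends outside this hunk.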
@@ -112,12 +110,7 @@ public: /// If `user` is empty, query for permissions of all users. Otherwise, query for permissions specific to that user. /// virtual future> - list( - service&, - const authenticated_user& performer, - permission_set matching, - std::optional resource, - std::optional user) const = 0; + list(service&, permission_set matching, std::optional resource, std::optional user) const = 0; /// /// Revoke all permissions granted to a particular user. diff --git a/auth/default_authorizer.cc b/auth/default_authorizer.cc index 95a19e350f..2c545de4dc 100644 --- a/auth/default_authorizer.cc +++ b/auth/default_authorizer.cc @@ -167,12 +167,7 @@ future auth::default_authorizer::authorize( }); } -future<> auth::default_authorizer::modify( - const authenticated_user& performer, - permission_set set, - resource resource, - sstring user, - sstring op) { +future<> auth::default_authorizer::modify(permission_set set, resource resource, sstring user, sstring op) { // TODO: why does this not check super user? auto query = sprint( "UPDATE %s.%s SET %s = %s %s ? WHERE %s = ? AND %s = ?", 
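Review bot: The `// TODO: why does this not check super user?` comment at the top of `default_authorizer::modify` can no longer be resolved inside this function, because the new signature receives no caller identity. Since `grant` and `revoke` now change permissions for whoever calls them, the expectation that the caller's right to do so was verified beforehand should be written down, e.g. replace the TODO with `// No access check here: callers must have authorized the requesting user before invoking grant/revoke.` A matching sentence on the `grant` and `revoke` doc comments in `auth/authorizer.hh` would make this part of the interface contract. The body of `modify` continues outside the hunk, so whether any check exists further down cannot be seen here.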
@@ -191,25 +186,16 @@ future<> auth::default_authorizer::modify( } -future<> auth::default_authorizer::grant( - const authenticated_user& performer, - permission_set set, - resource resource, - sstring to) { - return modify(performer, std::move(set), std::move(resource), std::move(to), "+"); +future<> auth::default_authorizer::grant(permission_set set, resource resource, sstring to) { + return modify(std::move(set), std::move(resource), std::move(to), "+"); } -future<> auth::default_authorizer::revoke( - const authenticated_user& performer, - permission_set set, - resource resource, - sstring from) { - return modify(performer, std::move(set), std::move(resource), std::move(from), "-"); +future<> auth::default_authorizer::revoke(permission_set set, resource resource, sstring from) { + return modify(std::move(set), std::move(resource), std::move(from), "-"); } future> auth::default_authorizer::list( service& ser, - const authenticated_user&, permission_set set, std::optional resource, std::optional role) const { diff --git a/auth/default_authorizer.hh b/auth/default_authorizer.hh index fde7713c74..04c95d38cc 100644 --- a/auth/default_authorizer.hh +++ b/auth/default_authorizer.hh @@ -71,17 +71,12 @@ public: virtual future authorize(service&, sstring, resource) const override; - virtual future<> grant(const authenticated_user&, permission_set, resource, sstring) override; + virtual future<> grant(permission_set, resource, sstring) override; - virtual future<> revoke(const authenticated_user&, permission_set, resource, sstring) override; + virtual future<> revoke(permission_set, resource, sstring) override; virtual future> - list( - service&, - const authenticated_user&, - permission_set, - std::optional, - std::optional) const override; + list(service&, permission_set, std::optional, std::optional) const override; virtual future<> revoke_all(sstring) override; 
@@ -90,7 +85,7 @@ public: virtual const resource_set& protected_resources() override; private: - future<> modify(const authenticated_user& performer, permission_set, resource, sstring, sstring); + future<> modify(permission_set, resource, sstring, sstring); /// /// Permissions granted directly to a role, rather than those inherited. diff --git a/auth/role_manager.hh b/auth/role_manager.hh index 9de9360489..b822438712 100644 --- a/auth/role_manager.hh +++ b/auth/role_manager.hh @@ -37,8 +37,6 @@ namespace auth { -class authenticated_user; - struct role_config final { bool is_superuser{false}; bool can_login{false}; 
@@ -141,31 +139,27 @@ public: virtual future<> stop() = 0; // Must throw `role_already_exists` for a role that has previously been created. - virtual future<> - create(const authenticated_user& performer, stdx::string_view role_name, const role_config&) = 0; + virtual future<> create(stdx::string_view role_name, const role_config&) = 0; // Must throw `nonexistant_role` if the role does not exist. - virtual future<> drop(const authenticated_user& performer, stdx::string_view role_name) = 0; + virtual future<> drop(stdx::string_view role_name) = 0; // Must throw `nonexistant_role` if the role does not exist. - virtual future<> - alter(const authenticated_user& performer, stdx::string_view role_name, const role_config_update&) = 0; + virtual future<> alter(stdx::string_view role_name, const role_config_update&) = 0; // Grant `role_name` to `grantee_name`. // // Must throw `nonexistant_role` if either the role or the grantee do not exist. // // Must throw `role_already_included` if granting the role would be redundant, or create a cycle. - virtual future<> - grant(const authenticated_user& performer, stdx::string_view grantee_name, stdx::string_view role_name) = 0; + virtual future<> grant(stdx::string_view grantee_name, stdx::string_view role_name) = 0; // Revoke `role_name` from `revokee_name`. // // Must throw `nonexistant_role` if either the role or the revokee do not exist. // // Must throw `revoke_ungranted_role` if the role was not granted. - virtual future<> - revoke(const authenticated_user& performer, stdx::string_view revokee_name, stdx::string_view role_name) = 0; + virtual future<> revoke(stdx::string_view revokee_name, stdx::string_view role_name) = 0; // Must throw `nonexistant_role` if the role does not exist. virtual future> query_granted(stdx::string_view grantee, recursive_role_query) const = 0; diff --git a/auth/service.cc b/auth/service.cc index a2dc62fe45..a3b6130572 100644 --- a/auth/service.cc +++ b/auth/service.cc 
@@ -322,14 +322,10 @@ static void validate_authentication_options_are_supported( future<> create_role( service& ser, - const authenticated_user& performer, stdx::string_view name, const role_config& config, const authentication_options& options) { - return ser.underlying_role_manager().create( - performer, - name, - config).then([&ser, &performer, name, &options] { + return ser.underlying_role_manager().create(name, config).then([&ser, name, &options] { if (!auth::any_authentication_options(options)) { return make_ready_future<>(); } @@ -339,9 +335,9 @@ future<> create_role( options, ser.underlying_authenticator().supported_options()).then([&ser, name, &options] { return ser.underlying_authenticator().create(sstring(name), options); - }).handle_exception([&ser, &performer, &name](std::exception_ptr ep) { + }).handle_exception([&ser, &name](std::exception_ptr ep) { // Roll-back. - return ser.underlying_role_manager().drop(performer, name).then([ep = std::move(ep)] { + return ser.underlying_role_manager().drop(name).then([ep = std::move(ep)] { std::rethrow_exception(ep); }); }); @@ -350,11 +346,10 @@ future<> create_role( future<> alter_role( service& ser, - const authenticated_user& performer, stdx::string_view name, const role_config_update& config_update, const authentication_options& options) { - return ser.underlying_role_manager().alter(performer, name, config_update).then([&ser, name, &options] { + return ser.underlying_role_manager().alter(name, config_update).then([&ser, name, &options] { if (!any_authentication_options(options)) { return make_ready_future<>(); } 
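Review bot: The roll-back handler in `create_role` captures `name` by reference (`[&ser, &name](std::exception_ptr ep)`), and that `name` is the `stdx::string_view` copy held by the enclosing `.then([&ser, name, &options] ...)` lambda. If the authenticator's `create` future is not yet resolved when the enclosing lambda returns, that copy may already be destroyed when the handler runs, and `drop(name)` would read a dangling view, so a role whose credentials failed to be created might not be rolled back. Copying the view is free, so `}).handle_exception([&ser, name](std::exception_ptr ep) {` removes the lifetime question. `&options` is also borrowed across continuations in `create_role` and `alter_role`; a comment stating that the caller must keep it alive until the returned future resolves would help. Part of the validation call sits between the two hunks and is not visible here.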
@@ -368,12 +363,12 @@ future<> alter_role( }); } -future<> drop_role(service& ser, const authenticated_user& performer, stdx::string_view name) { - return do_with(sstring(name), [&ser, &performer](const auto& name) { +future<> drop_role(service& ser, stdx::string_view name) { + return do_with(sstring(name), [&ser](const auto& name) { return ser.underlying_authorizer().revoke_all(name).then([&ser, &name] { return ser.underlying_authenticator().drop(name); - }).then([&ser, &performer, &name] { - return ser.underlying_role_manager().drop(performer, name); + }).then([&ser, &name] { + return ser.underlying_role_manager().drop(name); }); }); } diff --git a/auth/service.hh b/auth/service.hh index 8985a221b5..65a5076a20 100644 --- a/auth/service.hh +++ b/auth/service.hh @@ -29,7 +29,6 @@ #include "auth/authenticator.hh" #include "auth/authorizer.hh" -#include "auth/authenticated_user.hh" #include "auth/permission.hh" #include "auth/permissions_cache.hh" #include "auth/role_manager.hh" @@ -190,7 +189,6 @@ bool is_enforcing(const service&); /// future<> create_role( service&, - const authenticated_user& performer, stdx::string_view name, const role_config&, const authentication_options&); @@ -204,7 +202,6 @@ future<> create_role( /// future<> alter_role( service&, - const authenticated_user& performer, stdx::string_view name, const role_config_update&, const authentication_options&); @@ -214,7 +211,7 @@ future<> alter_role( /// /// \returns an exceptional future with \ref nonexistant_role if the named role does not exist. /// -future<> drop_role(service&, const authenticated_user& performer, stdx::string_view name); +future<> drop_role(service&, stdx::string_view name); /// /// Check if `grantee` has been granted the named role. diff --git a/auth/standard_role_manager.cc b/auth/standard_role_manager.cc index 4b507b8044..00f3d85300 100644 --- a/auth/standard_role_manager.cc +++ b/auth/standard_role_manager.cc 
@@ -240,7 +240,7 @@ future<> standard_role_manager::stop() { } future<> -standard_role_manager::create(const authenticated_user& performer, stdx::string_view role_name, const role_config& c) { +standard_role_manager::create(stdx::string_view role_name, const role_config& c) { static const sstring query = sprint( "INSERT INTO %s (%s, is_superuser, can_login) VALUES (?, ?, ?)", meta::roles_table::qualified_name(), @@ -260,7 +260,7 @@ standard_role_manager::create(const authenticated_user& performer, stdx::string_ } future<> -standard_role_manager::alter(const authenticated_user&, stdx::string_view role_name, const role_config_update& u) { +standard_role_manager::alter(stdx::string_view role_name, const role_config_update& u) { static const auto build_column_assignments = [](const role_config_update& u) -> sstring { std::vector assignments; @@ -291,7 +291,7 @@ standard_role_manager::alter(const authenticated_user&, stdx::string_view role_n }); } -future<> standard_role_manager::drop(const authenticated_user&, stdx::string_view role_name) { +future<> standard_role_manager::drop(stdx::string_view role_name) { return this->exists(role_name).then([this, role_name](bool role_exists) { if (!role_exists) { throw nonexistant_role(role_name); @@ -400,10 +400,7 @@ standard_role_manager::modify_membership( } future<> -standard_role_manager::grant( - const authenticated_user&, - stdx::string_view grantee_name, - stdx::string_view role_name) { +standard_role_manager::grant(stdx::string_view grantee_name, stdx::string_view role_name) { const auto check_redundant = [this, role_name, grantee_name] { return this->query_granted( grantee_name, 
@@ -434,10 +431,7 @@ standard_role_manager::grant( } future<> -standard_role_manager::revoke( - const authenticated_user&, - stdx::string_view revokee_name, - stdx::string_view role_name) { +standard_role_manager::revoke(stdx::string_view revokee_name, stdx::string_view role_name) { return this->exists(role_name).then([this, revokee_name, role_name](bool role_exists) { if (!role_exists) { throw nonexistant_role(sstring(role_name)); diff --git a/auth/standard_role_manager.hh b/auth/standard_role_manager.hh index b210f84609..663ec97924 100644 --- a/auth/standard_role_manager.hh +++ b/auth/standard_role_manager.hh @@ -64,19 +64,15 @@ public: virtual future<> stop() override; - virtual future<> - create(const authenticated_user& performer, stdx::string_view role_name, const role_config&) override; + virtual future<> create(stdx::string_view role_name, const role_config&) override; - virtual future<> drop(const authenticated_user& performer, stdx::string_view role_name) override; + virtual future<> drop(stdx::string_view role_name) override; - virtual future<> - alter(const authenticated_user& performer, stdx::string_view role_name, const role_config_update&) override; + virtual future<> alter(stdx::string_view role_name, const role_config_update&) override; - virtual future<> - grant(const authenticated_user& performer, stdx::string_view grantee_name, stdx::string_view role_name) override; + virtual future<> grant(stdx::string_view grantee_name, stdx::string_view role_name) override; - virtual future<> - revoke(const authenticated_user& performer, stdx::string_view revokee_name, stdx::string_view role_name) override; + virtual future<> revoke(stdx::string_view revokee_name, stdx::string_view role_name) override; virtual future> query_granted(stdx::string_view grantee_name, recursive_role_query) const override; diff --git a/auth/transitional.cc b/auth/transitional.cc index 1ba809320b..52f2c84aa7 100644 --- a/auth/transitional.cc +++ b/auth/transitional.cc 
@@ -218,22 +218,21 @@ public: }); } - virtual future<> grant(const authenticated_user& user, permission_set ps, resource r, sstring s) override { - return _authorizer->grant(user, std::move(ps), std::move(r), std::move(s)); + virtual future<> grant(permission_set ps, resource r, sstring s) override { + return _authorizer->grant(std::move(ps), std::move(r), std::move(s)); } - virtual future<> revoke(const authenticated_user& user, permission_set ps, resource r, sstring s) override { - return _authorizer->revoke(user, std::move(ps), std::move(r), std::move(s)); + virtual future<> revoke(permission_set ps, resource r, sstring s) override { + return _authorizer->revoke(std::move(ps), std::move(r), std::move(s)); } virtual future> list( service& ser, - const authenticated_user& user, permission_set ps, std::optional r, std::optional s) const override { - return _authorizer->list(ser, user, std::move(ps), std::move(r), std::move(s)); + return _authorizer->list(ser, std::move(ps), std::move(r), std::move(s)); } virtual future<> revoke_all(sstring s) override { diff --git a/cql3/statements/grant_statement.cc b/cql3/statements/grant_statement.cc index b2da5940be..9ee251f723 100644 --- a/cql3/statements/grant_statement.cc +++ b/cql3/statements/grant_statement.cc @@ -44,12 +44,9 @@ future<::shared_ptr> cql3::statements::grant_statement::execute(distributed& proxy, service::query_state& state, const query_options& options) { - auto& client_state = state.get_client_state(); - auto& auth_service = *client_state.get_auth_service(); + auto& auth_service = *state.get_client_state().get_auth_service(); - return make_ready_future<>().then([this, &auth_service, user = client_state.user()] { - return auth_service.underlying_authorizer().grant(*user, _permissions, _resource, _username).finally([user] {}); - }).then([] { + return auth_service.underlying_authorizer().grant(_permissions, _resource, _username).then([] { return make_ready_future<::shared_ptr>(); }); } 
diff --git a/cql3/statements/list_permissions_statement.cc b/cql3/statements/list_permissions_statement.cc index 44029ac6f0..ba1ca65e36 100644 --- a/cql3/statements/list_permissions_statement.cc +++ b/cql3/statements/list_permissions_statement.cc @@ -155,18 +155,7 @@ cql3::statements::list_permissions_statement::execute( resources, [&state, this](opt_resource r) { auto& auth_service = *state.get_client_state().get_auth_service(); - return make_ready_future<>().then([ - this, - r = std::move(r), - &auth_service, - user = state.get_client_state().user()] { - return auth_service.underlying_authorizer().list( - auth_service, - *user, - _permissions, - std::move(r), - _username).finally([user] {}); - }); + return auth_service.underlying_authorizer().list(auth_service, _permissions, std::move(r), _username); }, std::vector(), [](std::vector details, std::vector pd) { diff --git a/cql3/statements/revoke_statement.cc b/cql3/statements/revoke_statement.cc index 111cfac105..9df94d8a5c 100644 --- a/cql3/statements/revoke_statement.cc +++ b/cql3/statements/revoke_statement.cc @@ -44,12 +44,9 @@ future<::shared_ptr> cql3::statements::revoke_statement::execute(distributed& proxy, service::query_state& state, const query_options& options) { - auto& client_state = state.get_client_state(); - auto& auth_service = *client_state.get_auth_service(); + auto& auth_service = *state.get_client_state().get_auth_service(); - return make_ready_future<>().then([this, &auth_service, user = client_state.user()] { - return auth_service.underlying_authorizer().revoke(*user, _permissions, _resource, _username).finally([user] {}); - }).then([] { + return auth_service.underlying_authorizer().revoke(_permissions, _resource, _username).then([] { return make_ready_future<::shared_ptr>(); }); } diff --git a/cql3/statements/role-management-statements.cc b/cql3/statements/role-management-statements.cc index 9243bb689a..b5c275c410 100644 --- a/cql3/statements/role-management-statements.cc 
+++ b/cql3/statements/role-management-statements.cc @@ -111,10 +111,9 @@ create_role_statement::execute(distributed&, std::move(config), extract_authentication_options(_options), [this, &state](const auth::role_config& config, const auth::authentication_options& authen_options) { - auto& cs = state.get_client_state(); - auto& as = *cs.get_auth_service(); + auto& as = *state.get_client_state().get_auth_service(); - return auth::create_role(as, *cs.user(), _role, config, authen_options).then([] { + return auth::create_role(as, _role, config, authen_options).then([] { return void_result_message(); }).handle_exception_type([this](const auth::role_already_exists& e) { if (!_if_not_exists) { @@ -186,10 +185,9 @@ alter_role_statement::execute(distributed&, service::que std::move(update), extract_authentication_options(_options), [this, &state](const auth::role_config_update& update, const auth::authentication_options& authen_options) { - auto& cs = state.get_client_state(); - auto& as = *cs.get_auth_service(); + auto& as = *state.get_client_state().get_auth_service(); - return auth::alter_role(as, *cs.user(), _role, update, authen_options).then([] { + return auth::alter_role(as, _role, update, authen_options).then([] { return void_result_message(); }).handle_exception_type([](const auth::roles_argument_exception& e) { return make_exception_future(exceptions::invalid_request_exception(e.what())); @@ -238,10 +236,9 @@ future drop_role_statement::execute(distributed&, service::query_state& state, const query_options&) { unimplemented::warn(unimplemented::cause::ROLES); - auto& cs = state.get_client_state(); - auto& as = *cs.get_auth_service(); + auto& as = *state.get_client_state().get_auth_service(); - return auth::drop_role(as, *cs.user(), _role).then([] { + return auth::drop_role(as, _role).then([] { return void_result_message(); }).handle_exception_type([this](const auth::nonexistant_role& e) { if (!_if_exists) { 
@@ -378,10 +375,9 @@ future grant_role_statement::execute(distributed&, service::query_state& state, const query_options&) { unimplemented::warn(unimplemented::cause::ROLES); - auto& cs = state.get_client_state(); - auto& as = *cs.get_auth_service(); + auto& as = *state.get_client_state().get_auth_service(); - return as.underlying_role_manager().grant(*cs.user(), _grantee, _role).then([] { + return as.underlying_role_manager().grant(_grantee, _role).then([] { return void_result_message(); }).handle_exception_type([](const auth::roles_argument_exception& e) { throw exceptions::invalid_request_exception(e.what()); @@ -405,10 +401,9 @@ revoke_role_statement::execute( const query_options&) { unimplemented::warn(unimplemented::cause::ROLES); - auto& cs = state.get_client_state(); - auto& rm = cs.get_auth_service()->underlying_role_manager(); + auto& rm = state.get_client_state().get_auth_service()->underlying_role_manager(); - return rm.revoke(*cs.user(), _revokee, _role).then([] { + return rm.revoke(_revokee, _role).then([] { return void_result_message(); }).handle_exception_type([](const auth::roles_argument_exception& e) { throw exceptions::invalid_request_exception(e.what()); diff --git a/tests/cql_test_env.cc b/tests/cql_test_env.cc index e527a4868c..d2644a020c 100644 --- a/tests/cql_test_env.cc +++ b/tests/cql_test_env.cc @@ -371,7 +371,6 @@ public: auth::create_role( auth_service->local(), - auth::authenticated_user(), testing_superuser, config, auth::authentication_options()).get0(); diff --git a/tests/role_manager_test.cc b/tests/role_manager_test.cc index e9eeb5154c..19d9bf1e2e 100644 --- a/tests/role_manager_test.cc +++ b/tests/role_manager_test.cc @@ -23,7 +23,6 @@ #include -#include "auth/authenticated_user.hh" #include "service/migration_manager.hh" #include "tests/cql_test_env.hh" 
@@ -51,7 +50,7 @@ SEASTAR_TEST_CASE(create_role) { auth::role_config c; c.is_superuser = true; - m->create(anon, "admin", c).get(); + m->create("admin", c).get(); BOOST_REQUIRE_EQUAL(m->exists("admin").get0(), true); BOOST_REQUIRE_EQUAL(m->can_login("admin").get0(), false); BOOST_REQUIRE_EQUAL(m->is_superuser("admin").get0(), true); @@ -64,7 +63,7 @@ SEASTAR_TEST_CASE(create_role) { // Creating a role that already exists is an error. // - BOOST_REQUIRE_THROW(m->create(anon, "admin", c).get0(), auth::role_already_exists); + BOOST_REQUIRE_THROW(m->create("admin", c).get0(), auth::role_already_exists); }); } @@ -79,28 +78,28 @@ SEASTAR_TEST_CASE(drop_role) { // Create a role, then drop it, then verify it's gone. // - m->create(anon, "lord", auth::role_config()).get(); - m->drop(anon, "lord").get(); + m->create("lord", auth::role_config()).get(); + m->drop("lord").get(); BOOST_REQUIRE_EQUAL(m->exists("lord").get0(), false); // // Dropping a role revokes it from other roles and revokes other roles from it. // - m->create(anon, "peasant", auth::role_config()).get0(); - m->create(anon, "lord", auth::role_config()).get0(); - m->create(anon, "king", auth::role_config()).get0(); + m->create("peasant", auth::role_config()).get0(); + m->create("lord", auth::role_config()).get0(); + m->create("king", auth::role_config()).get0(); auth::role_config tim_config; tim_config.is_superuser = false; tim_config.can_login = true; - m->create(anon, "tim", tim_config).get0(); + m->create("tim", tim_config).get0(); - m->grant(anon, "lord", "peasant").get0(); - m->grant(anon, "king", "lord").get0(); - m->grant(anon, "tim", "lord").get0(); + m->grant("lord", "peasant").get0(); + m->grant("king", "lord").get0(); + m->grant("tim", "lord").get0(); - m->drop(anon, "lord").get0(); + m->drop("lord").get0(); BOOST_REQUIRE_EQUAL( m->query_granted("tim", auth::recursive_role_query::yes).get0(), 
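Review bot: None of the calls in these test hunks pass `anon` any more, yet no hunk in `tests/role_manager_test.cc` removes its declaration. Every hunk header in the file is offset by exactly one line, which is accounted for by the dropped `#include "auth/authenticated_user.hh"`. If `anon` is declared in this file (the declaration is not visible here), it is now unused and its type is reachable only through a transitive include. Removing the declaration together with the include would keep the test self-contained.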
@@ -114,7 +113,7 @@ SEASTAR_TEST_CASE(drop_role) { // Dropping a role that does not exist is an error. // - BOOST_REQUIRE_THROW(m->drop(anon, "emperor").get0(), auth::nonexistant_role); + BOOST_REQUIRE_THROW(m->drop("emperor").get0(), auth::nonexistant_role); }); } @@ -128,17 +127,17 @@ SEASTAR_TEST_CASE(grant_role) { auth::role_config jsnow_config; jsnow_config.is_superuser = false; jsnow_config.can_login = true; - m->create(anon, "jsnow", jsnow_config).get0(); + m->create("jsnow", jsnow_config).get0(); - m->create(anon, "lord", auth::role_config()).get0(); - m->create(anon, "king", auth::role_config()).get0(); + m->create("lord", auth::role_config()).get0(); + m->create("king", auth::role_config()).get0(); // // All kings have the rights of lords, and 'jsnow' is a king. // - m->grant(anon, "king", "lord").get0(); - m->grant(anon, "jsnow", "king").get0(); + m->grant("king", "lord").get0(); + m->grant("jsnow", "king").get0(); BOOST_REQUIRE_EQUAL( m->query_granted("king", auth::recursive_role_query::yes).get0(), @@ -153,10 +152,10 @@ SEASTAR_TEST_CASE(grant_role) { (std::unordered_set{"jsnow", "king", "lord"})); // A non-existing role cannot be granted. - BOOST_REQUIRE_THROW(m->grant(anon, "jsnow", "doctor").get0(), auth::nonexistant_role); + BOOST_REQUIRE_THROW(m->grant("jsnow", "doctor").get0(), auth::nonexistant_role); // A role cannot be granted to a non-existing role. - BOOST_REQUIRE_THROW(m->grant(anon, "hpotter", "lord").get0(), auth::nonexistant_role); + BOOST_REQUIRE_THROW(m->grant("hpotter", "lord").get0(), auth::nonexistant_role); }); } 
@@ -170,32 +169,32 @@ SEASTAR_TEST_CASE(revoke_role) { auth::role_config rrat_config; rrat_config.is_superuser = false; rrat_config.can_login = true; - m->create(anon, "rrat", rrat_config).get0(); + m->create("rrat", rrat_config).get0(); - m->create(anon, "chef", auth::role_config()).get0(); - m->create(anon, "sous_chef", auth::role_config()).get0(); + m->create("chef", auth::role_config()).get0(); + m->create("sous_chef", auth::role_config()).get0(); - m->grant(anon, "chef", "sous_chef").get0(); - m->grant(anon, "rrat", "chef").get0(); + m->grant("chef", "sous_chef").get0(); + m->grant("rrat", "chef").get0(); - m->revoke(anon, "chef", "sous_chef").get0(); + m->revoke("chef", "sous_chef").get0(); BOOST_REQUIRE_EQUAL( m->query_granted("rrat", auth::recursive_role_query::yes).get0(), (std::unordered_set{"chef", "rrat"})); - m->revoke(anon, "rrat", "chef").get0(); + m->revoke("rrat", "chef").get0(); BOOST_REQUIRE_EQUAL( m->query_granted("rrat", auth::recursive_role_query::yes).get0(), std::unordered_set{"rrat"}); // A non-existing role cannot be revoked. - BOOST_REQUIRE_THROW(m->revoke(anon, "rrat", "taster").get0(), auth::nonexistant_role); + BOOST_REQUIRE_THROW(m->revoke("rrat", "taster").get0(), auth::nonexistant_role); // A role cannot be revoked from a non-existing role. - BOOST_REQUIRE_THROW(m->revoke(anon, "ccasper", "chef").get0(), auth::nonexistant_role); + BOOST_REQUIRE_THROW(m->revoke("ccasper", "chef").get0(), auth::nonexistant_role); // Revoking a role not granted is an error. - BOOST_REQUIRE_THROW(m->revoke(anon, "rrat", "sous_chef").get0(), auth::revoke_ungranted_role); + BOOST_REQUIRE_THROW(m->revoke("rrat", "sous_chef").get0(), auth::revoke_ungranted_role); }); } 
@@ -209,17 +208,17 @@ SEASTAR_TEST_CASE(alter_role) { auth::role_config tsmith_config; tsmith_config.is_superuser = true; tsmith_config.can_login = true; - m->create(anon, "tsmith", tsmith_config).get0(); + m->create("tsmith", tsmith_config).get0(); auth::role_config_update u; u.can_login = false; - m->alter(anon, "tsmith", u).get0(); + m->alter("tsmith", u).get0(); BOOST_REQUIRE_EQUAL(m->is_superuser("tsmith").get0(), true); BOOST_REQUIRE_EQUAL(m->can_login("tsmith").get0(), false); // Altering a non-existing role is an error. - BOOST_REQUIRE_THROW(m->alter(anon, "hjones", u).get0(), auth::nonexistant_role); + BOOST_REQUIRE_THROW(m->alter("hjones", u).get0(), auth::nonexistant_role); }); }