test: implement test_auth_password_ensured

Before fix of scylladb#20566, CQL was served irrespectively of default
superuser password creation, which led to an incorrect product behavior
and sporadic test failures. This test verifies race condition of serving
CQL and creating default superuser password. Injected failure is used to
ensure CQL use is attempted before default superuser password creation,
however, the attempt is expected to fail because scylladb#20566 is
fixed. Following that, the injected error is notified, so CQL driver can
be started correctly. Finally, CREATE USER query is executed to confirm
successful superuser authentication.

This change:
 - Implement test_auth_password_ensured.py

The test starts a server without expecting CQL serving, because
expected_server_up_state=ServerUpState.HOST_ID_QUERIED and
connect_driver=False. Error password_authenticator_start_pause is
injected to block superuser password setup during server startup.
Next, the test waits for a log to confirm that the code implementing
injected error is reached. When the server startup procedure is
unfinished, some operations might not complete on a first try, so
waiting for driver connection is wrapped in repeat_if_host_unavailable.

test/auth_cluster/test_auth_password_ensured.py

@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2025-present ScyllaDB
+#
+# SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.0
+#
+
+import pytest
+import logging
+import time
+
+from cassandra.cluster import NoHostAvailable
+from test.auth_cluster.conftest import skip_mode
+from test.pylib.manager_client import ManagerClient, ServerUpState
+from test.pylib.util import wait_for
+
+async def repeat_if_host_unavailable(f):
+    async def try_execute(f):
+        try:
+            await f()
+            return True
+        except NoHostAvailable:
+            return None
+    return await wait_for(lambda: try_execute(f), time.time() + 60)
+
+"""
+Test CQL is served only after superuser default password is created.
+After CQL is served, user is properily authenticated as superuser (not annonymous user)
+"""
+@pytest.mark.asyncio
+@skip_mode('release', 'error injection is disabled in release mode')
+async def test_auth_password_ensured(manager: ManagerClient) -> None:
+    config = {
+        'authenticator': "com.scylladb.auth.TransitionalAuthenticator",
+        'error_injections_at_startup': ['password_authenticator_start_pause'],
+    }
+    server = await manager.server_add(config=config, expected_server_up_state=ServerUpState.HOST_ID_QUERIED, connect_driver=False)
+
+    logging.info("Waiting until PasswordAuthenticator pauses on the injected error")
+    server_log = await manager.server_open_log(server.server_id)
+    await server_log.wait_for("password_authenticator_start_pause: waiting for message")
+
+    with pytest.raises(NoHostAvailable, match="Unable to connect to any servers"):
+        logging.info("Expecting driver connection failure, because password_authenticator_start_pause blocks serving CQL")
+        await manager.driver_connect()
+
+    await manager.api.message_injection(server.ip_addr, 'password_authenticator_start_pause')
+    await repeat_if_host_unavailable(manager.driver_connect)
+
+    cql, _ = await manager.get_ready_cql([server])
+
+    logging.info("Run CREATE USER to confirm successful superuser authentication")
+    await cql.run_async("CREATE USER normal WITH PASSWORD '123456' NOSUPERUSER")
+