Auth#hasExistingUsers() itself can be improved - should do the first SELECT query with CL.ONE first, before trying QUORUM.
There is no good reason to limit setup to
If there was one, it's a leftover from 1.1 private implementation era.
Finally, the setup write itself should happen at CL.ONE. The logged warning would be a lie in the QUORUM case if at least one node got the write ("skipped default user setup: some nodes were not ready")