24.8.14 Backport of #65277: Multi auth methods

[zvonand]

Changelog category (leave one):

• Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Allow a user to have multiple authentication methods instead of only one. Allow authentication methods to be reset to most recently added method. (ClickHouse#65277 by @arthurpassos)

CI/CD Options

Exclude tests:

• Fast test
• Integration Tests
• Stateless tests
• Stateful tests
• Performance tests
• All with ASAN
• All with TSAN
• All with MSAN
• All with UBSAN
• All with Coverage
• All with Aarch64
• All Regression
• Disable CI Cache

Regression jobs to run:

• Fast suites (mostly <1h)
• Aggregate Functions (2h)
• Alter (1.5h)
• Benchmark (30m)
• ClickHouse Keeper (1h)
• Iceberg (2h)
• LDAP (1h)
• Parquet (1.5h)
• RBAC (1.5h)
• SSL Server (1h)
• S3 (2h)
• Tiered Storage (2h)

[altinity-robot]

This is an automated comment for commit 6feef96 with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Check name	Description	Status
Sign aarch64	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	❌ error
Sign release	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	❌ error

Successful checks

Check name	Description	Status
AST fuzzer	Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help	✅ success
Builds	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Compatibility check	Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help	✅ success
Docker keeper image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docker server image	The check to build and optionally push the mentioned image to docker hub	✅ success
Grype Scan altinityinfra/clickhouse-keeper:1371-24.8.14.10527.altinitytest	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Grype Scan altinityinfra/clickhouse-server:1371-24.8.14.10527.altinitytest-alpine	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Grype Scan altinityinfra/clickhouse-server:1371-24.8.14.10527.altinitytest	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Install packages	Checks that the built packages are installable in a clear environment	✅ success
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	✅ success
Ready for release	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Alter attach partition 1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Alter attach partition 2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Alter move partition	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Alter replace partition	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Benchmark aws_s3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Benchmark gcs	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Benchmark minio	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Clickhouse Keeper no_ssl 1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Clickhouse Keeper no_ssl 2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Clickhouse Keeper ssl 1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Clickhouse Keeper ssl 2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 LDAP authentication	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 LDAP external_user_directory	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 LDAP role_mapping	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Parquet aws_s3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Parquet minio	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Parquet	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 aws_s3-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 aws_s3-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 azure-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 azure-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 gcs-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 gcs-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 minio-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 minio-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 S3 minio-3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Tiered Storage minio	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 Tiered Storage s3amazon	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 aes_encryption	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 aggregate_functions-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 aggregate_functions-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 atomic_insert	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 base_58	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 data_types	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 datetime64_extended_range	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 disk_level_encryption	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 dns	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 engines	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 example	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 extended_precision_data_types	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 functions	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 kafka	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 kerberos	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 key_value	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 lightweight_delete	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 memory	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 part_moves_between_shards	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 rbac	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 selects	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 session_timezone	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 ssl_server-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 ssl_server-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 ssl_server-3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 tiered_storage	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 version	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression aarch64 window_functions	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Alter attach partition 1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Alter attach partition 2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Alter move partition	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Benchmark aws_s3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Benchmark gcs	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Benchmark minio	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Clickhouse Keeper no_ssl 1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Clickhouse Keeper no_ssl 2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Clickhouse Keeper ssl 1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Clickhouse Keeper ssl 2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release LDAP authentication	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release LDAP external_user_directory	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release LDAP role_mapping	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Parquet aws_s3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Parquet minio	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Parquet	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 aws_s3-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 aws_s3-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 azure-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 azure-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 gcs-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 gcs-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 minio-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 minio-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release S3 minio-3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Tiered Storage minio	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release Tiered Storage s3amazon	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release aes_encryption	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release aggregate_functions-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release aggregate_functions-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release aggregate_functions-3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release atomic_insert	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release base_58	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release data_types	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release datetime64_extended_range	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release disk_level_encryption	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release dns	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release engines	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release example	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release extended_precision_data_types	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release functions	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release kafka	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release kerberos	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release key_value	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release lightweight_delete	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release memory	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release part_moves_between_shards	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release rbac	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release selects	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release session_timezone	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release ssl_server-1	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release ssl_server-2	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release ssl_server-3	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release tiered_storage	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release version	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Regression release window_functions	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stress test	Runs stateless functional tests concurrently from several clients to detect concurrency-related errors	✅ success

[ianton-ru]

Looks the same as Arthur's PR in upstream, plus CI and test fix.

[Selfeer]

PR #1371 CI Verification Report

CI Triage Summary

Category	Count	Details
PR-caused regressions	0	None
Cascade failures	0	None
Pre-existing known fails	6	2 tests x 3 build types
Infrastructure issues	3	Sign job errors + CI running meta-job

Verdict: PASS

No failures are attributable to this PR. All test suites passed successfully.

---

Detailed Analysis

New Fails in PR: 0

The CI report explicitly states: "Nothing to report" when comparing against base SHA 6d9bede8cdb6e6c130b0c9a07156112618bed093.

Checks New Fails: 0

No new test failures in any stateless, integration, or regression test suites.

Regression New Fails: 0

No new regression test failures. Notably, the RBAC regression suite -- the most relevant suite for this authentication change -- passed cleanly on both architectures:

• aarch64 RBAC: 1,277 suites (1,271 ok, 4 skipped, 2 xfail), 138 features (133 ok, 4 skipped, 1 xfail)
• release RBAC: 1,281 suites (1,279 ok, 2 xfail), 138 features (133 ok, 4 skipped, 1 xfail)

---

Pre-existing Known Fails (6)

These are pre-existing broken tests, unrelated to this PR. The same 2 tests fail across 3 build types:

Job	Test Name	Status	Reason
Stateless tests (aarch64)	02815_no_throw_in_simple_queries	BROKEN	Fails on asan, msan, tsan, debug, aarch64
Stateless tests (aarch64)	03206_no_exceptions_clickhouse_local	BROKEN	Fails on asan, msan, tsan, debug, aarch64
Stateless tests (debug) [1/2]	02815_no_throw_in_simple_queries	BROKEN	Fails on asan, msan, tsan, debug, aarch64
Stateless tests (debug) [1/2]	03206_no_exceptions_clickhouse_local	BROKEN	Fails on asan, msan, tsan, debug, aarch64
Stateless tests (release)	02815_no_throw_in_simple_queries	BROKEN	Fails on asan, msan, tsan, debug, aarch64
Stateless tests (release)	03206_no_exceptions_clickhouse_local	BROKEN	Fails on asan, msan, tsan, debug, aarch64

These are the same known-broken tests observed across other PRs on this branch (e.g., PR #1373) and are unrelated to multi-auth changes.

---

Infrastructure Issues (3)

Job	Status	Message
Sign aarch64	error	Error: Unknown, exit_code 0
Sign release	error	Error: Unknown, exit_code 0
CI running	failure	All checks finished. 2 jobs failed

The Sign aarch64 and Sign release jobs failed with unknown errors (exit code 0) -- a transient infrastructure/signing issue. The CI running meta-job simply reports that the 2 signing jobs failed. None of these affect test results.

---

Recommendations

1. No action required for this PR -- all tests pass, no regressions detected.
2. The Sign aarch64 / Sign release infrastructure errors are transient and unrelated; they should be monitored at the CI infrastructure level.
3. The 2 pre-existing broken tests (02815_no_throw_in_simple_queries, 03206_no_exceptions_clickhouse_local) should be tracked/fixed separately as they affect all PRs on this branch.

[Selfeer]

PR #1371 Audit Review

AI audit note: This review was generated by AI (gpt-5.3-codex).

Audit update for PR #1371 (24.8.14 Backport of ClickHouse#65277: Multi auth methods)

---

Confirmed defects

Medium: ALTER USER bypasses allow_no_password / allow_plaintext_password policy checks

• Impact: ALTER USER ... IDENTIFIED ... can persist auth methods disallowed by server policy, creating policy-violating users and (for some configs) users that then cannot authenticate.
• Anchor: src/Interpreters/Access/InterpreterCreateUserQuery.cpp / updateUserFromQueryImpl()
• Trigger: Set allow_no_password=0 or allow_plaintext_password=0, then run ALTER USER with corresponding disallowed auth method.
• Affected transition: ALTER USER AST -> updateUserFromQueryImpl() method merge/replace -> user entity write.
• Why defect: The policy gate is only executed under if (!query.alter), so all alter flows skip auth-type policy enforcement.
• Smallest logical reproduction: (1) disable one of these auth types in server config; (2) create user with allowed method; (3) run ALTER USER ... IDENTIFIED WITH no_password (or plaintext_password); (4) alter succeeds despite policy.
• Fix direction (short): Apply the allow/disallow auth-type validation when auth methods are explicitly changed on ALTER USER too.
• Regression test direction (short): Add integration test asserting ALTER USER ... IDENTIFIED ... rejects disallowed auth types under both config flags.
• Affected subsystem / blast radius: Access control DDL interpreter; all clusters relying on auth-type hardening via those config flags.

        for (const auto & authentication_method : authentication_methods)
        {
            user.authentication_methods.emplace_back(authentication_method);
        }
        ...
        if (!query.alter)
        {
            for (const auto & authentication_method : user.authentication_methods)
            {
                auto auth_type = authentication_method.getType();
                if (((auth_type == AuthenticationType::NO_PASSWORD) && !allow_no_password) ||
                    ((auth_type == AuthenticationType::PLAINTEXT_PASSWORD)  && !allow_plaintext_password))
                {
                    throw Exception(ErrorCodes::BAD_ARGUMENTS, ...);
                }
            }
        }

Low: SQL formatter drops comma between auth methods when highlighting is enabled

• Impact: Formatted CREATE/ALTER USER ... IDENTIFIED WITH ... output can be malformed in highlighted formatting mode (missing comma separator between methods), affecting readability and copy/paste reliability.
• Anchor: src/Parsers/Access/ASTCreateUserQuery.cpp / formatAuthenticationData()
• Trigger: Render query AST with settings.hilite=true and multiple authentication methods.
• Affected transition: AST serialization -> SQL string emission for multi-method auth list.
• Why defect: The separator branch emits IAST::hilite_keyword instead of emitting the comma token.
• Smallest logical reproduction: Parse a multi-method CREATE USER ... IDENTIFIED WITH ... , ...; serialize with hilite enabled; separator is not emitted as ,.
• Fix direction (short): Emit comma regardless of highlight mode and wrap highlight markers separately.
• Regression test direction (short): Add parser/formatter unit test with hilite-enabled formatting for multi-method auth list and assert comma-preserving output.
• Affected subsystem / blast radius: SQL AST formatting path (SHOW CREATE/formatted query output), user-facing diagnostics.

        for (std::size_t i = 0; i < authentication_methods.size(); i++)
        {
            authentication_methods[i]->format(settings);

            bool is_last = i < authentication_methods.size() - 1;
            if (is_last)
            {
                settings.ostr << (settings.hilite ? IAST::hilite_keyword : ",");
            }
        }

---

Coverage summary

• Scope reviewed: PR 24.8.14 Backport of #65277: Multi auth methods #1371 core auth-path changes in src/Access/* (Authentication, IAccessStorage, User), DDL parsing/serialization (ParserCreateUserQuery, ASTCreateUserQuery, InterpreterCreateUserQuery), protocol entrypoints (TCPHandler, MySQLHandler, PostgreSQLProtocol), session logging, and system users exposure (StorageSystemUsers), plus test deltas.
• Categories failed: Policy enforcement consistency (CREATE USER vs ALTER USER auth-type restrictions); formatter token emission for multi-method auth serialization.
• Categories passed: Call-graph/transition coverage across authentication dispatch, parser->AST->interpreter flow, storage writes and protocol dispatch; error-contract consistency in main auth failure path (AccessControl normalization to AUTHENTICATION_FAILED); multi-thread/concurrency review found no new lock-order/shared-state defects in touched paths; rollback/partial-update and C++ lifetime/iterator/signedness checks on reviewed mutations.
• Assumptions/limits: Static code audit only (no runtime execution/fault injection); conclusions are bounded to PR 24.8.14 Backport of #65277: Multi auth methods #1371 diff and directly connected call paths in current branch state.

[Selfeer]

@zvonand can you please check the audit report if it makes sense?

[zvonand]

this is a question to @arthurpassos . But I think it does not really matter -- this is only a backport, not original code

[arthurpassos]

• e policy gate is only executed under if (!query.alter), so all alter flows skip auth-type policy enforcement.

At a first glance, it seems to be true - but also not sure we want to fix it right now. Perhaps create an issue so we can track it, tho I suspect it will just die in the backlog