
26.1 Antalya: Token Authentication and Authorization #1430

Merged: zvonand merged 7 commits into antalya-26.1 from backports/antalya-26.1/1078 on Feb 28, 2026

zvonand (Collaborator) commented Feb 19, 2026

Introduce authentication using access tokens.

Changelog category (leave one):

  • New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Introduce token-based authentication and authorization.

CI/CD Options

Exclude tests:

  • Fast test
  • Integration Tests
  • Stateless tests
  • Stateful tests
  • Performance tests
  • All with ASAN
  • All with TSAN
  • All with MSAN
  • All with UBSAN
  • All with Coverage
  • All with Aarch64
  • All Regression
  • Disable CI Cache

Regression jobs to run:

  • Fast suites (mostly <1h)
  • Aggregate Functions (2h)
  • Alter (1.5h)
  • Benchmark (30m)
  • ClickHouse Keeper (1h)
  • Iceberg (2h)
  • LDAP (1h)
  • Parquet (1.5h)
  • RBAC (1.5h)
  • SSL Server (1h)
  • S3 (2h)
  • Tiered Storage (2h)

25.8 Antalya: Token Authentication and Authorization
zvonand added the port-antalya (PRs to be ported to all new Antalya releases) and antalya-26.1 labels Feb 19, 2026
…oauth

Antalya 25.8: Fix build after oauth
github-actions bot commented Feb 19, 2026

Workflow [PR], commit [843bbd6]

zvonand force-pushed the backports/antalya-26.1/1078 branch 2 times, most recently from c4902b1 to 03034c6, February 20, 2026 12:44
zvonand merged commit d742d0a into antalya-26.1 Feb 28, 2026
513 of 523 checks passed
CarlosFelipeOR (Collaborator) commented Mar 3, 2026

Integration test regression: test_storage_delta/test.py::test_network_activity_with_system_tables

PR #1430 introduced a consistent failure in the integration test test_storage_delta/test.py::test_network_activity_with_system_tables on antalya-26.1.

Evidence from CI database

  • 0% failure rate before Feb 28, jumping to 100% from Mar 1 onward — exactly matching the merge of commit d742d0a
  • The test never fails on upstream 26.1 (0/182 runs), which does not include this feature
  • 44 fails / 9 passes across all antalya-26.1 PRs since the merge. The 9 passes are likely from PRs that had not yet merged the latest base branch and were still running on a commit before 26.1 Antalya: Token Authentication and Authorization #1430

Example failing CI run

Root cause from failure log

assert 0 == 2
where 2 = int('2\n')
where '2\n' = query("SELECT count() FROM system.text_log
WHERE query_id = '..._query'
AND message LIKE '%Initialized scan state%'")

The test expects 0 occurrences of "Initialized scan state" in system.text_log, but finds 2. Since enable_token_auth defaults to true, the token auth code path is active for all HTTP requests — including Delta Lake storage access via HTTP/S3 — causing extra scan state initializations even when token authentication is not being used.

Note: This is separate from the defects identified in the audit review (#1446 — H1, H2, H3), which are code-level bugs that still need to be addressed independently.

Selfeer (Collaborator) commented Mar 5, 2026

PR #1430 Verification Report

ClickHouse CI Results

Builds — All Pass

| Check | Result | Duration | Links |
|---|---|---|---|
| Build (amd_debug) | PASS (0/5 failures) | 21m 59s | Job · Report |
| Build (arm_release) | PASS (0/5 failures) | 33m 20s | Job · Report |
| Build (arm_binary) | PASS (0/4 failures) | 20m 43s | Job · Report |

Other CI Checks — All Pass

| Check | Result | Duration | Link |
|---|---|---|---|
| Config Workflow | PASS | 1m 42s | Job |
| DCO | PASS | 1s | Check |
| Finish Workflow | PASS | 1m 42s | Job |
| FinishCIReport | PASS | 51s | Job |
| SourceUpload | PASS | 9m 19s | Job |

Regression Test Results

Run: PR #1430 (deb) | Full Regression | x86 | --use-keeper --with-analyzer
Version tested: 26.1.2.10001.altinitytest
Package: clickhouse-common-static_26.1.2.10001.altinitytest_amd64.deb
Flags: --use-keeper --with-analyzer
Overall conclusion: failure (4 pre-existing failures, see analysis below)

Job Summary

| Status | Count |
|---|---|
| PASS | 66 |
| FAIL | 4 |
| SKIPPED | 1 |
| Total | 71 |

Authentication-Related Suites — All Pass

These suites directly test authentication, authorization, and security features and are most relevant to the PR's token auth changes.

| Suite | Result | Duration | Job Link | Report |
|---|---|---|---|---|
| jwt_authentication | PASS | 3m 21s | Job | Report |
| oauth | PASS | 2m 46s | Job | Report |
| rbac_1 | PASS | 41m 58s | Job | Report |
| rbac_2 | PASS | 1h 34m | Job | |
| rbac_3 | PASS | 1h 25m | Job | |
| ssl_server_1 | PASS | 35m 58s | Job | Report |
| ssl_server_2 | PASS | 50m 19s | Job | Report |
| ssl_server_3 | PASS | 1h 30m | Job | |
| ldap_authentication | PASS | 36m 22s | Job | Report |
| ldap_external_user_directory | PASS | 30m 19s | Job | Report |
| ldap_role_mapping | PASS | 47m 12s | Job | Report |
| kerberos | PASS | 8m 17s | Job | Report |
| aes_encryption | PASS | 1h 1m | Job | |

Failed Suites — Detailed Analysis (4/71)

All 4 failures are pre-existing and not introduced by this PR. Evidence is provided via cross-referencing with two independent regression runs on different PRs.

1. aggregate_functions_3 — FAIL (Pre-Existing)

Job: aggregate_functions_3
Report: Report
Artifacts: Download
Duration: 2h 4m
Failing test: /aggregate functions/part 3/state/rankCorrState/with group by
Error type: SnapshotError — output snapshot mismatch
Root cause: Pre-existing snapshot drift for rankCorrState aggregate function
Same failure in PR #1395? Yes — Job
Same failure in PR #1458? Yes
Related to PR #1430? No

Failing test output:

✘ [ Fail ] '/aggregate functions/part 3/state/rankCorrState/with group by' (705ms)
✘ [ Fail ] '/aggregate functions/part 3/state/rankCorrState' (1m 16s)
✘ [ Fail ] '/aggregate functions/part 3/state' (1h 13m)
✘ [ Fail ] '/aggregate functions/part 3' (1h 51m)
✘ [ Fail ] '/aggregate functions' (1h 54m)

2. ice — FAIL (Pre-Existing)

Job: ice
Report: Report
Artifacts: Download
Duration: 8m 4s
Failing tests: All tests under /ice/feature/export parts/ (UInt8, UInt16, ..., FixedString, etc. — 19 data types)
Error type: SYNTAX_ERROR — ALTER TABLE ... EXPORT PARTS not recognized
Root cause: The EXPORT PARTS feature is not present in this ClickHouse build
Same failure in PR #1395? Yes — Job
Same failure in PR #1458? Yes
Related to PR #1430? No

Failing test output (excerpt):

✘ [ Fail ] '/ice/feature/export parts/testing UInt8' (2s 719ms)
✘ [ Fail ] '/ice/feature/export parts/testing UInt16' (1s 650ms)
✘ [ Fail ] '/ice/feature/export parts/testing UInt32' (1s 474ms)
...
✘ [ Fail ] '/ice/feature/export parts/testing FixedString(51)' (1s 629ms)

Error detail:

Expected one of: ON, a list of ALTER commands, ALTER command, ADD COLUMN, ... (SYNTAX_ERROR)

3. settings — FAIL (Pre-Existing)

Job: settings
Report: Report
Artifacts: Download
Duration: 3m 47s
Failing tests: All tests under /settings/default values/ (hundreds of settings)
Error type: SnapshotNotFoundError — settings default value snapshots not baselined for this version
Root cause: Expected for new/test versions — snapshots need regeneration
Same failure in PR #1395? Yes — Job
Same failure in PR #1458? Yes
Related to PR #1430? No

Failing test output (excerpt):

✘ [ Fail ] '/settings/default values/add_http_cors_header' (441ms)
✘ [ Fail ] '/settings/default values/additional_result_filter' (533ms)
✘ [ Fail ] '/settings/default values/additional_table_filters' (665ms)
✘ [ Fail ] '/settings/default values/aggregate_function_input_format' (814ms)
✘ [ Fail ] '/settings/default values/aggregate_functions_null_for_empty' (952ms)
... (hundreds more)

4. version — FAIL (Pre-Existing)

Job: version
Report: Report
Artifacts: Download
Duration: 2m 57s
Failing test: /version/altinity/embedded logos
Error type: SnapshotError — embedded logo verification fails
Root cause: Expected for .altinitytest builds — test builds don't carry production Altinity branding

There are results of the very latest merge to 26.1 antalya with changes from this branch where we see the version suite being green: https://altinity-build-artifacts.s3.amazonaws.com/REFs/antalya-26.1/18ac1a47ce5d8fd0fa988828dd7b098a8dfc5bc8/regression/aarch64/with_analyzer/zookeeper/without_thread_fuzzer/version/report.html

Failing test output:

✘ [ Fail ] '/version/altinity/embedded logos' (608ms)
✘ [ Fail ] '/version/altinity' (10s 573ms)
✘ [ Fail ] '/version' (1m 20s)

Verdict

PASS — No regressions introduced by PR #1430.


Labels: antalya-26.1, port-antalya (PRs to be ported to all new Antalya releases), verified (Verified by QA)
