Multi auth methods

[arthurpassos]

Changelog category (leave one):

• Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Allow a user to have multiple authentication methods instead of only one. Allow authentication methods to be reset to most recently added method. If you want to run instances on 24.8 and one on 24.9 for some time, it's better to set max_authentication_methods_per_user = 1 for that period to avoid potential errors.

CREATE USER user1 IDENTIFIED WITH plaintext_password BY '1', plaintext_password BY '2', sha256_password BY '3' -- user can authenticate with 1, 2 or 3.

Same logic applies to ALTER statements.

ALTER USER user1 RESET AUTHENTICATION METHODS TO NEW -- clears all authentication methods and keeps only the most recent

ALTER USER user1 IDENTIFIED WITH plaintext_password by '1' -- should remain working as it works nowadays, it'll clear all authentication methods and keep only the on found in the query.

Closes #65136

Documentation entry for user-facing changes

• Documentation is written (mandatory for new features)

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

CI Settings (Only check the boxes if you know what you are doing):

• Allow: All Required Checks
• Allow: Stateless tests
• Allow: Stateful tests
• Allow: Integration Tests
• Allow: Performance tests
• Allow: Normal Builds
• Allow: Special Builds
• Allow: All NOT Required Checks
• Allow: batch 1, 2 for multi-batch jobs
• Allow: batch 3, 4, 5, 6 for multi-batch jobs

---

• Exclude: Style check
• Exclude: Fast test
• Exclude: All with ASAN
• Exclude: All with TSAN, MSAN, UBSAN, Coverage
• Exclude: All with aarch64, release, debug

---

• Do not test
• Upload binaries for special builds
• Disable merge-commit
• Disable CI cache

[robot-clickhouse-ci-1]

This is an automated comment for commit 5f464a6 with description of existing statuses. It's updated for the latest CI running

✅ Click here to open a full report in a separate page

Successful checks

Check name	Description	Status
AST fuzzer	Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help	✅ success
Builds	There's no description for the check yet, please add it to tests/ci/ci_config.py:CHECK_DESCRIPTIONS	✅ success
ClickBench	Runs [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table	✅ success
Compatibility check	Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help	✅ success
Docker keeper image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docker server image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docs check	Builds and tests the documentation	✅ success
Fast test	Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here	✅ success
Flaky tests	Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integration tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc	✅ success
Install packages	Checks that the built packages are installable in a clear environment	✅ success
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	✅ success
Performance Comparison	Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stress test	Runs stateless functional tests concurrently from several clients to detect concurrency-related errors	✅ success
Style check	Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report	✅ success
Unit tests	Runs the unit tests for different release types	✅ success
Upgrade check	Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts	✅ success

[Avogar]

Test 03036_dynamic_read_subcolumns was failing in master, but it's fixed. Please, update the branch with recent changes in master

[alexey-milovidov]

This is from another PR, but I just leave it here.
A test for multiple PTR records has failed: https://s3.amazonaws.com/clickhouse-test-reports/60197/11d54f4809a8b58773f13664e6b842cb6c7dce48/integration_tests__aarch64__[2_6].html

[arthurpassos]

This is from another PR, but I just leave it here. A test for multiple PTR records has failed: https://s3.amazonaws.com/clickhouse-test-reports/60197/11d54f4809a8b58773f13664e6b842cb6c7dce48/integration_tests__aarch64__[2_6].html

@alexey-milovidov Will look into it soon

[arthurpassos]

@alexey-milovidov do you think we could divide this work into two PRs? First one to support multiple authentication methods and second one to add expiration time?

[alexey-milovidov]

Totally ok, but we already have support for expiration time (for about half a year).

[arthurpassos]

Removed stateless ssh tests because it depends on openssl being built added it back, let's see

[arthurpassos]

@arthurpassos We can accept this PR only in case if it is 100% green with all 200+ checks passed. We should carefully iterate over all tests that failed, try to fix them or create a very informative issue to make other contributors lives easier (there two issues #69127 #69126 are not very helpful, because they don't tell which tests failed).

is it green enoug now?

[arthurpassos]

@alexey-milovidov @nikitamikhaylov ping

[nikitamikhaylov]

Looks much greener, yes!

[arthurpassos]

Looks much greener, yes!

@nikitamikhaylov Good, can we merge it now?

[nikitamikhaylov]

The CI says it is not ready yet.

[arthurpassos]

The CI says it is not ready yet.

Is this about performance check failure? It has been some time since I worked on a repo I had merge permissions, so I can't really tell what it is complaining about

[arthurpassos]

**Mergeable Check ** Pending — pending: Cloud fork sync (only for ClickHouse Inc. employees)

@nikitamikhaylov is this what is blocking the merge? If so, what needs to be done? Anything I should do on my side?

[arthurpassos]

@pufit kind ping

[pufit]

@pufit kind ping

The only thing left is to fix conflicts in the cloud repo on our side. I will do it by the end of Friday. Sorry for waiting

[arthurpassos]

@pufit kind ping

The only thing left is to fix conflicts in the cloud repo on our side. I will do it by the end of Friday. Sorry for waiting

#68236 has been merged and introduced some conflicts on my side. Just fixed them.

[arthurpassos]

Got CI/CD green again