
Antalya 26.3: OAuth improvements#1799

Merged
zvonand merged 3 commits into
antalya-26.3from
improvement/antalya-26.3/oauth-polish
May 21, 2026

Conversation

@zvonand zvonand (Member) commented May 15, 2026

Follow-up for #1784

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Various token-based auth improvements


zvonand and others added 2 commits May 15, 2026 13:00
Add a "Mapping groups to ClickHouse roles" subsection under Entra that
covers the three practical paths: App Roles (preferred), formatting the
`groups` claim via `optionalClaims` (`sam_account_name`,
`cloud_displayname`, etc.), and `roles_mapping` as a GUID-only fallback.
Note the `roles_filter` retuning needed when switching from GUIDs to names.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When `token_introspection_endpoint` is configured together with
`introspection_client_id` / `introspection_client_secret`, the openid
processor sends an RFC 7662 introspection probe before falling through
to `/userinfo`. The response is authoritative for liveness (`active`),
expiry (`exp` bounds the cache TTL), and operator-pinned `iss`/`aud`
bindings. The probe runs whenever it's configured, including alongside
the JWT fast-path -- JWT validates signature and `exp`, introspection
adds the revocation check the JWT path cannot do.

Also adds `Accept: application/json` to the userinfo GET, surfaces
introspection HTTP failures at WARNING (was TRACE), and warns when the
IdP returns a malformed `exp` instead of silently dropping it.

Parser: new keys `introspection_client_id` / `introspection_client_secret`
(both must be set together); `expected_issuer` / `expected_audience` are
now accepted in manual mode when introspection is wired (they're
enforced against the introspection response). The manual-mode branch
also rejects keys that would silently no-op (`jwks_uri`,
`allow_no_expiration`, `verifier_leeway`, `jwks_cache_lifetime`).

Tests: three new Keycloak integration tests, each on a dedicated
single-processor node so successful auth is provably the introspection
path:
- manual-mode happy-path + revocation
- discovery-mode happy-path + revocation, using a tiny nginx-served
  mock OIDC doc that points back at real Keycloak but omits `jwks_uri`
  (Keycloak always advertises one, so the JWKS-less discovery branch
  is otherwise unreachable end-to-end)
- bad-secret rejection (strict default: no silent fallback to userinfo)

Test helpers pin `Host: keycloak:8080` on the backchannel calls so
Keycloak issues tokens whose `iss` matches the URL ClickHouse uses to
introspect them; existing tests keep the host-mapped URL so the
device-flow HTML traversal still works.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
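The commit message above describes the RFC 7662 probe and the rules the response is held to (`active` is authoritative for liveness, `exp` bounds the cache TTL, `iss`/`aud` are checked against operator-pinned values, a non-200 from the endpoint is a rejection rather than a fallback to userinfo, and a malformed `exp` is logged rather than silently dropped). The following is an added example written for this page, not ClickHouse's openid processor code: it builds the introspection request the way RFC 7662 specifies it and evaluates a constructed response offline. The `IntrospectionConfig` and `Decision` types, the `max_cache_ttl` cap, the `token_introspection_endpoint` URL and all sample responses are assumptions of the example; treating a malformed `exp` as "do not cache" is also this example's choice.

```python
import base64
import json
import logging
import time
import urllib.parse
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

log = logging.getLogger("token_introspection")


@dataclass
class IntrospectionConfig:
    # Field names mirror the keys named in the commit message; the dataclass
    # itself is an assumption of this example, not ClickHouse's config type.
    token_introspection_endpoint: str
    introspection_client_id: str
    introspection_client_secret: str
    expected_issuer: Optional[str] = None
    expected_audience: Optional[str] = None
    max_cache_ttl: int = 300  # hypothetical upper bound; exp can only shorten it


@dataclass
class Decision:
    accepted: bool
    reason: str
    cache_ttl: int = 0
    subject: Optional[str] = None


def build_introspection_request(cfg: IntrospectionConfig, token: str) -> Tuple[str, str, Dict[str, str], str]:
    """RFC 7662 section 2.1: POST, form-encoded body, client must authenticate.
    HTTP Basic with client_id/client_secret (RFC 6749 section 2.3.1) is used here."""
    creds = base64.b64encode(
        f"{cfg.introspection_client_id}:{cfg.introspection_client_secret}".encode()
    ).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    return "POST", cfg.token_introspection_endpoint, headers, body


def evaluate_introspection(cfg: IntrospectionConfig, status: int, body: str, now: Optional[int] = None) -> Decision:
    """Decide on a token from the introspection HTTP status and body.
    Strict: a transport or client-auth failure rejects outright; there is no
    fallback to /userinfo, so a bad client secret cannot degrade to a weaker check."""
    now = int(time.time()) if now is None else now
    if status != 200:
        log.warning("introspection failed with HTTP %d", status)
        return Decision(False, f"introspection HTTP {status}")
    try:
        resp = json.loads(body)
    except ValueError:
        log.warning("introspection response is not JSON")
        return Decision(False, "malformed introspection response")
    if not isinstance(resp, dict):
        return Decision(False, "introspection response is not an object")

    # RFC 7662 section 2.2: only "active": true means the token is live; false,
    # missing or non-boolean all mean revoked, expired or unknown.
    if resp.get("active") is not True:
        return Decision(False, "token not active")

    # Operator-pinned bindings are enforced against the introspection response.
    if cfg.expected_issuer is not None and resp.get("iss") != cfg.expected_issuer:
        return Decision(False, "issuer mismatch")
    if cfg.expected_audience is not None:
        aud = resp.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if cfg.expected_audience not in audiences:
            return Decision(False, "audience mismatch")

    # exp bounds how long a positive result may be cached. A malformed exp is
    # logged and treated as "do not cache" (this example's choice), never ignored.
    ttl = cfg.max_cache_ttl
    if "exp" in resp:
        exp = resp["exp"]
        if isinstance(exp, bool) or not isinstance(exp, int):
            log.warning("introspection returned malformed exp: %r", exp)
            ttl = 0
        elif exp <= now:
            return Decision(False, "token expired")
        else:
            ttl = min(ttl, exp - now)
    return Decision(True, "ok", ttl, resp.get("sub"))
```

Pair it with a real HTTP client by sending the tuple from `build_introspection_request` and feeding the status and body into `evaluate_introspection`; cache a positive `Decision` for at most `cache_ttl` seconds, and treat `cache_ttl == 0` as "re-probe on the next request".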
@zvonand zvonand added port-antalya PRs to be ported to all new Antalya releases antalya-26.3 labels May 15, 2026
github-actions Bot commented May 15, 2026

Workflow [PR], commit [0c986db]

…angesNotifier

`TokenAccessStorage::authenticateImpl` held the storage mutex while
calling `AccessChangesNotifier::sendNotifications` (M1 -> M0), while
`AccessControl::insertImpl` drives notifications and re-enters the
storage via `processRoleChange` in the opposite order (M0 -> M1).
Under tsan this surfaces as a lock-order-inversion when `CREATE ROLE`
races with token auth.

Release the storage mutex before flushing notifications; the values
used afterwards (`id`, `user`) are locals.

Observed in: https://altinity-build-artifacts.s3.amazonaws.com/json.html?PR=1804&sha=9966fee1dfebe2ec4cad30dd6d001d9d81279c6e&name_0=PR&name_1=Integration%20tests%20%28amd_tsan%2C%202%2F6%29

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
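The lock-order inversion described in the commit message above (M1 -> M0 in `authenticateImpl` versus M0 -> M1 in the `CREATE ROLE` path) and its fix (copy `id`/`user` into locals, release the storage mutex, then notify) can be shown with two locks and a re-entrant subscriber. The following is an added example for this page, not ClickHouse code: `AccessChangesNotifier` and `TokenAccessStorage` are stand-ins that keep only the locking shape, and the subscriber re-enters storage with a non-blocking acquire so the pre-fix ordering is observed rather than deadlocked. The `_find_or_create`, `try_process_role_change` and `run_auth_with_reentrant_subscriber` names are this example's.

```python
import threading
from typing import Callable, Dict, List, Tuple


class AccessChangesNotifier:
    """Stand-in for AccessChangesNotifier. Dispatch runs under the notifier's own
    lock (M0), so a subscriber that re-enters storage takes M0 -> M1."""

    def __init__(self) -> None:
        self._lock = threading.Lock()  # M0
        self._subscribers: List[Callable[[str], None]] = []

    def subscribe(self, callback: Callable[[str], None]) -> None:
        self._subscribers.append(callback)

    def send_notifications(self, user_id: str) -> None:
        with self._lock:
            for callback in list(self._subscribers):
                callback(user_id)


class TokenAccessStorage:
    """Stand-in for TokenAccessStorage: a token map guarded by the storage lock (M1)."""

    def __init__(self, notifier: AccessChangesNotifier) -> None:
        self._mutex = threading.Lock()  # M1
        self._users: Dict[str, str] = {}
        self._notifier = notifier

    def _find_or_create(self, token: str) -> Tuple[str, str]:
        # Caller must hold self._mutex.
        user_id = self._users.setdefault(token, "id-" + token)
        return user_id, "user-" + token

    def authenticate_before_fix(self, token: str) -> str:
        # Pre-fix order: M1 is still held while notifications go out (M1 -> M0).
        with self._mutex:
            user_id, user = self._find_or_create(token)
            self._notifier.send_notifications(user_id)
        return user_id

    def authenticate(self, token: str) -> str:
        # Post-fix: everything used afterwards is a local, so M1 can be dropped
        # before notifying; the notifier then takes M0 with M1 free.
        with self._mutex:
            user_id, user = self._find_or_create(token)
        self._notifier.send_notifications(user_id)
        return user_id

    def try_process_role_change(self, timeout: float = 0.05) -> bool:
        """Stand-in for processRoleChange re-entering the storage (needs M1).
        Non-blocking on purpose: returns False where the real code would block,
        which with a second thread is the inversion TSan reports."""
        if not self._mutex.acquire(timeout=timeout):
            return False
        self._mutex.release()
        return True


def run_auth_with_reentrant_subscriber(fixed: bool) -> Tuple[str, bool]:
    """Authenticate with a subscriber that re-enters storage from inside the
    notification (as CREATE ROLE does); report whether that re-entry got M1."""
    notifier = AccessChangesNotifier()
    storage = TokenAccessStorage(notifier)
    reentry_ok: List[bool] = []
    notifier.subscribe(lambda _uid: reentry_ok.append(storage.try_process_role_change()))
    user_id = storage.authenticate("tok1") if fixed else storage.authenticate_before_fix("tok1")
    return user_id, reentry_ok[0]
```

With `fixed=False` the subscriber finds M1 still held during dispatch, which is exactly the window in which a concurrent `AccessControl::insertImpl` holding M0 and waiting on M1 would deadlock; with `fixed=True` M1 is free and the re-entry succeeds.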
@zvonand zvonand added the verified Approved for release label May 21, 2026
@zvonand zvonand marked this pull request as ready for review May 21, 2026 09:05
@zvonand zvonand merged commit de91906 into antalya-26.3 May 21, 2026
288 of 313 checks passed
subkanthi pushed a commit that referenced this pull request May 26, 2026
…-polish

Antalya 26.3: OAuth improvements
@svb-alt svb-alt added the roadmap Key features and improvements for Antalya project label Jun 7, 2026

Labels

antalya antalya-26.3 antalya-26.3.10.20001 port-antalya PRs to be ported to all new Antalya releases roadmap Key features and improvements for Antalya project verified Approved for release

2 participants