Antalya 26.3: Add OAuth2 login to clickhouse-client (--login / --login=device)

[zvonand]

Changelog category (leave one):

• New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Add OAuth2 login flow to clickhouse-client (#1606 by @BorisTyshkevich).

CI/CD Options

Exclude tests:

• Fast test
• Integration Tests
• Stateless tests
• Stateful tests
• Performance tests
• All with ASAN
• All with TSAN
• All with MSAN
• All with UBSAN
• All with Coverage
• All with Aarch64
• All Regression
• Disable CI Cache

Regression jobs to run:

• Fast suites (mostly <1h)
• Aggregate Functions (2h)
• Alter (1.5h)
• Benchmark (30m)
• ClickHouse Keeper (1h)
• Iceberg (2h)
• LDAP (1h)
• Parquet (1.5h)
• RBAC (1.5h)
• SSL Server (1h)
• S3 (2h)
• S3 Export (2h)
• Swarms (30m)
• Tiered Storage (2h)

Cherry-picked from #1606.

[github-actions]

Workflow [PR], commit [1dceb7c]

[Selfeer]

PR #1749 CI Triage

PR: #1749 - Antalya 26.3: Add OAuth2 login to clickhouse-client (--login / --login=device)
CI report: ci_run_report.html
Date: 2026-05-14

PR Change Scope

This PR is focused on OAuth/client login functionality:

• programs/client/Client.cpp
• src/Client/OAuth*
• src/Access/TokenProcessorsOpaque.cpp
• integration tests/docs for Keycloak/OAuth flows

No changes were made in regression-suite areas tied to current failures (iceberg, parquet, s3_export_partition, swarms).

Summary

Category	Count	Checks
PR-caused regression	0	-
Unrelated regression-suite failures	10	Regression{Release,Aarch64} / {Iceberg(1), Iceberg(2), Parquet, S3Export(partition), Swarms}
Infrastructure issue	0	-
Cascade failures	0	-

Evidence from CI Metadata

• CI report section New Fails in PR says: Nothing to report.
• CI report section Checks New Fails says: Nothing to report.
• All failing jobs are in regression suites unrelated to OAuth/client login code paths.
• The same failure signatures appear across both x86_64 and aarch64 jobs, consistent with known suite-level issues rather than a targeted OAuth regression.

Root Cause Classification

1) Regression* / S3Export (partition) / s3_export_partition — Unrelated

Observed signature:

• Code: 344 ... Exporting merge tree partition is experimental ... allow_experimental_export_merge_tree_partition ... (SUPPORT_IS_DISABLED)

This is a feature-flag/configuration issue in export-partition regression tests, not related to OAuth login/client auth logic.

2) Regression* / Parquet / parquet — Unrelated

Observed signatures:

• snapshot mismatch: DateTime vs DateTime64(0)
• snapshot mismatch: Nullable(Date) vs Nullable(Date32)

These are parquet type/snapshot drift issues. They do not map to OAuth flow or client authentication changes.

3) Regression* / Iceberg (1|2) — Unrelated

Observed signatures:

• Unknown setting 'object_storage_cluster' (UNKNOWN_SETTING)
• Unrecognized option '--iceberg_partition_timezone' (UNRECOGNIZED_ARGUMENTS)

These failures are in Iceberg/object-storage settings paths and test options, outside PR #1749 scope.

4) Regression* / Swarms / swarms — Unrelated

Observed signatures:

• Unexpected value of ObjectStorageClusterJoinMode: 'swarm_cluster...' ... Must be one of ['allow', 'global', 'local'] (BAD_ARGUMENTS)

These failures are in swarms/object-storage cluster behavior and unrelated to OAuth client login implementation.

Verdict

There is no evidence that PR #1749 caused or is related to the observed CI failures.

All failed checks are in known unstable or independently broken regression suites (iceberg, parquet, s3_export_partition, swarms) and do not intersect with the PR's OAuth/client login code changes.