
26.1 Antalya backport of #90825: Add role-based access to Glue catalog #1427

Merged
zvonand merged 3 commits into antalya-26.1 from backports/antalya-26.1/90825
Mar 2, 2026

@zvonand zvonand commented Feb 18, 2026

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

Add role-based access to Glue catalog. Use settings aws_role_arn and, optionally, aws_role_session_name. (ClickHouse#90825 by @antonio2368)

CI/CD Options

Exclude tests:

  • Fast test
  • Integration Tests
  • Stateless tests
  • Stateful tests
  • Performance tests
  • All with ASAN
  • All with TSAN
  • All with MSAN
  • All with UBSAN
  • All with Coverage
  • All with Aarch64
  • All Regression
  • Disable CI Cache

Regression jobs to run:

  • Fast suites (mostly <1h)
  • Aggregate Functions (2h)
  • Alter (1.5h)
  • Benchmark (30m)
  • ClickHouse Keeper (1h)
  • Iceberg (2h)
  • LDAP (1h)
  • Parquet (1.5h)
  • RBAC (1.5h)
  • SSL Server (1h)
  • S3 (2h)
  • Tiered Storage (2h)

github-actions bot commented Feb 18, 2026

Workflow [PR], commit [9070f73]

@zvonand zvonand changed the title Merge pull request #90825 from ClickHouse/glue-iam-auth 26.1 Antalya backport of #90825: Add role-based access to Glue catalog Feb 18, 2026

alsugiliazova commented Mar 2, 2026

PR #1427 — Verification Report

Summary of Test Results

| # | Test | Type | Category | Related to PR |
|---|------|------|----------|---------------|
| 1 | test_storage_delta/test.py::test_network_activity_with_system_tables | Integration | Pre-existing flaky since 2026-02-27 | No |
| 2 | test_backup_restore_on_cluster/test_cancel_backup.py::test_shutdown_cancels_backup | Integration | Pre-existing flaky (known issue: #80359) | No |
| 3 | test_backup_restore_on_cluster/test_different_versions.py::test_different_versions | Integration | Pre-existing flaky (known issue: #80359) | No |
| 4 | 03211_nested_json_merges_small | Stateless | Flaky (timeout, environment-sensitive) | No |
| 5 | Stateless AsyncInsert job | Infrastructure | Infrastructure issue (Docker 502) | No |

None of the observed failures are related to this PR.


Manual Verification

The PR was verified through manual testing using AWS Glue.

Test Setup

The AWS user was configured with the following policy only:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::407099639081:role/glue-reader"
    }
  ]
}

The glue-reader role policy was modified during testing (e.g. AmazonS3FullAccess, AmazonGlacierFullAccess, and a custom policy).
Verification confirmed that ClickHouse can only list and query tables permitted by the role’s policy.

Important Notes

  1. Changes to the IAM role policy are not reflected immediately in ClickHouse; a delay of up to 5 minutes is expected.
  2. Restarting ClickHouse forces the policy changes to take effect immediately.
  3. Recreating the database with a different aws_role_session_name also applies policy changes immediately.

Regression Testing

Regression run:
https://github.com/Altinity/clickhouse-regression/actions/runs/22577467785/job/65400340538

Full analysis of the regression results is not possible because this PR does not include all Antalya features.

Conclusion: PR #1427 was verified. All observed issues are pre-existing or infrastructure-related and are not caused by this change.

@alsugiliazova alsugiliazova added the verified Verified by QA label Mar 2, 2026
@zvonand zvonand merged commit ea65374 into antalya-26.1 Mar 2, 2026
232 of 244 checks passed
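
A check for the test-setup policy quoted in the verification report, as an added example that is not part of this PR or of ClickHouse: it confirms that an identity policy grants nothing beyond sts:AssumeRole on one exact role ARN. The helper name `audit_assume_role_only` and the second, wildcard policy are assumptions constructed here.

```python
import json
import re

# Identity policy from the test setup above, embedded as sample input.
TEST_SETUP_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::407099639081:role/glue-reader"}]}
""")
# Constructed counter-example: wildcard action and resource.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "sts:*", "Resource": "*"}}

ROLE_ARN_RE = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+")

def _as_list(value):
    # IAM accepts either a single string/object or a list in these fields.
    return value if isinstance(value, list) else [value]

def audit_assume_role_only(policy, expected_role_arn):
    """Return findings; an empty list means the policy allows only
    sts:AssumeRole on expected_role_arn (hypothetical helper name)."""
    findings, grants_expected = [], False
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: Allow with NotAction/NotResource")
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            if action.lower() != "sts:assumerole":  # action names are case-insensitive
                findings.append(f"statement {i}: extra action {action}")
        for res in resources:
            if not ROLE_ARN_RE.fullmatch(res):
                findings.append(f"statement {i}: not an exact role ARN: {res}")
            elif res != expected_role_arn:
                findings.append(f"statement {i}: unexpected role {res}")
            elif any(a.lower() == "sts:assumerole" for a in actions):
                grants_expected = True
    if not grants_expected:
        findings.append("expected role cannot be assumed")
    return findings

if __name__ == "__main__":
    arn = "arn:aws:iam::407099639081:role/glue-reader"
    print(audit_assume_role_only(TEST_SETUP_POLICY, arn))
    print(audit_assume_role_only(BROAD_POLICY, arn))
```

This inspects only the caller's identity policy; the permissions that were varied during verification are attached to the glue-reader role itself and are not covered by it.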