updated change log and methods documentation

Author: chernser

CHANGELOG.md

@@ -1,7 +1,19 @@
 ## 0.9.9
 
+### Breaking Changes
+
+- **[client-v2]** `Client.Builder#build()` now throws `ClientMisconfigurationException` instead of `IllegalArgumentException` for authentication and SSL misconfiguration (missing credentials, conflicting authentication methods, missing client certificate when SSL authentication is enabled, and trust store used together with a client certificate). Callers that relied on catching `IllegalArgumentException` from `build()` for these cases must catch `ClientMisconfigurationException` (which extends `RuntimeException` via `ClientException`).
+
+- **[client-v2]** Combining `setUsername(...)` + `setPassword(...)` with a custom `Authorization` HTTP header (`httpHeader(HttpHeaders.AUTHORIZATION, ...)`) now fails at `Client.Builder#build()` with `ClientMisconfigurationException` unless HTTP Basic authentication is explicitly disabled via `useHTTPBasicAuth(false)`. Previously this combination was accepted and the custom `Authorization` header overrode the ClickHouse user/password headers at request time.
+
+- **[client-v2]** The `access_token` configuration property (set via `Client.Builder#setAccessToken(String)` or directly through `setOption`) is now actually applied to outgoing requests as the `Authorization` HTTP header value verbatim. Previously the value was stored under `access_token` but never sent on the wire, so providing it alone had no effect on authentication. Callers must include the scheme prefix themselves (e.g. `setAccessToken("Bearer <token>")`), or use `useBearerTokenAuth(String)` which prepends `Bearer ` automatically.
+
+- **[client-v2]** `Client.Builder#useBearerTokenAuth(String)` now stores the bearer token under the `access_token` configuration key (with the `Bearer ` prefix) instead of writing it directly into `http_header_authorization`. The HTTP wire format is unchanged, but the token is no longer observable through `Client#getReadOnlyConfig()` under the `http_header_authorization` key.
+
 ### New Features
 
+- **[client-v2]** Added runtime credential update APIs on `Client`: `updateUserAndPassword(String, String)`, `updateAccessToken(String)`, and `updateBearerToken(String)`. Subsequent requests on the same `Client` instance use the new credentials without rebuilding the client. The authentication method is fixed at construction time; calling a runtime updater that does not match the configured method throws `ClientMisconfigurationException`. See `docs/authentication.md` for details and migration guidance.
+
 - **[jdbc-v2]** Added `cluster_name` configuration property to specify a target cluster for statements like `KILL QUERY` that require an `ON CLUSTER` clause to execute across all nodes. (https://github.com/ClickHouse/clickhouse-java/issues/2837)
 
 ### Bug Fixes

client-v2/src/main/java/com/clickhouse/client/api/Client.java

@@ -2101,7 +2101,8 @@ public String toString() {
     }
 
     /**
-     * Returns unmodifiable map of configuration options.
+     * Returns unmodifiable map of initial configuration options.
+     * As authentication configuration values can change this map doesn't reflect them.
      * @return - configuration options
      */
     public Map<String, String> getConfiguration() {
@@ -2197,7 +2198,7 @@ public void updateBearerToken(String bearer) {
     }
 
     /**
-     * Updates the user & password for all subsequential requests.
+     * Updates the user and password for all subsequential requests.
      * This method is not thread-safe with respect to other credential updates
      * or concurrent request execution. Applications must coordinate access if
      * they require stronger consistency.

client-v2/src/main/java/com/clickhouse/client/api/internal/CredentialsManager.java

@@ -7,7 +7,8 @@
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
+import java.util.Objects;
+import java.util.concurrent.atomic.AtomicReference;
 
 /**
  * Manages mutable authentication-related client settings.
@@ -20,21 +21,19 @@ public class CredentialsManager {
             ClientConfigProperties.httpHeader(HttpHeaders.AUTHORIZATION);
     public static final String AUTH_HEADER_BEARER_PREFIX = "Bearer ";
 
-    private final Map<String, Object> authConfig = new ConcurrentHashMap<>();
-
-    private final boolean sslAuthEnabled;
+    private final AtomicReference<Map<String, Object>> authConfig = new AtomicReference<>();
 
     private final boolean hasUserPassword;
 
     private final boolean hasAccessToken;
 
-    private final boolean hasAuthHeader;
-
     public CredentialsManager(Map<String, String> config) {
         this.hasUserPassword = isUserPassword(config);
         this.hasAccessToken = isAccessToken(config);
-        this.sslAuthEnabled = isSslAuth(config);
-        this.hasAuthHeader = isCustomAuthHeader(config);
+
+        boolean sslAuthEnabled = isSslAuth(config);
+        boolean hasAuthHeader = isCustomAuthHeader(config);
+
         final long authMethodsCount = Arrays
                 .stream(new Boolean[] {hasUserPassword, hasAccessToken, sslAuthEnabled, hasAuthHeader})
                 .filter(b-> b).count();
@@ -74,7 +73,8 @@ public boolean isHasUserPassword() {
     }
 
     public void applyCredentials(Map<String, Object> target) {
-        target.putAll(authConfig);
+        Map<String, Object> properties = authConfig.get();
+        target.putAll(properties);
     }
 
     /**
@@ -98,10 +98,12 @@ public void setAccessToken(String accessToken) {
     }
 
     private void updateBackedConfig(String username, String password, boolean useSslAuth, String authHeader) {
-        authConfig.put(ClientConfigProperties.USER.getKey(), username);
-        authConfig.put(ClientConfigProperties.PASSWORD.getKey(), password);
-        authConfig.put(ClientConfigProperties.SSL_AUTH.getKey(), useSslAuth);
-        authConfig.put(AUTHORIZATION_HEADER_KEY, authHeader);
+        Map<String, Object> updated = new HashMap<>();
+        updated.put(ClientConfigProperties.USER.getKey(), username);
+        updated.put(ClientConfigProperties.PASSWORD.getKey(), password);
+        updated.put(ClientConfigProperties.SSL_AUTH.getKey(), useSslAuth);
+        updated.put(AUTHORIZATION_HEADER_KEY, authHeader);
+        authConfig.set(updated);
     }
 
     private static final String NO_AUTH_ERR_MSG = "Auth configuration is missing. At least one the following should be provided: " +