25.3.8-fips Backport of #1533 - Add guard for local data lakes

[mkmkme]

25.3.8 Stable: Add guard for local data lakes

Changelog category (leave one):

• Critical Bug Fix (crash, data loss, RBAC) or LOGICAL_ERROR

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Add setting allow_local_data_lakes. Off by default (#1533 by @zvonand)

Documentation entry for user-facing changes

...

CI/CD Options

Exclude tests:

• Fast test
• Integration Tests
• Stateless tests
• Stateful tests
• Performance tests
• All with ASAN
• All with TSAN
• All with MSAN
• All with UBSAN
• All with Coverage
• All with Aarch64
• All Regression
• Disable CI Cache

Regression jobs to run:

• Fast suites (mostly <1h)
• Aggregate Functions (2h)
• Alter (1.5h)
• Benchmark (30m)
• ClickHouse Keeper (1h)
• Iceberg (2h)
• LDAP (1h)
• Parquet (1.5h)
• RBAC (1.5h)
• SSL Server (1h)
• S3 (2h)
• S3 Export (2h)
• Swarms (30m)
• Tiered Storage (2h)

[mkmkme]

AI audit note: This review comment was generated by AI (claude-4.6-sonnet).

Audit for PR #1625 (25.3.8-fips backport of #1533 — Add guard for local data lakes):

---

Confirmed defects

Low: Redundant setting in integration test users.xml

• Impact: No runtime impact today, but creates maintenance confusion. The setting is applied in both <users><default> and <profiles><default>. If one block is removed in a future edit without awareness of the other, the intent becomes unclear.
• Anchor: tests/integration/test_storage_iceberg/configs/users.d/users.xml
• Trigger: Future config editing.
• Why defect: Per-user settings in <users> override <profiles>; having the setting in both is redundant and obscures where the canonical default lives.
• Fix direction: Remove the setting from <users><default>, keep only <profiles><default>.
• Regression test direction: Verify integration tests pass with the user-level override removed.

---

Coverage summary

• Scope reviewed: allow_local_data_lakes — setting declaration, SettingsChangesHistory entry, IcebergLocal storage factory guard, icebergLocal() table function guard (all 3 call sites), test config; backport diff vs. original PR 25.3.8 Stable: Add guard for local data lakes #1533; guard coverage against all local data lake engines present in the FIPS codebase.
• Categories failed: Test config hygiene.
• Categories passed: Backport completeness (diff is identical to 25.3.8 Stable: Add guard for local data lakes #1533 across all 5 files), guard coverage (only IcebergLocal exists in the FIPS codebase — DeltaLakeLocal is absent — guard is complete), SettingsChangesHistory correctness (old_value = false is intentional: the setting is new and keeping it false under compatibility is the correct FIPS-safe choice), setting description accuracy (DeltaLakeLocal does exist in the non-FIPS codebase so the description is accurate and forward-looking), error-code consistency (SUPPORT_IS_DISABLED used uniformly), no concurrency/lifetime/C++ safety issues (read-only settings access under existing context lock).
• Notable future risk (not a current defect): The guard uses a definition-specific std::is_same_v<Definition, IcebergLocalDefinition> check, while the non-FIPS codebase has since evolved to a general is_data_lake template parameter that covers all local data lake types automatically. When DeltaLakeLocal is eventually ported to the FIPS build, this guard will need a manual extension.
• Assumptions/limits: Static analysis only; FIPS working tree is on backports/25.3.8-fips/1533 (the PR source branch) — target branch releases/25.3.8-fips does not yet contain these changes.

[mkmkme]

Self-verifying since this is just a backport

[DimensionWieldr]

Verified.

AI audit returned no other major defects.