[pull] master from cube-js:master#375
Merged
pull[bot] merged 4 commits intocode:masterfrom Apr 1, 2026
Merged
Conversation
… access policies (#10590) * fix(api-gateway): cache unfiltered GraphQL schema with RBAC enforced at query time Instead of adding JS-side member validation for GraphQL RBAC enforcement, rely on the existing Rust-side validation in query_result_transform.rs. The Rust transform layer already checks if requested members are present in the RBAC-filtered annotation map and throws 'You requested hidden member' errors for inaccessible members. Changes: - Build GraphQL schema from unfiltered metadata (skipVisibilityPatch) so it can be safely cached across security contexts sharing a CompilerApi - Add skipVisibilityPatch option to CompilerApi.metaConfig() to bypass RBAC visibility patching when building the shared GraphQL schema - Add integration test verifying RBAC enforcement through GraphQL Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com> * ci: add smoke:rbac-graphql test to CI pipeline Add the new RBAC GraphQL integration test to: - packages/cubejs-testing/package.json as smoke:rbac-graphql script - .github/actions/smoke.sh to run in integration-smoke CI job Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com> * fix(cubeorchestrator): validate query members against annotation even with empty results When RBAC denies access to a member, the query gets a '1=0' filter that returns zero rows. Previously, the Rust get_members() function would short-circuit on empty columns (derived from zero rows) without checking if the requested members were actually accessible. Now validate_query_members_in_annotation() checks the query's measures, dimensions, segments, and time dimensions against the annotation map even when db_data.columns is empty. This ensures 'You requested hidden member' errors are returned for RBAC-denied members regardless of whether the query returns data. Also adds a test for the hidden member + empty dataset scenario. Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com> * fix(cubeorchestrator): exclude segments from empty-result member validation Segments are not included in the annotation map (which only contains measures, dimensions, and time dimensions). The rlsAccessDenied synthetic segment added by RBAC denial would incorrectly trigger the hidden member error when validated against the annotation. Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com> * test(testing): update smoke-rbac tests for hidden member error behavior Now that the Rust transform validates query members against the annotation even with empty results, RBAC-denied members return 'You requested hidden member' errors instead of silently returning empty data. Updated tests: - line_items hidden price_dim: expect error instead of empty result - orders_view and cube with default policy: expect error for orders_view.count when user has no matching access policy on the view Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com> * test(testing): remove obsolete orders_view_rest snapshot The orders_view_rest snapshot is no longer used after updating the test to expect a hidden member error instead of empty results. Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com> * refactor(cubeorchestrator): extract ensure_member_in_annotation to deduplicate hidden member checks The hidden member error was duplicated in three places: - get_members (column-based check for non-empty results) - get_vanilla_row (per-row alias check) - validate_query_members_in_annotation (query member check for empty results) Extract ensure_member_in_annotation() and use it in all three places. Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>
…-to-data rename (#10594) - Move analytics/ to docs/explore-analyze/ - Move data-modeling recipes to recipes/data-modeling/ - Move pre-aggregation recipes to recipes/pre-aggregations/ - Move configuration recipes to recipes/configuration/ - Move API recipes to recipes/core-data-api/ - Rename admin/configuration to admin/connect-to-data - Add overview pages for connect-to-data and data sources - Consolidate all recipes under Recipes tab with Topics group - Update all internal links and docs.json references Made-with: Cursor
Generated-By: mintlify-agent Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
github-actions
bot
added
pr:community
rust
data source driver
cubejs-jdbc-driver
driver:athena
driver:bigquery
driver:clickhouse
driver:crate
driver:databricks
driver:dremio
driver:druid
driver:duckdb
driver:elasticsearch
driver:firebolt
driver:hive
driver:materialize
driver:mongodb
driver:mssql
driver:mysql
driver:mysql-aurora-serverless
driver:oracle
driver:pinot
driver:postgres
labels
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )