3

I have an Extended Cube whose sql attribute is based on the BaseCube/AbstractCube. The Base Cube uses the SECURITY_CONTEXT in its sql attribute. When I query the extended cube I get `TypeError: Cannot read property 'tenantId' of undefined`.

The SECURITY_CONTEXT is the following:

```json
{
    "tenantId": 1,
    "iat": 1630526261,
    "exp": 1808403576,
    ...
}
```

The cube definitions are something like this:

```javascript
const BaseOrders = cube({
  // Row-level tenant restriction taken from the security context
  sql: `SELECT * FROM orders WHERE ${SECURITY_CONTEXT.tenantId.requiredFilter('tenantId')}`,

  measures: {
    count: {
      type: `count`,
      sql: `id`
    }
  }
});

cube(`RestrictedOrderFacts`, {
  extends: BaseOrders,
  // Wraps the base cube's SQL and narrows it further
  sql: `
    SELECT * FROM (${BaseOrders.sql()}) AS bo WHERE status = 'RESTRICTED'
  `,
  measures: {
    doubleCount: {
      type: `number`,
      sql: `${count} * 2`
    }
  }
});
```

When querying the RestrictedOrderFacts, it seems that the SQL compiler does not have the security context available. Am I doing something I'm not supposed to? How can I add additional filters to an Abstract Cube depending on the use case?

Note: The idea of the Abstract Cube is to provide the row level security for all of the Extended Cubes. So, we can centralize the tenant row level permissions on the Abstract Cube.

1 Answer

2

We don't recommend using SECURITY_CONTEXT and abstract cubes to manage data access. For this, we recommend using queryRewrite.
These documentation pages might be helpful:

  • Hi Anton, Thanks for your fast response and help! I have some questions regarding the queryRewrite. With `queryRewrite` can I edit each cube or is it a general filter applied to all the Cubes? I mean we need to do some internal subquery logic using the SecurityContext according to each Cube. Ex: Use the security context as input for some SQL Functions, A CASE that changes according to the SecurityContext, etc. – Camilo Velasquez Sep 02 '21 at 14:22
  • We were looking at [this](https://cube.dev/docs/multitenancy-setup#security-context-vs-multitenant-compile-context). I know that below it, they recommend `queryRewrite`, but I don't know how to use it for a particular Cube and inside a subquery. – Camilo Velasquez Sep 02 '21 at 14:58
  • @CamiloVelasquez, by default, `queryRewrite` is applied to all queries, but you can analyze a query on the fly and change the behavior depending on the cube name. Please see this [recipe](https://cube.dev/docs/recipes/column-based-access) where we get the cube names and add a filter. – Anton Rychkov Sep 03 '21 at 11:12
  • Great! Thanks! I'm going to try that. – Camilo Velasquez Sep 03 '21 at 14:48
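
One way to apply the `queryRewrite` approach from the answer per cube, as an added example that is not code from the thread or from the Cube project. It assumes every tenant-scoped cube exposes a `tenantId` dimension (for instance inherited from the base cube); `Currencies` is a hypothetical cube that needs no tenant filter.

```javascript
// Assumption: cubes listed here hold no tenant data; every other cube must
// expose a `tenantId` dimension. `Currencies` is a hypothetical name.
const UNSCOPED_CUBES = new Set(['Currencies']);

// Member names inside filters, including nested { and: [...] } / { or: [...] } groups.
function filterMembers(filters = []) {
  return filters.flatMap((f) =>
    f.member ? [f.member] : filterMembers(f.and || f.or || []));
}

// Cube names a query touches, taken from its "Cube.member" references.
function cubesInQuery(query) {
  const members = [
    ...(query.measures || []),
    ...(query.dimensions || []),
    ...(query.segments || []),
    ...(query.timeDimensions || []).map((td) => td.dimension),
    ...filterMembers(query.filters),
  ];
  return [...new Set(members.map((m) => m.split('.')[0]))];
}

function queryRewrite(query, { securityContext }) {
  const tenantId = securityContext && securityContext.tenantId;
  // Fail closed: a token without the claim is rejected, never run unfiltered.
  if (tenantId === undefined || tenantId === null) {
    throw new Error('No tenantId in security context');
  }
  // Default is "scoped": a cube is skipped only if explicitly listed as unscoped.
  const tenantFilters = cubesInQuery(query)
    .filter((cube) => !UNSCOPED_CUBES.has(cube))
    .map((cube) => ({
      member: `${cube}.tenantId`,
      operator: 'equals',
      values: [String(tenantId)],
    }));
  // Top-level filters are ANDed, so a client-supplied tenantId filter
  // cannot widen the result beyond the caller's own tenant.
  return { ...query, filters: [...(query.filters || []), ...tenantFilters] };
}

// In cube.js: module.exports = { queryRewrite };
if (typeof module !== 'undefined') module.exports = { queryRewrite };
```

Because the filter is added to the query rather than to the cube's `sql`, `RestrictedOrderFacts` can keep its `status = 'RESTRICTED'` subquery without referencing `SECURITY_CONTEXT` at all.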