* fix(api-gateway): cache unfiltered GraphQL schema with RBAC enforced at query time
Instead of adding JS-side member validation for GraphQL RBAC enforcement,
rely on the existing Rust-side validation in query_result_transform.rs.
The Rust transform layer already checks if requested members are present
in the RBAC-filtered annotation map and throws 'You requested hidden member'
errors for inaccessible members.
Changes:
- Build GraphQL schema from unfiltered metadata (skipVisibilityPatch) so it
can be safely cached across security contexts sharing a CompilerApi
- Add skipVisibilityPatch option to CompilerApi.metaConfig() to bypass
RBAC visibility patching when building the shared GraphQL schema
- Add integration test verifying RBAC enforcement through GraphQL
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* ci: add smoke:rbac-graphql test to CI pipeline
Add the new RBAC GraphQL integration test to:
- packages/cubejs-testing/package.json as smoke:rbac-graphql script
- .github/actions/smoke.sh to run in integration-smoke CI job
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* fix(cubeorchestrator): validate query members against annotation even with empty results
When RBAC denies access to a member, the query gets a '1=0' filter that
returns zero rows. Previously, the Rust get_members() function would
short-circuit on empty columns (derived from zero rows) without checking
if the requested members were actually accessible.
Now validate_query_members_in_annotation() checks the query's measures,
dimensions, segments, and time dimensions against the annotation map
even when db_data.columns is empty. This ensures 'You requested hidden
member' errors are returned for RBAC-denied members regardless of
whether the query returns data.
Also adds a test for the hidden member + empty dataset scenario.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* fix(cubeorchestrator): exclude segments from empty-result member validation
Segments are not included in the annotation map (which only contains
measures, dimensions, and time dimensions). The rlsAccessDenied
synthetic segment added by RBAC denial would incorrectly trigger the
hidden member error when validated against the annotation.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* test(testing): update smoke-rbac tests for hidden member error behavior
Now that the Rust transform validates query members against the annotation
even with empty results, RBAC-denied members return 'You requested hidden
member' errors instead of silently returning empty data.
Updated tests:
- line_items hidden price_dim: expect error instead of empty result
- orders_view and cube with default policy: expect error for orders_view.count
when user has no matching access policy on the view
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* test(testing): remove obsolete orders_view_rest snapshot
The orders_view_rest snapshot is no longer used after updating the test
to expect a hidden member error instead of empty results.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* refactor(cubeorchestrator): extract ensure_member_in_annotation to deduplicate hidden member checks
The hidden member error was duplicated in three places:
- get_members (column-based check for non-empty results)
- get_vanilla_row (per-row alias check)
- validate_query_members_in_annotation (query member check for empty results)
Extract ensure_member_in_annotation() and use it in all three places.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
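The commits above describe the hidden-member check in three steps: an RBAC-denied member gets a `1=0` filter and zero rows, the transform must still validate the query's members against the annotation map when there are no columns, and segments (including the synthetic `rlsAccessDenied` one) must be skipped because they are never in the annotation map. The following is an added illustration of that logic, not code from the Cube repository: the struct names, the string-based `Query` shape, the `Annotation` type and `sample_annotation()` are all assumptions chosen to keep the example self-contained.

```rust
use std::collections::HashMap;

/// Hypothetical stand-in for one entry of the RBAC-filtered annotation map.
#[derive(Debug, Clone)]
pub struct Annotation {
    pub member_type: &'static str,
}

/// Member name -> annotation. Only measures, dimensions and time dimensions
/// ever appear here; segments do not (assumed, matching the commit text).
pub type AnnotationMap = HashMap<String, Annotation>;

/// Simplified query shape (assumed): real queries carry richer objects,
/// but the member-name check only needs the names.
#[derive(Debug, Default)]
pub struct Query {
    pub measures: Vec<String>,
    pub dimensions: Vec<String>,
    pub segments: Vec<String>,
    pub time_dimensions: Vec<String>,
}

/// Single place that raises the hidden-member error (the deduplicated helper).
pub fn ensure_member_in_annotation(annotation: &AnnotationMap, member: &str) -> Result<(), String> {
    if annotation.contains_key(member) {
        Ok(())
    } else {
        Err(format!("You requested hidden member '{}'", member))
    }
}

/// Check every requested measure, dimension and time dimension against the
/// annotation map. Segments are deliberately excluded: they are absent from
/// the map, so validating `rlsAccessDenied` here would always fail.
pub fn validate_query_members_in_annotation(query: &Query, annotation: &AnnotationMap) -> Result<(), String> {
    query
        .measures
        .iter()
        .chain(query.dimensions.iter())
        .chain(query.time_dimensions.iter())
        .try_for_each(|m| ensure_member_in_annotation(annotation, m))
}

/// Transform entry point (assumed signature). The query-level check runs
/// before the column-based one, so a denied member is reported even when the
/// `1=0` filter produced zero rows and `columns` is empty.
pub fn get_members(
    query: &Query,
    annotation: &AnnotationMap,
    columns: &[String],
) -> Result<Vec<String>, String> {
    validate_query_members_in_annotation(query, annotation)?;
    columns
        .iter()
        .map(|c| ensure_member_in_annotation(annotation, c).map(|_| c.clone()))
        .collect()
}

/// Constructed sample: the map a user with access to `orders` but not to
/// `line_items.price_dim` would see.
pub fn sample_annotation() -> AnnotationMap {
    let mut m = AnnotationMap::new();
    m.insert("orders.count".to_string(), Annotation { member_type: "measure" });
    m.insert("orders.status".to_string(), Annotation { member_type: "dimension" });
    m.insert("orders.created_at".to_string(), Annotation { member_type: "time_dimension" });
    m
}

fn main() {
    let annotation = sample_annotation();

    // Allowed members plus the synthetic denial segment: passes with empty columns.
    let allowed = Query {
        measures: vec!["orders.count".to_string()],
        dimensions: vec!["orders.status".to_string()],
        segments: vec!["rlsAccessDenied".to_string()],
        time_dimensions: vec!["orders.created_at".to_string()],
    };
    println!("{:?}", get_members(&allowed, &annotation, &[]));

    // Denied dimension with zero rows: error instead of a silent empty result.
    let denied = Query {
        dimensions: vec!["line_items.price_dim".to_string()],
        ..Default::default()
    };
    println!("{:?}", get_members(&denied, &annotation, &[]));
}
```

The ordering inside `get_members` is the point: a column-based check alone short-circuits on an empty result set, which is exactly the case RBAC denial produces.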
* chore(ci): Fix codecov coverage collection within CI jobs
* fix codecov to git paths
* fix codecov flags
* another try
* remove debug
* Potential fix for code scanning alert no. 416: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix
* another fix
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* bold attempt to upgrade runners
* fix mongodb-bi version
* drop 2017-latest MSSQL from tests
* fix integrations tests CI Run
* dedup testcontainers package
* fix missed 2017-latest version
* attempt to fix Build cross image
* enable debug for mongobi
* revert mongobi
* edit to run integration tests on 2404
* try to update Build cross image to 2404
* use 22.04 for native builds
Data access policy conditions should be joined via the AND operator,
but the initial implementation used OR by mistake.
Also ensured that RBAC smoke tests are run as part of the CI.
* fix: Non-additive pre-aggregations based on proxy dimension don't match anymore
* Measures can have grouped measure filters, so make them flat
* prestodb-sandbox by Ahana is missing, so disable the test for now
* fix(databricks-jdbc-driver): Return NULL decimal as NULL instead of 0
* Release node-jdbc
* Removing failing unload as it is tested by other tests
* Fix reference to node-jdbc
* Bump oracle start timeout
* Fix broken YAML indexes
* Bump startPeriod for Oracle
* Try out log wait strategy for oracle
* Show oracle container logs
* Fix rust-cache working directory
* Try to run oracle first just in case
* Fix working-directory for rust-cache
* fix(snowflake-driver): Int is exported to pre-aggregations as decimal: Internal: Execution error: Internal: Error during planning: Extension planner for ClusterSendNode
* Fix wrong package ordering
* Touch snowflake
* Add client build
* Remove obsolete snapshot
* Fix driver test using incorrect API token
* Fix athena driver test
* ok
* Feature: Split unit/integration tests
* Feature: Stop running MSSQL tests on Circle
* Feature: Welcome to GitHub Actions
* Feature: 60 seconds will be enough to pull yandex/clickhouse-server
* Feature(ci): Pull images before running test
* Feature(ci): Cache lerna
* Fix: 20s are enough to start container, 10s to stop
* Feature(@cubejs-backend/query-orchestrator): Improve testing
* Fix: Lint issues after eslint upgrade
* Feature: Run only unit tests on Circle CI (because they often fail)
* Feature(@cubejs-backend/query-orchestrator): PreAggregations test is integration, not unit