[pull] master from cube-js:master#433
Merged
pull[bot] merged 2 commits intocode:masterfrom Apr 29, 2026
Merged
Conversation
* feat: add RBAC smoke test for group-based conditional region row filtering
Add a test that verifies group-based conditional row filtering:
- region_test cube backed by users table (id, city, count)
- region_test_view with an access policy for user_group that
conditionally applies a row filter based on region_group membership
- region_user (user_group + region_group): sees only San Francisco rows
- region_user_no_filter (user_group only): sees all rows
The access policy checks security_context.auth.groups for region_group
membership. If present, it filters rows by the user's region attribute.
If absent, it grants allow_all (no row filter).
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* fix: use line_items table, group-based conditions, and MEASURE syntax
- Switch region_test cube to use public.line_items table to avoid
cross-contamination from the users cube's RBAC city filter
- Add cube-level allowAll access policy so view policies can layer
on top correctly
- Use group-based (user_group) policies with conditions to check
hasRegionFilter user attribute for conditional row filtering
- Use MEASURE() syntax for aggregate count queries
- Both users have groups only (no roles needed) β view policy uses
group: 'user_group' with conditions for mutual exclusivity
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* feat: allow security_context evaluation at rowLevel in access policies
Enable security_context to be used directly at the rowLevel property
of access policies, allowing the entire filter structure to be
controlled dynamically based on the user's security context.
Changes:
- CubePropContextTranspiler: add special handling to transpile
rowLevel/row_level when its value is an expression (not an object
literal), wrapping it in an arrow function with securityContext
- CubeValidator: accept Joi.func() as alternative for rowLevel,
alongside the existing RowLevelPolicySchema object
- CompilerApi: resolve rowLevel via evaluateContextFunction when it
is a function, and process the returned raw filters through a new
evaluateRawFilter method that handles uncompiled member references
- Update test to use the cleaner syntax where security_context
controls the rowLevel structure directly via groups.includes()
This enables patterns like:
rowLevel: security_context.auth?.groups?.includes('region_group')
? { filters: [{ member: 'col', operator: 'equals', values: ... }] }
: { allowAll: true }
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* refactor: convert region_test_view from JS to YAML
Replace the JS view with a YAML view that uses two mutually exclusive
conditions on the user_group access policy:
- hasRegionFilter (truthy) -> filters by allowedProductIds
- noRegionFilter (truthy) -> allow_all
Users carry complementary boolean attributes so the YAML conditions
(which only support truthy checks, not comparisons or negation) can
distinguish the two cases without policy overlap.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* refactor: use group-based policies instead of attribute-based conditions
Replace attribute-based conditions (hasRegionFilter/noRegionFilter) with
pure group-based policy scoping:
- group: region_group β row filter by allowedProductIds
- group: user_group β allow_all
Each user belongs to exactly one group so only one policy matches,
avoiding the union overlap problem without needing conditions.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* refactor: revert core changes, use conditions with groups.includes() check
Revert all changes to cubejs-schema-compiler and cubejs-server-core.
Use standard access policy conditions to check security context groups:
- Two mutually exclusive user_group policies with conditions:
- if: security_context.auth?.groups?.includes('region_group')
β filters by allowedProductIds
- if: !security_context.auth?.groups?.includes('region_group')
β allowAll
- region_user has both ['user_group', 'region_group'] and is
correctly filtered because the condition routes to the filter
policy, not the allowAll policy.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* refactor: convert region_test_view to YAML with group-scoped policies
Replace JS view with YAML view using two group-scoped policies:
- group: region_group β filters by allowedProductIds
- group: user_group β allow_all
Users belong to exactly one group to avoid the union-overlap problem
where allow_all would override the filter. No core changes.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* fix: use JS view with groups.includes() conditions for both-groups support
A user with both user_group and region_group must be filtered by
region_group. This requires mutually exclusive conditions checking
groups.includes('region_group') β which needs JS (not YAML, since
the YAML Python parser cannot express negation).
Single user_group policy with two condition branches:
- groups.includes('region_group') β filter by allowedProductIds
- !groups.includes('region_group') β allowAll
No core changes. region_user now has ['user_group', 'region_group']
and is correctly filtered.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
* feat: add not/and/or support to YAML Python parser, convert view to YAML
Add support for Python boolean operators in the YAML expression parser:
- not β JS ! (unary negation)
- and β JS && (logical AND)
- or β JS || (logical OR)
This enables YAML access policy conditions like:
if: "{ not (security_context.auth.groups and security_context.auth.groups.includes('region_group')) }"
Convert region_test_view from JS to YAML using the new operators
for null-safe group membership checks in conditions.
Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* docs: rename deployment types to Shared and Dedicated
Renames the Cube Cloud deployment types in the Mintlify docs:
Development -> Shared (compute shared with other Cube customers)
Production -> Dedicated (compute dedicated to your deployment)
Multi-cluster keeps its short name; the legacy "Production
multi-cluster" form becomes "Multi-cluster deployment" /
"Dedicated multi-cluster" since multi-cluster scales Dedicated
deployments.
The canonical deployment-types page gets explicit heading IDs
({#shared}, {#dedicated}, {#multi-cluster}) and a brief
high-level explanation of what "shared" vs "dedicated" means
for compute, in the intro bullets and at the top of each
section.
All in-repo cross-references (pricing, deployment admin pages,
monitoring, semantic-layer-sync, refreshing pre-aggregations)
are updated to the new anchors. Internal markdown link-reference
keys (e.g. ref-production-cluster) are kept as-is to minimize
churn; only the URL fragments change.
Out of scope: legacy /docs Next.js site, .cursor/rules/namings-rule.mdc,
docs.json redirects, and the Contentful screenshots that still
show the old names visually (alt text is updated).
Made-with: Cursor
* docs: clarify Shared deployment compute wording
Per Pavel's feedback, "shared with other Cube customers" is
inaccurate (in dedicated-infra setups it's only shared within
the account) and uncomfortable for customers with dedicated
infrastructure. Reword to "shared with other deployments within
the selected region", which is accurate in both cases.
Made-with: Cursor
* docs: remove outdated screenshots and CLI deploy section
- deployment-types.mdx: drop the three Settings screenshots; the
surrounding instructions read fine without them.
- continuous-deployment.mdx: drop the entire "Deploy with CLI"
section (Manual Deploys + Continuous Deployment subsections,
and the orphan ref-workspace-cli link); the CLI deploy flow
is no longer recommended.
Made-with: Cursor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? π Please sponsor : )