Undefined Security Context in extended cube using AbstractCube.sql(). CubeJS

Question

I have an Extended Cube that the sql attribute is based on the BaseCube/AbstractCube. The Base Cube uses the SECURITY_CONTEXT in its sql attribute. When I query the extended cube I get TypeError: Cannot read property 'tenantId' of undefined

The SECURITY_CONTEXT is the following:

{
    "tenantId": 1,
    "iat": 1630526261,
    "exp": 1808403576,
    ...
}

The cube definitions are something like this:

const BaseOrders = cube({
  sql: `SELECT * FROM orders WHERE ${SECURITY_CONTEXT.tenantId.requiredFilter('tenantId')}`

  measures: {
    count: {
      type: `count`,
      sql: `id`
    }
  }
});

cube(`RestrictedOrderFacts`, {
  extends: BaseOrders,
  sql: `
    SELECT * FROM (${BaseOrders.sql()}) AS bo WHERE status = 'RESTRICTED'
  `,
  measures: {
    doubleCount: {
      type: `number`,
      sql: `${count} * 2`
    }
  }
});

When querying the RestrictedOrderFacts, it seems that the SQL Compiler has not available the security context. Am I doing something that is not supposed to be? How can I add additional filters to an Abstract Cube depending the use case?

Note: The idea of the Abstract Cube is to provide the row level security for all of the Extended Cubes. So, we can centralize the tenant row level permissions on the Abstract Cube.

Answer 1

We don't recommend using SECURITY_CONTEXT and abstract cubes to manage data access. For this, we recommend using queryRewrite.
These documentation pages might be helpful:

• https://cube.dev/docs/security/context#using-query-rewrite
• https://cube.dev/docs/recipes/column-based-access