
Security Context empty when using Python config

Open sabinevidal opened this issue 1 year ago • 3 comments

Describe the bug

When using Cube Cloud, and sending additional information in the Cube Token via the API, the Security Context in driver_factory is empty. This was working in JavaScript. We need to pass additional dynamic data in order to set up multitenancy and would prefer to use the Python implementation.

Edit: this does work in Dev Mode

To Reproduce

  1. Create an encoded JWT with the following in the payload, and set the secret to your configured CUBE_API_SECRET
{
  "iat": 1719909131,
  "user_id": 28
}
  2. Create the following Cube.py
from cube import config

@config('driver_factory')
def driver_factory(ctx: dict) -> None:
    try:
        print(ctx)
        user = default_userId
        warehouse = default_warehouse
        account = default_account
        database = default_database

        if not user or not warehouse:
            raise ValueError("Missing userId or warehouse in securityContext")

        return {
            'type': 'snowflake',
            'user': user,
            'private_key': private_key_content,
            'database': database,
            'warehouse': warehouse
        }
    except Exception as e:
        print(f"Error in driver_factory: {e}")
        return None
  3. Run a curl request with the created JWT and your REST API url.

Expected behavior

Printing ctx in the logs shows "securityContext":{"iat":1719909131,"user_id":28}

Results

From logs

{"message":"REST API Request","path":"/cubejs-api/v1/load?query={omitted}","method":"GET","status":200,"ip":"::ffff:1234567","time":"2024-07-02T11111Z","securityContext":{"iat":1719909131,"user_id":28},"requestId":"12345-span-1"}
{'requestId': 'scheduler-54321', 'dataSource': 'default', 'securityContext': {}, 'authInfo': None}

Version: [e.g. 0.35.55]

Additional context

Possibly related to https://github.com/cube-js/cube/issues/8133

sabinevidal avatar Jul 02 '24 09:07 sabinevidal
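An added example, not code from this issue or from the Cube project: step 1 of the reproduction (an HS256 token carrying the payload above) built and checked with the Python standard library, plus a tenant lookup that fails closed when the context arrives empty, as in the second log line. The names `mint_token`, `verify_token`, `tenant_user` and the `SECRET` value are hypothetical; `SECRET` stands in for the configured CUBE_API_SECRET.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_token(payload: dict, secret: str) -> str:
    """Build an HS256 JWT whose payload becomes the security context."""
    parts = [{"alg": "HS256", "typ": "JWT"}, payload]
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return f"{signing_input}.{_b64url(_sign(signing_input, secret))}"

def verify_token(token: str, secret: str) -> dict:
    """Return the payload only if the token is well formed and correctly signed."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64url(head))
        given = _unb64url(sig)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse "none" and other algorithms
    if not hmac.compare_digest(given, _sign(f"{head}.{body}", secret)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

def tenant_user(ctx: dict) -> int:
    """Fail closed: an empty securityContext must not fall back to a default tenant."""
    user_id = (ctx.get("securityContext") or {}).get("user_id")
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise PermissionError("securityContext has no usable user_id")
    return user_id

SECRET = "constructed-secret"  # constructed value, stand-in for CUBE_API_SECRET
TOKEN = mint_token({"iat": 1719909131, "user_id": 28}, SECRET)
```

Calling `tenant_user(ctx)` at the top of a `driver_factory` turns an empty context into an explicit error instead of a connection made with default credentials.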

Hi @sabinevidal 👋

I tried my best to reproduce this but I wasn't able to. Here's my exact cube.py file:

from cube import config

@config('driver_factory')
def driver_factory(ctx: dict) -> None:
    default_userId = 'default_userId'
    default_warehouse = 'default_warehouse'
    default_account = 'default_account'
    default_database = 'default_database'
    private_key_content = 'private_key_content'

    try:
        print(ctx)
        user = default_userId
        warehouse = default_warehouse
        account = default_account
        database = default_database

        if not user or not warehouse:
            raise ValueError("Missing userId or warehouse in securityContext")

        return {
            'type': 'snowflake',
            'user': user,
            'private_key': private_key_content,
            'database': database,
            'warehouse': warehouse
        }
    except Exception as e:
        print(f"Error in driver_factory: {e}")
        return None

I've tried to set the security context both through Playground and via a JWT when querying the REST API. I was able to see the security context printed in both cases.

Does this reproduce for you? It would be great if you can provide a link to a Cube Cloud deployment where this reproduces. You can email me a link to [email protected].

igorlukanin avatar Aug 14 '24 09:08 igorlukanin

Hi @igorlukanin, thanks for looking into this! I will try to reproduce it asap, but we have since moved to cube.js per your recommendation in #8133 so do not currently have a deployment with this in place. Will update when I have done this.

sabinevidal avatar Aug 20 '24 11:08 sabinevidal

I see. BTW, #8133 might be getting fixed really soon. There's a PR prepared by @mcheshkov already 😄

igorlukanin avatar Aug 20 '24 13:08 igorlukanin

#8133 is long resolved. Closing this issue due to inactivity too.

igorlukanin avatar Nov 01 '24 13:11 igorlukanin