Fix query rewrite rules to match by source table, not cube name#34
Merged
Fix query rewrite rules to match by source table, not cube name#34
Conversation
Rules target table names (e.g. "semantic_events") but buildCubeToTableMap only mapped cubes that had meta.source_table set. Cubes like SemanticEvents with sql: "SELECT * FROM cst.semantic_events" but no meta.source_table were falling back to the cube name, which didn't match the rule. New extractTableName() resolves the table from: 1. meta.source_table (explicit) 2. sql_table property (strip schema prefix) 3. sql FROM clause (regex parse) Also: if a cube is backed by a ruled table but lacks the required dimension, the query is now blocked instead of silently skipping the rule — dropping a dimension must not bypass access control. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
firsi
approved these changes
Mar 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
extractTableName(): New function that resolves the source table frommeta.source_table→sql_table→ SQLFROMclause. This ensures rules likesemantic_events.partition = team.partitionapply to ALL cubes backed by that table (e.g.SemanticEvents,semantic_events,RentalEvent) regardless of cube naming.Problem
Rules stored
cube_name = "semantic_events"(the table name). ButbuildCubeToTableMaponly mapped cubes withmeta.source_tableset. The hand-writtenSemanticEventscube (capital S, no meta) fell back to using the cube name for rule lookup —SemanticEvents!=semantic_events— so the partition filter was never applied. Teams like somi.is could see bluecar.is data and vice versa.Test plan
extractTableNameresolvesSemanticEvents(sql:SELECT * FROM cst.semantic_events) →semantic_eventsSemanticEvents.partition equals ["somi.is"]partitiondimension → query blocked (not skipped)🤖 Generated with Claude Code