基于 queryRewrite,我们可以实现强大的安全控制,例如基于角色的访问控制和基于列的访问控制。这类控制是否可靠,取决于 securityContext 的来源:其中的 role、email 等字段应来自服务端已验证的凭证,而不是客户端可以随意填写的值。
基于角色的访问控制
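// Order statuses each role is allowed to see. A role that is absent from this
// table is rejected, so a new, misspelled or unexpected role never falls
// through to an unfiltered query. Extend the table (or add an explicit branch)
// for any further role that should be able to query.
const ORDER_STATUSES_BY_ROLE = new Map([
  ['manager', ['shipped', 'completed']],
  ['operator', ['processing']],
]);

module.exports = {
  /**
   * Appends an `Orders.status` filter that matches the caller's role.
   *
   * The lookup is deny-by-default: the role must be present in the security
   * context and must be one of the keys of ORDER_STATUSES_BY_ROLE. Map lookup
   * compares without type coercion, so a non-string role (for example an
   * array such as ['manager']) does not match a string key.
   *
   * @param {object} query - Query to rewrite; its `filters` array is mutated.
   * @param {{ securityContext: object }} context - Request context carrying `role`.
   * @returns {object} The same query object with the role filter appended.
   * @throws {Error} If the role is missing or is not a known role.
   */
  queryRewrite: (query, { securityContext }) => {
    if (!securityContext.role) {
      throw new Error('No role found in Security Context!');
    }

    const allowedStatuses = ORDER_STATUSES_BY_ROLE.get(securityContext.role);
    if (!allowedStatuses) {
      // Fail closed: an unrecognised role must not receive the unrestricted query.
      throw new Error('Unsupported role found in Security Context!');
    }

    if (!Array.isArray(query.filters)) {
      query.filters = [];
    }
    query.filters.push({
      member: 'Orders.status',
      operator: 'equals',
      // Copy so later mutation of the query cannot alter the policy table.
      values: [...allowedStatuses],
    });
    return query;
  },
};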
基于列的访问控制(当查询涉及 Products 时,按 Suppliers.email 列的值过滤返回的行)
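// Cube whose rows are restricted to the supplier identified by the caller's email.
const RESTRICTED_CUBE = 'Products';

// Returns the cube part of a `Cube.member` reference, or undefined for non-strings.
const cubeOf = (member) =>
  typeof member === 'string' ? member.split('.')[0] : undefined;

// Collects the member references used by filters, descending into and/or groups.
// `dimension` is read next to `member` in case a filter uses that older key.
const filterMembers = (filters) =>
  (Array.isArray(filters) ? filters : []).reduce((members, filter) => {
    if (!filter || typeof filter !== 'object') {
      return members;
    }
    return members.concat(
      [filter.member, filter.dimension],
      filterMembers(filter.and),
      filterMembers(filter.or)
    );
  }, []);

module.exports = {
  /**
   * Appends a `Suppliers.email` filter whenever the query references the
   * Products cube.
   *
   * Every part of the query that can name a member is inspected: measures,
   * dimensions, segments, time dimensions and filters. Looking only at
   * measures and dimensions would leave a query that reaches Products through
   * one of the other parts without the supplier filter.
   *
   * NOTE(review): the check is name-based. It does not see a cube that the
   * data model pulls in implicitly (for example through a join or a view);
   * confirm whether the restriction is needed there as well.
   *
   * @param {object} query - Query to rewrite; its `filters` array is mutated.
   * @param {{ securityContext: object }} context - Request context carrying `email`.
   * @returns {object} The same query object, with the filter appended when needed.
   * @throws {Error} If Products is referenced and the context has no email.
   */
  queryRewrite: (query, { securityContext }) => {
    const referencedMembers = [
      ...(query.measures || []),
      ...(query.dimensions || []),
      ...(query.segments || []),
      ...(query.timeDimensions || []).map((entry) => entry && entry.dimension),
      ...filterMembers(query.filters),
    ];
    const touchesRestrictedCube = referencedMembers.some(
      (member) => cubeOf(member) === RESTRICTED_CUBE
    );

    if (touchesRestrictedCube) {
      if (!securityContext.email) {
        throw new Error('No email found in Security Context!');
      }
      if (!Array.isArray(query.filters)) {
        query.filters = [];
      }
      query.filters.push({
        member: 'Suppliers.email',
        operator: 'equals',
        values: [securityContext.email],
      });
    }
    return query;
  },
};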
说明
以上内容是基于官方文档的,是一个不错的资料
参考资料
https://cube.dev/docs/recipes/column-based-access
https://cube.dev/docs/recipes/role-based-access