Access policy with row level filter defined through JS variable throws compilation error

[HrisIord]

Describe the bug
When defining an access policy with a row level filter the server fails to compile the Cube and throws an error. The exact same access policy works as expected when in-lined into the Cube. Cube definitions support the use of variables in dimensions and measures, and even though this syntax isn't documented I expected it to work, and allow for DRY-ing up schema definitions.

To Reproduce
Use the minimally reproducible Cube Schema, then make a load request to the REST API for any of the cube's dimensions. The query will generate the following error:

Compiling schema error: 004a058c-1e31-4fd5-a7fd-c4131cb87a36-span-1 (50ms)
{
  "version": "default_schema_version_b865a63ed1e9d34856f6c6116c0490a8"
} 
Error: Compile errors:
Task cube: (accessPolicy[0].rowLevel.filters[0] = [object Object]) does not match any of the allowed types
    at ErrorReporter.throwIfAny (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/ErrorReporter.ts:139:13)
    at DataSchemaCompiler.throwIfAnyErrors (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/DataSchemaCompiler.js:422:23)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/DataSchemaCompiler.js:240:16
    at CompilerApi.compileSchema (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/server-core/src/core/CompilerApi.js:99:25)
    at CompilerApi.applyRowLevelSecurity (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/server-core/src/core/CompilerApi.js:302:23)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1256:58
    at async Promise.all (index 0)
    at ApiGateway.getNormalizedQueries (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1244:48)
    at ApiGateway.load (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1845:9)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:307:7
Internal Server Error: 004a058c-1e31-4fd5-a7fd-c4131cb87a36-span-1 (82ms)
--
{
  "dimensions": [
    "Task.id",
    "Task.title",
    "Task.description"
  ]
}
--
{} 
Error: Compile errors:
Task cube: (accessPolicy[0].rowLevel.filters[0] = [object Object]) does not match any of the allowed types
    at ErrorReporter.throwIfAny (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/ErrorReporter.ts:139:13)
    at DataSchemaCompiler.throwIfAnyErrors (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/DataSchemaCompiler.js:422:23)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/schema-compiler/src/compiler/DataSchemaCompiler.js:240:16
    at CompilerApi.compileSchema (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/server-core/src/core/CompilerApi.js:99:25)
    at CompilerApi.applyRowLevelSecurity (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/server-core/src/core/CompilerApi.js:302:23)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1256:58
    at async Promise.all (index 0)
    at ApiGateway.getNormalizedQueries (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1244:48)
    at ApiGateway.load (/home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:1845:9)
    at /home/myuser/workspace/cube-debug/node_modules/@cubejs-backend/api-gateway/src/gateway.ts:307:7

Expected behavior
The schema should compile and the query should return a result as it does when the access policy is in-lined.

Minimally reproducible Cube Schema
In case your bug report is data modelling related please put your minimally reproducible Cube Schema here.
You can use selects without tables in order to achieve that as follows.

const myAccessPolicy = {
  role: "*",
  memberLevel: { includes: `*` },
  rowLevel: {
    filters: [
      {
        member: `priority`,
        operator: `equals`,
        values: [9],
      },
    ],
  },
};

const description = {
  sql: () => `text`,
  type: `string`,
};

cube(`Task`, {
  sql: `select * from task`,

  dimensions: {
    id: {
      sql: `id`,
      type: `number`,
    },
    title: {
      sql: `title`,
      type: `string`,
    },
    priority: {
      sql: `priority`,
      type: `number`,
    },
    description,
  },

  accessPolicy: [myAccessPolicy],
});

Version:
[e.g. v1.2.34]
The version above is the version I got the exact error log from, but I also tried upgrading to v1.3 and got a similar error.

Additional context
I assume the syntax for extracting access policies into a variable will need to be slightly different than the in-line syntax, as with dimensions. If you could provide details on the differences that'd be really useful.

Thank you for looking at this!

[igorlukanin]

Hi @HrisIord 👋

Thanks for the question! You need to update your filter as follows. Note that both member and values are functions now. Also, note that values should return an array of strings at all times.

      {
        member: () => `priority`,
        operator: `equals`,
        values: () => ["9"],
      },

With that, it now compiles and generates SQL as expected:

I would suggest taking a look at https://github.com/cube-js/cube/blob/5453581b719713024d958c333318d0b70e21adf0/packages/cubejs-schema-compiler/src/compiler/CubeValidator.ts. As you can see in this part, member and values indeed need to be functions.

Actually, when anything is extracted into a variable for reuse, it should adhere to validations from that file.

I hope this is helpful.