cube-js / cube

📊 Cube — The Semantic Layer for Building Data Applications
https://cube.dev

OAuth Passthrough For Snowflake (and other DB) #7836

Open sdotz-cb opened 6 months ago

sdotz-cb commented 6 months ago

Is your feature request related to a problem? Please describe.
In larger organizations, we often manage data permissions within the database itself as this is the best way to control data access centrally and in a way that all BI tools, ad-hoc querying and applications can pass through a central permissioning control plane. I know Cube has some ACL features but we're not ready, and it's not feasible to commit to it as a single front for all DWH access.

Describe the solution you'd like
Cube should support OAuth for interacting with the DB (Snowflake in my case) so that querying can be done on behalf of the user, and obey their permissions as stored and managed by the database, rather than with a service account which can only reflect a single set of permissions.

Describe alternatives you've considered
One possible alternative is to have everyone run Cube locally with their own DB credentials to use it as a metric explorer/designer of sorts, but this would not help us to front BI tools as a single-source-of-truth metric definition layer.

Another idea which we will actually use in some in-house apps is to use Cube's APIs (v1/sql) to generate SQL, but then run the SQL from the downstream application using user/service account creds instead of the cube creds.

Additional context
I think there are also implications for caching and pre-agg. If Cube is storing/pre-aggregating, we might want to disable this for OAuth queries, as it would defeat the purpose if privileged user A requests some data which gets cached, and unprivileged user B is able to access a cached version of it through Cube. It might make sense to have env vars available to disable pre-agg and caching.

paveltiunov commented 6 months ago

Hey @sdotz-cb ! It's possible to use a combination of https://cube.dev/docs/reference/configuration/config#context_to_orchestrator_id and https://cube.dev/docs/reference/configuration/config#driver_factory. Depending on what front end should be authenticated, there are different approaches on how to put the OAuth token in a security context.