[pull] master from cube-js:master

CHANGELOG.md

@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.6.19](https://github.com/cube-js/cube/compare/v1.6.18...v1.6.19) (2026-03-03)
+
+### Bug Fixes
+
+- **api-gateway:** Accept `cache` parameter in WebSocket requests, fix [#10451](https://github.com/cube-js/cube/issues/10451) ([#10453](https://github.com/cube-js/cube/issues/10453)) ([5e8d0eb](https://github.com/cube-js/cube/commit/5e8d0ebf96e93afe5d8e7c1a5f2ae278b1671c17))
+- **api-gateway:** Remove Transfer-Encoding header on /cubesql error responses, fix [#10450](https://github.com/cube-js/cube/issues/10450) ([#10455](https://github.com/cube-js/cube/issues/10455)) ([1b4f137](https://github.com/cube-js/cube/commit/1b4f1375233cf3064f7d9cf909f053b9fc195541))
+- **query-orchestrator:** Queue - improve performance for high concurrency ([#9705](https://github.com/cube-js/cube/issues/9705)) ([7a3c1a6](https://github.com/cube-js/cube/commit/7a3c1a6dababeca87ec0279f168657c0742d9137))
+
 ## [1.6.18](https://github.com/cube-js/cube/compare/v1.6.17...v1.6.18) (2026-03-02)
 
 ### Bug Fixes

docs/content/product/administration/sso/okta/_meta.js

@@ -0,0 +1,4 @@
+export default {
+  "saml": "SAML",
+  "scim": "SCIM"
+}

docs/content/product/administration/sso/okta/index.mdx

@@ -0,0 +1,32 @@
+---
+asIndexPage: true
+---
+
+# Okta
+
+Cube Cloud supports authenticating users through [Okta][ext-okta],
+which is useful when you want your users to access Cube Cloud using
+single sign-on.
+
+<InfoBox>
+
+Available on [Enterprise and above plans](https://cube.dev/pricing).
+
+</InfoBox>
+
+## Setup guides
+
+<Grid imageSize={[56, 56]}>
+  <GridItem
+    url="okta/saml"
+    imageUrl="https://static.cube.dev/icons/okta.svg"
+    title="SAML"
+  />
+  <GridItem
+    url="okta/scim"
+    imageUrl="https://static.cube.dev/icons/okta.svg"
+    title="SCIM"
+  />
+</Grid>
+
+[ext-okta]: https://www.okta.com/

docs/content/product/administration/sso/okta.mdx → docs/content/product/administration/sso/okta/saml.mdx

@@ -42,7 +42,7 @@ Okta][okta-docs-create-saml-app].
 
 2.  Click <Btn>Applications > Applications</Btn> from the navigation on the left
     of the screen, then click <Btn>Create App Integration</Btn>, then
-    select <Btn>SAML 2.0</Btn> and click <Btn>Next</Btn>.
+    select <Btn>SAML 2.0</Btn> and click <Btn>Next</Btn>.
 
 <Screenshot src="https://ucarecdn.com/16c9a49c-727f-46de-aa06-9534f92d3104/" />
 

docs/content/product/administration/sso/okta/scim.mdx

@@ -0,0 +1,122 @@
+# SCIM provisioning with Okta
+
+With SCIM (System for Cross-domain Identity Management) enabled, you can
+automate user provisioning in Cube Cloud and keep user groups synchronized
+with Okta.
+
+<InfoBox>
+
+Available on [Enterprise and above plans](https://cube.dev/pricing).
+
+</InfoBox>
+
+## Prerequisites
+
+Before proceeding, ensure you have the following:
+
+- Okta SAML authentication already configured. If not, complete
+  the [SAML setup][ref-saml] first.
+- Admin permissions in Cube Cloud.
+- Admin permissions in Okta to manage application integrations.
+
+## Enable SCIM provisioning in Cube Cloud
+
+Before configuring SCIM in Okta, you need to enable SCIM
+provisioning in Cube Cloud:
+
+1. In Cube, navigate to <Btn>Admin → Settings</Btn>.
+2. In the <Btn>SAML</Btn> section, enable <Btn>SCIM Provisioning</Btn>.
+
+## Generate an API key in Cube Cloud
+
+To allow Okta to communicate with Cube Cloud via SCIM, you'll need to
+create a dedicated API key:
+
+1. In Cube Cloud, navigate to <Btn>Settings → API Keys</Btn>.
+2. Create a new API key. Give it a descriptive name such as **Okta SCIM**.
+3. Copy the generated key and store it securely — you'll need it in the
+   next step.
+
+## Enable SCIM provisioning in Okta
+
+This section assumes you already have a Cube Cloud SAML app integration
+in Okta. If you haven't created one yet, follow the
+[SAML setup guide][ref-saml] first.
+
+1. In the Okta Admin Console, go to <Btn>Applications → Applications</Btn>
+   and open your Cube Cloud application.
+2. On the <Btn>General</Btn> tab, click <Btn>Edit</Btn> in the
+   <Btn>App Settings</Btn> section.
+3. Set the <Btn>Provisioning</Btn> field to **SCIM** and click
+   <Btn>Save</Btn>.
+
+## Configure SCIM connection in Okta
+
+1. Navigate to the <Btn>Provisioning</Btn> tab of your Cube Cloud application.
+2. In the <Btn>Settings → Integration</Btn> section, click <Btn>Edit</Btn>.
+3. Fill in the following fields:
+   - **SCIM connector base URL** — Your Cube Cloud deployment URL with
+     `/api/scim/v2` appended. For example:
+     `https://your-deployment.cubecloud.dev/api/scim/v2`
+   - **Unique identifier field for users** — `userName`
+   - **Supported provisioning actions** — Select **Push New Users**,
+     **Push Profile Updates**, and **Push Groups**.
+   - **Authentication Mode** — Select **HTTP Header**.
+4. In the <Btn>HTTP Header</Btn> section, paste the API key you generated
+   earlier into the <Btn>Authorization</Btn> field.
+5. Click <Btn>Test Connector Configuration</Btn> to verify that Okta can
+   reach Cube Cloud. Proceed once the test is successful.
+6. Click <Btn>Save</Btn>.
+
+## Configure provisioning actions
+
+After saving the SCIM connection, configure which provisioning actions
+are enabled for your application:
+
+1. On the <Btn>Provisioning</Btn> tab, go to <Btn>Settings → To App</Btn>.
+2. Click <Btn>Edit</Btn> and enable the actions you want:
+   - **Create Users** — Automatically create users in Cube Cloud when
+     they are assigned in Okta.
+   - **Update User Attributes** — Synchronize profile changes from Okta
+     to Cube Cloud.
+   - **Deactivate Users** — Deactivate users in Cube Cloud when they are
+     unassigned or deactivated in Okta.
+3. Click <Btn>Save</Btn>.
+
+## Assign users and groups
+
+For users and groups to be provisioned in Cube Cloud, you need to assign
+them to your Cube Cloud application in Okta. This is also required for
+group memberships to be correctly synchronized — pushing a group alone
+does not assign its members to the application.
+
+1. In your Cube Cloud application, navigate to the <Btn>Assignments</Btn> tab.
+2. Click <Btn>Assign</Btn> and choose <Btn>Assign to Groups</Btn> (or
+   <Btn>Assign to People</Btn> for individual users).
+3. Select the groups or users you want to provision and click <Btn>Assign</Btn>,
+   then click <Btn>Done</Btn>.
+
+<WarningBox>
+
+If users were assigned to the application before SCIM provisioning was enabled,
+Okta will show the following message in the <Btn>Assignments</Btn> tab:
+*"User was assigned this application before Provisioning was enabled and not
+provisioned in the downstream application. Click Provision User."*
+
+To resolve this, click <Btn>Provision User</Btn> next to each affected user.
+This will trigger SCIM provisioning for them without needing to remove and
+re-add their assignment.
+
+</WarningBox>
+
+## Push groups to Cube Cloud
+
+To synchronize groups from Okta to Cube Cloud, you need to select which
+groups to push:
+
+1. In your Cube Cloud application, navigate to the <Btn>Push Groups</Btn> tab.
+2. Click <Btn>Push Groups</Btn> and choose how to find your groups — you can
+   search by name or rule.
+3. Select the groups you want to push to Cube Cloud and click <Btn>Save</Btn>.
+
+[ref-saml]: /product/administration/sso/okta/saml

docs/redirects.json

@@ -1,4 +1,9 @@
 [
+  {
+    "source": "/product/administration/sso/okta",
+    "destination": "/product/administration/sso/okta/saml",
+    "permanent": true
+  },
   {
     "source": "/product/administration/workspace/saved-reports",
     "destination": "/product/administration/workspace",

lerna.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.6.18",
+  "version": "1.6.19",
   "npmClient": "yarn",
   "command": {
     "bootstrap": {

packages/cubejs-api-gateway/CHANGELOG.md

@@ -3,6 +3,13 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.6.19](https://github.com/cube-js/cube/compare/v1.6.18...v1.6.19) (2026-03-03)
+
+### Bug Fixes
+
+- **api-gateway:** Accept `cache` parameter in WebSocket requests, fix [#10451](https://github.com/cube-js/cube/issues/10451) ([#10453](https://github.com/cube-js/cube/issues/10453)) ([5e8d0eb](https://github.com/cube-js/cube/commit/5e8d0ebf96e93afe5d8e7c1a5f2ae278b1671c17))
+- **api-gateway:** Remove Transfer-Encoding header on /cubesql error responses, fix [#10450](https://github.com/cube-js/cube/issues/10450) ([#10455](https://github.com/cube-js/cube/issues/10455)) ([1b4f137](https://github.com/cube-js/cube/commit/1b4f1375233cf3064f7d9cf909f053b9fc195541))
+
 ## [1.6.18](https://github.com/cube-js/cube/compare/v1.6.17...v1.6.18) (2026-03-02)
 
 **Note:** Version bump only for package @cubejs-backend/api-gateway

packages/cubejs-api-gateway/package.json

@@ -2,7 +2,7 @@
   "name": "@cubejs-backend/api-gateway",
   "description": "Cube.js API Gateway",
   "author": "Cube Dev, Inc.",
-  "version": "1.6.18",
+  "version": "1.6.19",
   "repository": {
     "type": "git",
     "url": "https://github.com/cube-js/cube.git",
@@ -27,9 +27,9 @@
     "dist/src/*"
   ],
   "dependencies": {
-    "@cubejs-backend/native": "1.6.18",
-    "@cubejs-backend/query-orchestrator": "1.6.18",
-    "@cubejs-backend/shared": "1.6.18",
+    "@cubejs-backend/native": "1.6.19",
+    "@cubejs-backend/query-orchestrator": "1.6.19",
+    "@cubejs-backend/shared": "1.6.19",
     "@ungap/structured-clone": "^0.3.4",
     "assert-never": "^1.4.0",
     "body-parser": "^1.19.0",
@@ -53,7 +53,7 @@
     "zod": "^4.1.13"
   },
   "devDependencies": {
-    "@cubejs-backend/linter": "1.6.18",
+    "@cubejs-backend/linter": "1.6.19",
     "@types/express": "^4.17.21",
     "@types/jest": "^29",
     "@types/jsonwebtoken": "^9.0.2",

packages/cubejs-api-gateway/src/gateway.ts

@@ -453,6 +453,11 @@ class ApiGateway {
 
           await this.sqlServer.execSql(req.body.query, res, req.context?.securityContext, req.body.cache, req.body.timezone);
         } catch (e: any) {
+          // Quickfix for https://github.com/cube-js/cube/issues/10450,
+          // Right now, it's too complicated to fix the issue correctly, because
+          // native side control stream, without understanding that it's Express.response
+          res.removeHeader('Transfer-Encoding');
+
           this.handleError({
             e,
             query: {

packages/cubejs-api-gateway/src/ws/message-schema.ts

@@ -14,6 +14,7 @@ export const unsubscribeMessageSchema = z.object({
 const queryParams = z.object({
   query: z.unknown(),
   queryType: z.string().optional(),
+  cache: z.string().optional(),
 }).strict();
 
 const queryOnlyParams = z.object({

packages/cubejs-api-gateway/src/ws/subscription-server.ts

@@ -15,11 +15,11 @@ import type { ApiGateway } from '../gateway';
 import type { LocalSubscriptionStore } from './local-subscription-store';
 
 const methodParams: Record<string, string[]> = Object.freeze({
-  load: ['query', 'queryType'],
+  load: ['query', 'queryType', 'cache'],
   sql: ['query'],
   'dry-run': ['query'],
   meta: [],
-  subscribe: ['query', 'queryType'],
+  subscribe: ['query', 'queryType', 'cache'],
   unsubscribe: [],
 });
 
@@ -183,6 +183,11 @@ export class SubscriptionServer {
         }
       }
 
+      if (collectedParams.cache !== undefined) {
+        collectedParams.cacheMode = collectedParams.cache;
+        delete collectedParams.cache;
+      }
+
       const method = message.method.replace(/[^a-z]+(.)/g, (_m, chr) => chr.toUpperCase());
       await this.apiGateway[method]({
         ...collectedParams,

packages/cubejs-api-gateway/test/ws/subscription-server.test.ts

@@ -248,6 +248,51 @@ describe('SubscriptionServer', () => {
       );
     });
 
+    it('should forward cache param as cacheMode for load', async () => {
+      const { mockApiGateway, mockSubscriptionStore, mockSendMessage, mockContextAcceptor } = createMocks();
+      const server = new SubscriptionServer(mockApiGateway, mockSendMessage, mockSubscriptionStore, mockContextAcceptor);
+
+      const message = {
+        method: 'load',
+        messageId: '123',
+        params: { query: { measures: ['Orders.count'] }, cache: 'no-cache' }
+      };
+      await server.processMessage('conn-1', JSON.stringify(message));
+
+      expect(mockApiGateway.load).toHaveBeenCalledWith(
+        expect.objectContaining({
+          query: { measures: ['Orders.count'] },
+          cacheMode: 'no-cache',
+          connectionId: 'conn-1',
+          apiType: 'ws',
+        })
+      );
+      // cache should be remapped, not passed through as-is
+      expect(mockApiGateway.load).not.toHaveBeenCalledWith(
+        expect.objectContaining({ cache: 'no-cache' })
+      );
+    });
+
+    it('should forward cache param as cacheMode for subscribe', async () => {
+      const { mockApiGateway, mockSubscriptionStore, mockSendMessage, mockContextAcceptor } = createMocks();
+      const server = new SubscriptionServer(mockApiGateway, mockSendMessage, mockSubscriptionStore, mockContextAcceptor);
+
+      const message = {
+        method: 'subscribe',
+        messageId: '123',
+        params: { query: { measures: ['Orders.count'] }, cache: 'no-cache' }
+      };
+      await server.processMessage('conn-1', JSON.stringify(message));
+
+      expect(mockApiGateway.subscribe).toHaveBeenCalledWith(
+        expect.objectContaining({
+          query: { measures: ['Orders.count'] },
+          cacheMode: 'no-cache',
+          connectionId: 'conn-1',
+        })
+      );
+    });
+
     it('should call subscribe method correctly', async () => {
       const { mockApiGateway, mockSubscriptionStore, mockSendMessage, mockContextAcceptor } = createMocks();
       const server = new SubscriptionServer(mockApiGateway, mockSendMessage, mockSubscriptionStore, mockContextAcceptor);

packages/cubejs-athena-driver/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.6.19](https://github.com/cube-js/cube/compare/v1.6.18...v1.6.19) (2026-03-03)
+
+**Note:** Version bump only for package @cubejs-backend/athena-driver
+
 ## [1.6.18](https://github.com/cube-js/cube/compare/v1.6.17...v1.6.18) (2026-03-02)
 
 **Note:** Version bump only for package @cubejs-backend/athena-driver

packages/cubejs-athena-driver/package.json

@@ -2,7 +2,7 @@
   "name": "@cubejs-backend/athena-driver",
   "description": "Cube.js Athena database driver",
   "author": "Cube Dev, Inc.",
-  "version": "1.6.18",
+  "version": "1.6.19",
   "repository": {
     "type": "git",
     "url": "https://github.com/cube-js/cube.git",
@@ -30,13 +30,13 @@
   "dependencies": {
     "@aws-sdk/client-athena": "^3.22.0",
     "@aws-sdk/credential-providers": "^3.22.0",
-    "@cubejs-backend/base-driver": "1.6.18",
-    "@cubejs-backend/shared": "1.6.18",
+    "@cubejs-backend/base-driver": "1.6.19",
+    "@cubejs-backend/shared": "1.6.19",
     "sqlstring": "^2.3.1"
   },
   "devDependencies": {
-    "@cubejs-backend/linter": "1.6.18",
-    "@cubejs-backend/testing-shared": "1.6.18",
+    "@cubejs-backend/linter": "1.6.19",
+    "@cubejs-backend/testing-shared": "1.6.19",
     "@types/ramda": "^0.27.40",
     "typescript": "~5.2.2"
   },

packages/cubejs-backend-cloud/CHANGELOG.md

@@ -3,6 +3,10 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [1.6.19](https://github.com/cube-js/cube/compare/v1.6.18...v1.6.19) (2026-03-03)
+
+**Note:** Version bump only for package @cubejs-backend/cloud
+
 ## [1.6.18](https://github.com/cube-js/cube/compare/v1.6.17...v1.6.18) (2026-03-02)
 
 **Note:** Version bump only for package @cubejs-backend/cloud