From d79481e9673c96512ba5e6eb929a5dfe69c0b58a Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Fri, 12 Jun 2026 11:14:56 -0700 Subject: [PATCH 1/2] docs: add access control page referencing shared STAC API auth The eoAPI deployment shared with the Resource Discovery BB is protected by stac-auth-proxy. This page summarizes the policy model and links to the full documentation in the Resource Discovery BB docs. Refs EOEPCA/resource-discovery#203 --- docs/admin/auth.md | 13 +++++++++++++ mkdocs.yml | 1 + 2 files changed, 14 insertions(+) create mode 100644 docs/admin/auth.md diff --git a/docs/admin/auth.md b/docs/admin/auth.md new file mode 100644 index 0000000..f6af2be --- /dev/null +++ b/docs/admin/auth.md @@ -0,0 +1,13 @@ +# Access Control + +The Data Access building block shares its eoAPI deployment with the [Resource Discovery building block](https://eoepca.readthedocs.io/projects/resource-discovery/). The STAC API of that deployment is protected by [STAC Auth Proxy](https://github.com/developmentseed/stac-auth-proxy), which validates OIDC tokens issued by the IAM building block and enforces collection-level access policies by injecting CQL2 filters into every request. + +In brief: + +- Collections without a `.` in their ID (e.g. `sentinel-2-l2a`) are **public**: anyone can read them, and only the `stac_editor` service role can write them. +- Collections named `.` are readable and writable by that user. +- Collections named `.` are readable and writable by that group's members; a `-ro` group variant grants read-only access. + +Since read responses depend on the caller's identity, clients should send their `Authorization: Bearer ` header on all STAC API requests, not only on writes. [STAC Manager](https://github.com/developmentseed/stac-manager), the basis of the data administration interface, does this as of `v1.0.0`. + +The policy model, enforcement details, and configuration are documented in the Resource Discovery building block: see [Data Catalogue — Access Control](https://eoepca.readthedocs.io/projects/resource-discovery/en/latest/design/data-catalogue/auth/). The policy implementation lives in the [`eoepca-plus` deployment repository](https://github.com/EOEPCA/eoepca-plus/tree/deploy-develop/argocd/eoepca/data-access/parts/stac-auth-proxy). diff --git a/mkdocs.yml b/mkdocs.yml index 3b48f60..a4284d2 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -14,6 +14,7 @@ nav: - api/endpoint-specification.md - api/health-checks.md - Administration: + - admin/auth.md - admin/autoscaling.md theme: From 39d1de3d97f4add0dfcd5ccd969ddddb5746aeb6 Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Fri, 12 Jun 2026 15:55:55 -0700 Subject: [PATCH 2/2] docs: scope access control page to the STAC API --- docs/admin/auth.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/admin/auth.md b/docs/admin/auth.md index f6af2be..cb0b13f 100644 --- a/docs/admin/auth.md +++ b/docs/admin/auth.md @@ -1,6 +1,6 @@ -# Access Control +# STAC API Access Control -The Data Access building block shares its eoAPI deployment with the [Resource Discovery building block](https://eoepca.readthedocs.io/projects/resource-discovery/). The STAC API of that deployment is protected by [STAC Auth Proxy](https://github.com/developmentseed/stac-auth-proxy), which validates OIDC tokens issued by the IAM building block and enforces collection-level access policies by injecting CQL2 filters into every request. +The Data Access building block shares its eoAPI deployment with the [Resource Discovery building block](https://eoepca.readthedocs.io/projects/resource-discovery/). The STAC API of that deployment is protected by [STAC Auth Proxy](https://github.com/developmentseed/stac-auth-proxy), which validates OIDC tokens issued by the IAM building block and enforces collection-level access policies by injecting CQL2 filters into every request. These policies apply to the STAC API only — the raster, vector, and multidimensional APIs are not covered by them. In brief: @@ -8,6 +8,6 @@ In brief: - Collections named `.` are readable and writable by that user. - Collections named `.` are readable and writable by that group's members; a `-ro` group variant grants read-only access. -Since read responses depend on the caller's identity, clients should send their `Authorization: Bearer ` header on all STAC API requests, not only on writes. [STAC Manager](https://github.com/developmentseed/stac-manager), the basis of the data administration interface, does this as of `v1.0.0`. +Since read responses depend on the caller's identity, clients should send their `Authorization: Bearer ` header on all STAC API requests, not only on writes. [STAC Manager](https://github.com/developmentseed/stac-manager), the basis of the data administration interface, does this automatically. The policy model, enforcement details, and configuration are documented in the Resource Discovery building block: see [Data Catalogue — Access Control](https://eoepca.readthedocs.io/projects/resource-discovery/en/latest/design/data-catalogue/auth/). The policy implementation lives in the [`eoepca-plus` deployment repository](https://github.com/EOEPCA/eoepca-plus/tree/deploy-develop/argocd/eoepca/data-access/parts/stac-auth-proxy).