docs: document STAC API access control with STAC Auth Proxy #167
Open
alukach wants to merge 2 commits into
Adds a section to the Data Access page describing how to protect the STAC API with stac-auth-proxy and the EOEPCA collection-prefix access policies, as deployed in the EOEPCA+ demo cluster: enabling the proxy subchart, mounting the policy filter factories via ConfigMap, Keycloak configuration, ingress routing, and validation steps. Refs EOEPCA/resource-discovery#203
…tion Reframe the section as complementary to ingress-level OPA rather than a strict alternative, warn that the sample collection must be loaded before enabling the proxy (anonymous writes are rejected once active), demote step headings below the page's main deployment-step numbering, and point group naming and suffix semantics at the Resource Discovery policy docs.
What I'm changing
Per @rconway's comment on EOEPCA/resource-discovery#203, the STAC API access-control approach implemented in EOEPCA/eoepca-plus#118 should be documented in the Deployment Guide.
This adds a STAC API Access Control (STAC Auth Proxy) section to the Data Access page, covering:
stac-auth-proxy subchart in the eoAPI Helm values
stac_editor client role for service accounts, groups claim mapper)
/stac ingress path through the proxy
Also adds STAC Auth Proxy to the components overview, optional prerequisites, and further reading.
Scope note
This is docs-only: configure-data-access.sh and the values/IAM templates under scripts/data-access/ do not yet template the proxy configuration, and the page's IAM sections still describe the Keycloak+OPA approach. The new section is positioned as an alternative and flags the manual steps explicitly. Updating the scripts (and deciding whether stac-auth-proxy supersedes the OPA path) is left to maintainers — happy to help with that as a follow-up if useful.
How you can test it
Builds cleanly — the 5 reported issues are pre-existing anchors in oapip-engine.md/workspace.md, untouched by this PR.
Note
Merge order: the new section links to the Resource Discovery Access Control docs added in EOEPCA/resource-discovery#257 — that PR should merge (and ReadTheDocs rebuild) first, or the link will 404.