Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Protect eoAPI's STAC API Transaction Extension endpoints #101

Open
2 of 3 tasks
pantierra opened this issue Nov 29, 2024 · 5 comments
Open
2 of 3 tasks

Protect eoAPI's STAC API Transaction Extension endpoints #101

pantierra opened this issue Nov 29, 2024 · 5 comments
Assignees

Comments

@pantierra
Copy link

pantierra commented Nov 29, 2024

Related to issues #90 and #12

The STAC API, part of EOEPCA's eoAPI, requires protection for its CRUD operation endpoints as defined by the STAC API Transaction Extension. Authentication for these endpoints will be managed through the project's Keycloak instance.

We are currently evaluating several approaches for securing these endpoints:

  • Application runtime integration: One approach is to integrate endpoint protection directly within the application runtime by leveraging stac-fastapi-pgstac alongside eoapi-auth-utils. This solution offers a straightforward way to implement authentication within the STAC API component itself.

  • Dedicated auth proxy: Another option is to deploy the lightweight proxy stac-auth-proxy between the internal STAC API endpoints and the ingress. This proxy would handle authentication for the designated endpoints, providing a clean separation between the API logic and the authentication layer. Additionally, it offers flexibility, as it integrates seamlessly within the same ecosystem as the application.

  • Kubernetes ingress proxy: Leveraging Kubernetes Ingress for authentication is another potential solution. While this can offer a centralized mechanism for securing the API, it has limitations that make it more complicated compared to the other options. Kubernetes Ingress is not primarily designed for handling authentication, and its configuration can become complex when enforcing fine-grained access control for specific endpoints.

  • API Gateway: Finally, we are considering managing authentication and protection for all STAC API endpoints through the project’s apisix API Gateway. This approach would centralize access control, but it may introduce additional limitations in terms of functionality and customization.

I currently favor the second approach using a proxy. This would allow us to continue running eoAPI without modifying the packaged runtime, while also providing greater flexibility.

Acceptance criteria

  • Decided on an approach and documented in this ticket
  • Validated and implemented the approach
  • Added documentation to our RTD
@j08lue
Copy link
Collaborator

j08lue commented Dec 3, 2024

Decision from meeting today:

We will start by trying to solve this simple case using the API Gateway (APISIX + KeyCloak or OPA) and configure two routes on the same application to behave differently:

GET /stac/collection (open)
POST /stac/collection (protected)

There are indications that HTTP method-based auth should be possible with APISIX https://apisix.apache.org/docs/ingress-controller/concepts/apisix_route/#advanced-routing

This will follow the example of the Workspace API, which is currently under development.

@pantierra
Copy link
Author

@j08lue
Copy link
Collaborator

j08lue commented Dec 3, 2024

from @achtsnits

from the workspace perspective there are currently two topics ongoing with the IAM BB:

Discussed today: exploring Keycloak policies based on HTTP methods for #101. Once done with the route, we will follow up with proper ingresses for STAC API Admin tools/endpoints based on HTTP methods (see https://eoepca.slack.com/archives/C078J079YLR/p1733231324225879 above)

@j08lue
Copy link
Collaborator

j08lue commented Dec 6, 2024

Plan from here:

  1. IAM team implements a proof of concept to distinguish between the GET and POST methods on https://eoapi.develop.eoepca.org/stac/collections, where the former is open and the latter is protected via KeyCloak (group membership in an admin group or so) Implement ingress control distinguishing between GET and POST to eoapi/stac/collections #102
  2. BB updates ingress configuration to connect <- need instructions from IAM team
  3. We'll plan implementation of the auth flow in STAC Manager and either implement one, deploy it against an open copy of the service, or omit it from the 2.0.0-beta.2 release.

@j08lue j08lue changed the title Protect eoAPI's STAC API Transaction Extension endpoints Decide on approach how to protect eoAPI's STAC API Transaction Extension endpoints Dec 11, 2024
@j08lue j08lue changed the title Decide on approach how to protect eoAPI's STAC API Transaction Extension endpoints Protect eoAPI's STAC API Transaction Extension endpoints Dec 11, 2024
@j08lue
Copy link
Collaborator

j08lue commented Dec 17, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants