Collection permissions via HTTP headers

[GrzegorzPustulka]

Currently all user queries have access to all collections.

I propose a solution that will allow limiting user queries to specific collections. The list of collections will be passed through a proxy, which will pass the collection list via header based on the user's role in KC

Changes on the API side:

• Handling a new HTTP header containing a list of allowed collections (e.g., X-User-Permissions: ["collection1", "collection2", "collection3"])
• Implementation of query filtering logic to specific index aliases
• Adding an environment variable to enable/disable the functionality (e.g. ENABLE_COLLECTION_ACCESS_CONTROL)

System behavior:

1. When ENABLE_COLLECTION_ACCESS_CONTROL variable is disabled:

   • All queries work as before (full access)

2. When ENABLE_COLLECTION_ACCESS_CONTROL variable is enabled:

   • Missing header: no access to any collections
   • Empty header: no access to any collections
   • Header with list: access to the listed collections

[StijnCaerts]

We at VITO implemented role-based access control for collections as an extension of this project: https://github.com/VITObelgium/terra-stac-api.
For granting access, we directly use the access tokens issued by Keycloak and the roles defined in them.

Maybe we can integrate this authorization mechanism into this project if there is wider interest.

[MathewNWSH]

Sounds wonderful. Great idea, in my opinion. One step further toward establishing SFEOS as the most complete stac ecosystem out there.

Hope we will see such solution implemented.

CC:
@jonhealy1

[jonhealy1]

@StijnCaerts This would be a very nice addition.

[GrzegorzPustulka]

@jonhealy1 I understand that we should model it on @StijnCaerts's solution? On Wednesday, either I or my colleague can start working on this task