STAC Catalog Authorization¶
The EOCube.Ro STAC catalog enforces ownership- and visibility-based access control on every collection and item. Whether a request can read, create, update or delete an entity is decided from two fields carried by the entity itself, the identity of the caller, and the groups that caller belongs to.
This page describes the rules an application must follow when publishing, searching, updating, or deleting STAC entities. Follow them and your data will be visible and modifiable exactly as you intend; ignore them and entities may be rejected on write or silently hidden on read.
Who you are¶
Every authenticated request carries:
- a username (your identity), and
- the set of groups you belong to (group paths such as
eocube-users/uvt-users/team-a).
Requests may also be anonymous (no identity). Anonymous callers can only ever read, and only public entities.
A small number of accounts are administrators; they bypass the rules below and may read, write, and delete anything. Everything that follows describes the rules for ordinary (non-admin) accounts.
The two control fields¶
Every collection and item you publish must carry these two fields:
| Field | Type | Meaning |
|---|---|---|
eocube:owner |
string | The username that owns the entity. |
eocube:visibility |
array of strings | Grant tokens that decide who else may read or write the entity. |
Where to put them
- On items, both fields live under
properties(properties.eocube:owner,properties.eocube:visibility). - On collections, both fields live at the top level of the collection object.
eocube:visibility must be an array, even for a single grant
(["public"], not "public").
eocube:owner¶
- The owner always has full read, write, and delete access to the entity.
- On creation,
eocube:ownermust be set to your own username. You cannot create an entity owned by somebody else. - Only administrators may change the owner of an existing entity.
eocube:visibility¶
A list of grant tokens. Each token extends read or read+write access beyond the owner. The owner's own access does not depend on this list.
| Token | Grants |
|---|---|
public |
Read for everyone, including anonymous callers. Use for open data. |
private |
No additional access (owner-only). A no-op marker, equivalent to an empty list. |
group:ro:<group> |
Read for members of <group> and any of its sub-groups. |
group:rw:<group> |
Read and write for members of <group> and any of its sub-groups. |
user:ro:<username> |
Read for that user. Use user:ro:* for any authenticated user. |
user:rw:<username> |
Read and write for that user. Use user:rw:* for any authenticated user. |
Group prefix matching. A group grant applies to the named group and every
sub-group beneath it. For example group:rw:eocube-users grants write access
to a member of eocube-users/uvt-users/team-a, because eocube-users is an
ancestor of that user's group path.
Combining tokens. Tokens are additive; list as many as you need:
["public", "group:rw:eocube-users", "user:rw:ion.popescu"]
This entity is readable by anyone, and writable by members of eocube-users
(and its sub-groups) and by the user ion.popescu.
Visibility is required
There is no implicit default. An entity published without an
eocube:visibility array is visible and modifiable only by its owner —
it will not appear in anonymous or other users' searches. Always set
visibility explicitly (use ["public"] for open data, ["private"] for
owner-only).
Collection naming¶
When you create a collection, its id must be prefixed with your
username:
<your-username>-<name>
For example, user ion.popescu may create ion.popescu-my-aoi but not
my-aoi or someone-else-aoi. Collections whose id does not match this
pattern are rejected. (Items are not subject to a naming rule; they are scoped
by the collection they belong to.)
Rules per operation¶
Searching and reading¶
- An entity appears in your results only if you own it or its
eocube:visibilitygrants you read access — that is, it containspublic, agroup:ro:/group:rw:token for one of your groups (or an ancestor), auser:ro:/user:rw:token for your username, or a*wildcard. - Anonymous callers only ever see entities whose visibility contains
public. - Results are filtered, not refused: entities you are not allowed to see are simply omitted from search results and individual lookups behave as if they do not exist. A search never fails because some entities are private.
Creating (publishing)¶
When you publish a new collection or item:
- Set
eocube:ownerto your own username. A create whose owner is missing or is not you is rejected. - For collections, name the
idas<your-username>-<name>. - Set
eocube:visibilityto the access you intend (e.g.["public"],["private"], or a list of group/user grants).
You cannot publish an entity on behalf of another user, and visibility grants do not let you create entities inside another user's namespace.
Updating¶
- You may update an entity only if you own it or its
eocube:visibilitygrants you write access — agroup:rw:token for one of your groups, auser:rw:<you>token, oruser:rw:*. - Read-only grants do not allow updates. A
group:ro:/user:ro:token lets a user see the entity but not change it. - Preserve
eocube:owneron update — only administrators may reassign ownership.
Deleting¶
- Deletion follows the same rule as updating: you may delete an entity only
if you own it or you have a write grant on it
(
group:rw:,user:rw:<you>, oruser:rw:*). - A read grant never permits deletion.
- Anonymous callers cannot delete anything.
Checklist for publishers¶
- [ ] Every item and collection carries both
eocube:ownerandeocube:visibility. - [ ]
eocube:owneris your username. - [ ]
eocube:visibilityis an array of valid tokens. - [ ] Item fields are under
properties; collection fields are at the top level. - [ ] Collection ids are
<your-username>-<name>. - [ ] You publish open data with
["public"], private data with["private"], and shared data with the appropriategroup:rw:/user:rw:tokens.
Examples¶
Public item, owned by you (fields under properties):
{
"type": "Feature",
"id": "S2A_...",
"collection": "sentinel-2-l1c",
"properties": {
"eocube:owner": "ion.popescu",
"eocube:visibility": ["public"]
}
}
Private collection, owner-only:
{
"type": "Collection",
"id": "ion.popescu-experiments",
"eocube:owner": "ion.popescu",
"eocube:visibility": ["private"]
}
Item shared read+write with a team, readable by all:
{
"properties": {
"eocube:owner": "ion.popescu",
"eocube:visibility": ["public", "group:rw:eocube-users/uvt-users/team-a"]
}
}