From a3a94a144dea1e0fa5a4cbe9bd5e87b8a8ca14ad Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Thu, 22 Dec 2022 12:55:16 -0500 Subject: [PATCH] add config for thumbnail permissions --- README.md | 28 +++++++++++++++++++++------- serverless.example.yml | 3 +++ 2 files changed, 24 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 1ccabd76..c9e659a6 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # stac-server -![](https://github.com/stac-utils/stac-server/workflows/Push%20Event/badge.svg) +![push event badge](https://github.com/stac-utils/stac-server/workflows/Push%20Event/badge.svg) - [stac-server](#stac-server) - [Overview](#overview) @@ -9,6 +9,7 @@ - [0.4.x -\> 0.5.x](#04x---05x) - [Elasticsearch to OpenSearch Migration](#elasticsearch-to-opensearch-migration) - [Preferred Elasticsearch to OpenSearch Migration Process](#preferred-elasticsearch-to-opensearch-migration-process) + - [Granting Access for Thumbnails](#granting-access-for-thumbnails) - [0.3.x -\> 0.4.x](#03x---04x) - [Elasticsearch upgrade from 7.9 to 7.10](#elasticsearch-upgrade-from-79-to-710) - [Disable automatic index creation](#disable-automatic-index-creation) @@ -20,8 +21,8 @@ - [Create collection index](#create-collection-index) - [Enable OpenSearch fine-grained access control](#enable-opensearch-fine-grained-access-control) - [Configure OpenSearch for fine-grained access control](#configure-opensearch-for-fine-grained-access-control) - - [Option 1 - API method:](#option-1---api-method) - - [Option 2 - Dashboard method:](#option-2---dashboard-method) + - [Option 1 - API method](#option-1---api-method) + - [Option 2 - Dashboard method](#option-2---dashboard-method) - [Populating and accessing credentials](#populating-and-accessing-credentials) - [Proxying Stac-server through CloudFront](#proxying-stac-server-through-cloudfront) - [Locking down transaction endpoints](#locking-down-transaction-endpoints) 
@@ -243,6 +244,19 @@ Switch the DNS entry for the domain name to the API Gateway endpoint for the new Double-check that the `DeletionPolicy: Retain` is set on the old Stack for the Elasticsearch/OpenSearch resource, and then delete the old Stack. +#### Granting Access for Thumbnails + +The new experimental endpoint `/collections/{c_id}/items/{item_id}/thumbnail` will +redirect to a URL providing a thumbnail as determined by the assets in an item. If the +href for this is an AWS S3 ARN, IAM permissions must be granted for the API Lambda to +generate a pre-signed HTTP URL instead. For example: + +```yaml +- Effect: Allow + Action: s3:GetObject + Resource: 'arn:aws:s3:::usgs-landsat/*' +``` + ### 0.3.x -> 0.4.x Create a new deployment, copy the elasticsearch database, and rename indexes. @@ -401,7 +415,6 @@ There are some settings that should be reviewed and updated as needeed in the se | OPENSEARCH_CREDENTIALS_SECRET_ID | The AWS Secrets Manager secret to retrieve the username and password from, to authenticate to OpenSearch with if fine-grained access control is enabled. | | | COLLECTION_TO_INDEX_MAPPINGS | A JSON object representing collection id to index name mappings if they do not have the same names. | | - | ITEMS_INDICIES_NUM_OF_SHARDS | Configure the number of shards for the indices that contain Items. | none | | ITEMS_INDICIES_NUM_OF_REPLICAS | Configure the number of replicas for the indices that contain Items. | none | @@ -553,7 +566,7 @@ Redeploy the stack, and this will be updated without re-creating the cluster. The next step is to create the OpenSearch user and role to use for stac-server. This can either be done through the OpenSearch API or Dashboard. -##### Option 1 - API method: +##### Option 1 - API method This assumes the master username is `admin` and creats a user with the name `stac_server`. 
@@ -617,7 +630,7 @@ curl -X "PUT" "${HOST}/_plugins/_security/api/rolesmapping/stac_server_role" \ }' ``` -##### Option 2 - Dashboard method: +##### Option 2 - Dashboard method Login to the OpenSearch Dashboard with the master username (e.g. `admin`) and password. From the left sidebar menu, select "Security". Select "Internal users", and then "Create 
@@ -726,7 +739,8 @@ def lambda_handler(event, context): ### Locking down transaction endpoints -If you wanted to deploy STAC Server in a way which ensures certain endpoints have restricted access but others don't, you can deploy it into a VPC and add conditions that allow only certain IP addresses to access certain endpoints. Once you deploy STAC Server into a VPC, you can modify the Resource Policy of the API Gateway endpoint that gets deployed to restrict access to certain endpoints. Here is a hypothetical example. Assume that the account into which STAC Server is deployed is numbered 1234-5678-9123, the API ID is ab1c23def, and the region in which it is deployed is us-west-2. You might want to give the general public access to use any GET or POST endpoints with the API such as the "/search" endpoint, but lock down access to the transaction endpoints (see https://github.com/radiantearth/stac-api-spec/tree/master/ogcapi-features/extensions/transaction) to only allow certain IP addresses to access them. These IP addresses can be, for example: 94.61.192.106, 204.176.50.129, and 11.27.65.78. In order to do this, you can impose a condition on the API Gateway that only allows API transactions such as adding, updating, and deleting STAC items from the whitelisted endpoints. For example, here is a Resource Policy containing two statements that allow this to happen: +If you wanted to deploy STAC Server in a way which ensures certain endpoints have restricted access but others don't, you can deploy it into a VPC and add conditions that allow only certain IP addresses to access certain endpoints. Once you deploy STAC Server into a VPC, you can modify the Resource Policy of the API Gateway endpoint that gets deployed to restrict access to certain endpoints. Here is a hypothetical example. Assume that the account into which STAC Server is deployed is numbered 1234-5678-9123, the API ID is ab1c23def, and the region in which it is deployed is us-west-2. 
You might want to give the general public access to use any GET or POST endpoints with the API such as the "/search" endpoint, but lock down access to the transaction endpoints (see ) to only allow certain IP addresses to access them. These IP addresses can be, for example: 94.61.192.106, 204.176.50.129, and 11.27.65.78. In order to do this, you can impose a condition on the API Gateway that only allows API transactions such as adding, updating, and deleting STAC items from the whitelisted endpoints. For example, here is a Resource Policy containing two statements that allow this to happen: + ``` { "Version": "2012-10-17", diff --git a/serverless.example.yml b/serverless.example.yml index a34f9403..3f04d1ed 100644 --- a/serverless.example.yml +++ b/serverless.example.yml @@ -37,6 +37,9 @@ provider: - sqs:DeleteMessage Resource: Fn::GetAtt: [ingestQueue, Arn] + - Effect: Allow + Action: s3:GetObject + Resource: 'arn:aws:s3:::usgs-landsat/*' # - Effect: "Allow" # Action: "lambda:InvokeFunction" # Resource: "arn:aws:lambda:${aws:region}:${aws:accountId}:function:${self:service}-${self:provider.stage}-preHook"
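Review bot: the table-of-contents hunk at `@@ -9,6 +9,7 @@` files "Granting Access for Thumbnails" under the "0.4.x -> 0.5.x" migration section, next to the Elasticsearch to OpenSearch migration steps, but the IAM grant it describes is needed by any deployment that uses the thumbnail endpoint, not only by upgrades from 0.4.x. Consider moving the heading (and the matching `####` section) under the deployment or settings part of the README so a fresh deployer finds it.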
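Review bot: in the `@@ -243,6 +244,19 @@` hunk the example policy grants `s3:GetObject` on `'arn:aws:s3:::usgs-landsat/*'` without saying this is an example bucket that must be replaced. Because the API Lambda's own role signs the pre-signed URL, every object the `Resource` covers becomes readable by anyone who can call `/collections/{c_id}/items/{item_id}/thumbnail` for an item whose thumbnail asset points there, so the text should tell the deployer to substitute their own bucket and narrow the `Resource` to the prefix that actually holds thumbnails rather than the whole bucket.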
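Review bot: the `@@ -401,7 +415,6 @@` hunk removes a line inside the settings table (between the `COLLECTION_TO_INDEX_MAPPINGS` and `ITEMS_INDICIES_NUM_OF_SHARDS` rows) that has nothing to do with thumbnail permissions and is not mentioned in the commit message. Either note it in the message as a table fix or split it into its own commit so the change history stays traceable.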
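Review bot: in the `@@ -726,7 +739,8 @@` hunk the rewrapped paragraph now reads "lock down access to the transaction endpoints (see ) to only allow", so the reference that the removed `-` line carried, `https://github.com/radiantearth/stac-api-spec/tree/master/ogcapi-features/extensions/transaction`, is gone from the `+` line as shown. Restore the link (if it was wrapped in angle brackets, check that it survives rendering), since the sentence is meaningless without it.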
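Review bot: the `serverless.example.yml` hunk adds the `s3:GetObject` statement for `'arn:aws:s3:::usgs-landsat/*'` as a live, uncommented entry, so every stack deployed from the example inherits read access to a bucket that is unrelated to the deployer's own catalog. The adjacent `lambda:InvokeFunction` statement is kept commented out as a template; follow the same convention here, comment the block out with a pointer to the README's "Granting Access for Thumbnails" section, and make the bucket name an obvious placeholder the deployer must replace.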