feat: retrieve tenant from collection for items and ingest endpoints #573

Open

botanical wants to merge 28 commits into develop from mt-uma/pep-items

@botanical (Member) commented Mar 13, 2026

Issue

#559
And to begin supporting #560

What?

  • This handles item operations, making a lookup on the collection object's tenant property to determine tenancy and then calling out to the PDP to ensure the user has permission to make that item request.
  • Extends PEP to ingest DELETE endpoint

Testing?

https://sit.openveda.cloud/api/ingest/docs
https://sit.openveda.cloud/api/stac/docs

| API | Test Case | Expected Result | Actual Result |
|---|---|---|---|
| STAC | User in tenant1 is able to update an item in tenant1 | Allow | |
| STAC | User in tenant1 is able to delete an item in tenant1 | Allow | ✅ |
| STAC | User in tenant2 attempt to delete item in tenant1 | Deny | ✅ |
| STAC | User in tenant1 attempts to patch an item in tenant2 | Deny | ✅ |
| STAC | User with no tenant memberships updates a public item | Allow | ✅ |
| Ingest | User is an Admin of Tenant 1 and tries to delete a tenant1 collection | Allow | |
| Ingest | User is an Editor of Tenant 1 and tries to delete a collection in tenant1 | Deny | |
| Ingest | User is an Editor of Tenant 2 and tries to delete a collection in tenant1 | Deny | |
| Ingest | User is an Admin of Tenant 2 and tries to delete a collection in tenant1 | Deny | |
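
The flow described under "What?", as an added sketch that is not code from this PR: the enforcement point resolves the tenant from the collection record, then asks a policy decision function, and the result can be checked against the rows of the test table. All names (`resolve_tenant`, `pdp_decide`, `enforce`, the action strings, the sample collections) and the role rules are assumptions made for the example; denying when the collection cannot be found is a choice of this sketch.

```python
# Added illustration; all names and rules are assumptions, not code from this PR.
from dataclasses import dataclass, field

# Constructed sample data: collection id -> tenant (None marks a public collection).
COLLECTIONS = {"t1-fires": "tenant1", "t2-floods": "tenant2", "public-dem": None}
# Role rules assumed from the test table: only a tenant admin may delete a collection.
ITEM_WRITE_ROLES = {"admin", "editor"}
COLLECTION_DELETE_ROLES = {"admin"}


@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)  # tenant -> role


class UnknownCollection(Exception):
    """The lookup found no collection, so tenancy cannot be established."""


def resolve_tenant(collection_id):
    """Read the owning tenant from the collection record (stands in for the DB query)."""
    if collection_id not in COLLECTIONS:
        raise UnknownCollection(collection_id)
    return COLLECTIONS[collection_id]


def pdp_decide(user, tenant, action):
    """Stand-in for the PDP call: 'Allow' or 'Deny' for this user, tenant and action."""
    if tenant is None:
        # The table allows writes to public items; deleting a public
        # collection is not covered there, so this sketch denies it.
        return "Allow" if action == "item:write" else "Deny"
    role = user.roles.get(tenant)
    allowed = COLLECTION_DELETE_ROLES if action == "collection:delete" else ITEM_WRITE_ROLES
    return "Allow" if role in allowed else "Deny"


def enforce(user, action, collection_id):
    """PEP step: resolve tenancy from the collection, then ask the PDP."""
    try:
        tenant = resolve_tenant(collection_id)
    except UnknownCollection:
        return "Deny"  # an unresolved collection is not treated as public
    return pdp_decide(user, tenant, action)
```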

@botanical botanical changed the title fix: wip retrieve tenant from collection proof of concept fix: wip retrieve tenant from collection for items proof of concept Mar 13, 2026
@smohiudd (Contributor) left a comment

collection_tenant_resolver and querying the db looks like a good way to get the tenant for items endpoints. No proposed changes from me.

@botanical botanical changed the title fix: wip retrieve tenant from collection for items proof of concept feat(stac): wip retrieve tenant from collection for items proof of concept Mar 19, 2026
)
creds = get_db_credentials(os.environ["DB_SECRET_ARN"])
try:
with PgstacDB(dsn=creds.dsn_string, debug=True) as db:
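
Review bot: `debug=True` on the `PgstacDB(...)` call looks like a leftover from the proof-of-concept stage. This connection serves the tenant lookup that the authorization check relies on, so I'd drop the flag or drive it from a setting that defaults to off. Separately, if this block runs on every item request, it is worth checking that `get_db_credentials(os.environ["DB_SECRET_ARN"])` is cached rather than fetched each time.
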
Member Author

I initially tried to use the collection loader / VEDALoader to get information on the collection, but because the tenancy field is non-standard, it didn't yield any results compared to directly querying like so (lines 49-50).

@botanical botanical changed the title feat(stac): wip retrieve tenant from collection for items proof of concept feat(stac): retrieve tenant from collection for items and ingest endpoints Mar 25, 2026
@botanical botanical changed the title feat(stac): retrieve tenant from collection for items and ingest endpoints feat: retrieve tenant from collection for items and ingest endpoints Mar 25, 2026
tenant = await _collection_tenant_for_item(request, collection_id)
if tenant:
return STAC_COLLECTION_TEMPLATE.format(tenant)
return _stac_collection_resource_id(request)
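
Review bot: `if tenant:` treats every falsy result from `_collection_tenant_for_item` the same way, so a collection with no tenant and a lookup that failed both take the `_stac_collection_resource_id(request)` fallback. If the resolver can return `None` on a lookup error, consider handling that case separately (log it or reject the request) so the authorization resource is not derived from request data only because the database read failed. A short comment on the fallback line saying when it is expected to fire would also help.
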
Contributor

Can probably remove this? Since without this, it will next land on line 153, which is returning the same?

Member Author

I think we need it because, otherwise, it wouldn't land on line 153 but it would land on the outermost return which would be None, and we want to make sure it falls back to get the collection resource ID using the request if it doesn't manage to resolve using the resolver (looking up in the DB in the case of DELETEs)



async def _extract_item_stac_resource_id(
request: Request, path: str, method: str
Contributor

is method being used?

Member Author

😯 good call out! Let me remove it

Comment thread common/auth/veda_auth/resource_extractors.py Outdated
@sandrahoang686 (Contributor) left a comment

code wise - lgtm!
