Plan deployment of STAC Auth Proxy with OPA integration

[j08lue]

We would like to deploy STAC Auth Proxy in front of the eoAPI-provided STAC API to enable the DLR Terrabyte platform to host user-private collections.

The policies linking users to resource filters should be stored in OPA, which generates the CQL2 expressions for STAC Auth Proxy to apply. https://developmentseed.org/stac-auth-proxy/user-guide/record-level-auth/#opa-filter

Target use case:

1. Calling /collections as an anonymous user, I get all public collections
2. Calling /collections as an authenticated user (i.e. with a bearer token), I get all public collections plus those associated with my workspace

Questions to answer:

1. Is all necessary functionality and configurability in place in STAC Auth Proxy to fulfil this use case?
2. What are the steps for a deployment in the EOEPCA develop cluster?

[achtsnits]

a working example from another cluster would be very helpful for me, so I can adapt it for our “record-level” decisions with the private collections

as discussed I would try routing GET /collections as well as POST /search to STAC Auth Proxy (keeping everything else as is for now) and then provide summary of findings/shortcomings/...

(related EOX efforts will be tracked in https://github.com/EOEPCA/roadmap/issues/459 so keep that ticket for DevSeed!)