This page collects the comments on the document "STAC Requirements for PRIP", downloadable from the following links:

...

Preliminary version that will be updated with detailed requirements regarding downloading of assets from S3 buckets.

...

Different solutions have been identified for storing and retrieving assets on S3 buckets. Those solutions are described in the following presentation:

Storing ZARR on S3 for STAC.pptx

A benchmark of those solutions has been performed. Results are provided in the following presentation:

Benchmark-Storing-and-downloading-EOPF-Products-on-S3-Buckets.pptx

Comments on the current version of the ICD can be added in the following table:

...

STAC-PRIP-ITEM-REQ-0050, page 21

...

The "unpublished" property would perhaps be semantically closer to the OData property EvictionDate than "expires".

...

No

...

Closed

...

What is the purpose of the Local Folder Name property here? In the case of an asset's href pointing to an individual group of measure or band of the Product, the local folder name is already included in the S3 URL as a prefix.

...

It is a convenient method offered to STAC clients to consistently name the assets they download without having to extract this value from the href field.

...

No

...

Closed

...

Requests to the STAC API require authentication via a bearer token. However, both the text and the architecture diagram in Section 3.1 suggest that requests to and downloads from the S3 store currently do not require authentication. The same applies to the command in 3.4.3.4 Downloading ZARR content (see comment below). Later in the document, the requirement "STAC-PRIP-API-REQ-330 – S3 API endpoint authentication" (page 27) indicates the need for an authentication mechanism.

To enhance security, an authentication mechanism should also be enforced for the S3 API. If a technical solution for such a mechanism is already planned, it should be explicitly documented and specified in CAP-TN-036-BE. Additionally, would it be feasible to use the same bearer token for both the STAC API and the S3 API to ensure consistency and simplify the implementation?

...

Added a note in the schema and an explanation in the related text to clarify that all requests sent to the STAC catalogue and S3 buckets shall be authenticated.

To my knowledge, cloud providers do not support bearer tokens for access to S3 buckets. Requirement STAC-PRIP-API-REQ-330 has been updated to specify consistent authorization between Catalog access and S3 Bucket access.

...

YES

...

Closed

...

The authentication procedure for the STAC API (retrieving, submitting, and verifying the bearer token) is missing from the use scenario, even though it constitutes an essential part of the workflow. The same applies to the authentication mechanism for the S3 API. 

...

A common ICD is foreseen to better describe how a service shall validate the bearer token and implement the expected authorization approach. 

...

NO

...

Closed

...

Automatic authentication token retrieval without manual interaction

Systematic downloaders must be able to automatically retrieve authentication tokens without requiring any manual interaction. A requirement should be added to address this need. Similarly, the authentication mechanism for the S3 API should also avoid manual interaction.

...

This shall be addressed by the common ICD related to the Centralized Authentication Service. 

Note that the Systematic Downloader use case is well supported by OIDC Client Credential Flow.

...

No

...

Closed

...

3.4.2 PRIP Client requirements, page 28

...

PRIP client authentication for S3 download

...

A requirement specifying the PRIP client authentication mechanism for S3 downloads, analogous to "STAC-PRIP-API-REQ-370 – PRIP Client authentication for STAC browsing," should be added to define the authentication procedure for the S3 API. Would it be feasible to use the same bearer token for both the STAC API and the S3 API to ensure consistency and simplify the implementation?

...

Added requirement STAC-PRIP-API-REQ-391

...

YES

...

Closed

...

3.4.3.4 Downloading ZARR content, page 37

...

Downloading procedure

...

The command does not include authentication against the S3 API. However, an authentication mechanism is needed as stated in one of the comments above and in "STAC-PRIP-API-REQ-330 – S3 API endpoint authentication". 

...

Added a note after the command to clarify that AWS CLI is assumed to be properly configured.

...

YES

...

Closed

...

3.4.3 Use case examples, page 30 ff.

...

Detailed examples for product search

...

It would be helpful for a client to have more examples for querying products, especially in terms of filtering (by name, geography, datetime), counting and paging through search results.

...

Added some details regarding fetching pages. For more specific and complex use cases, implementors are invited to read the STAC documentation available online.

...

YES

...

Closed

...

General

...

Quotas

...

The current PRIP is supposed to apply quotas to orders and downloads. If this is also a requirement for the STAC-based PRIP, a corresponding section should be added to the document.

...

Is it really necessary to implement such quotas for internal EOF services, assuming that credentials will be provided to well-known and trusted clients? To be discussed.

...

NO

...
