Releases: NASA-IMPACT/veda-backend

v14.0.0-rc.16

25 Mar 17:28
7eaa5b3

v14.0.0-rc.16 Pre-release

v14.0.0-rc.16 (2026-03-25)

Features

  • Update to generate map links and render preview assets for all renders config assets, unit test (#572, 7eaa5b3)

Issue

#567

First AC => Thumbnail and map links generated for all COG assets in a collection's render configuration

Changes in PR:

  • adds unit tests for the _search_base method in stac_api/runtime/src/core.py file
  • tests pass ✅
  • updates _search_base method to generate Map Link Items for all render config assets (originally just dashboard)
  • updates _search_base method to generate render preview assets for all render config assets (originally just dashboard)


Current Test Outcome Generated:

```
{
  "type": "FeatureCollection",
  "features": [
    {
      "id": "test-item",
      "type": "Feature",
      "collection": "test-collection",
      "links": [
        {
          "title": "Map of Item for ndvi",
          "href": "https://fake-titiler.example.com/collections/test-collection/items/test-item/WebMercatorQuad/map?nodata=0&assets=ndvi",
          "rel": "preview",
          "type": "text/html"
        },
        {
          "title": "Map of Item for colorIR",
          "href": "https://fake-titiler.example.com/collections/test-collection/items/test-item/WebMercatorQuad/map?nodata=0&assets=colorIR&bidx=1&bidx=2&bidx=3&rescale=0%2C255",
          "rel": "preview",
          "type": "text/html"
        },
        {
          "title": "Map of Item for dashboard",
          "href": "https://fake-titiler.example.com/collections/test-collection/items/test-item/WebMercatorQuad/map?nodata=-9999&assets=burnRatio&rescale=-1%2C1",
          "rel": "preview",
          "type": "text/html"
        }
      ],
      "assets": {
        "rendered_preview_ndvi": {
          "title": "Rendered preview for ndvi",
          "href": "https://fake-titiler.example.com/collections/test-collection/items/test-item/preview.png?nodata=0&assets=ndvi",
          "rel": "preview",
          "roles": [
            "overview"
          ],
          "type": "image/png"
        },
        "rendered_preview_colorIR": {
          "title": "Rendered preview for colorIR",
          "href": "https://fake-titiler.example.com/collections/test-collection/items/test-item/preview.png?nodata=0&assets=colorIR&bidx=1&bidx=2&bidx=3&rescale=0%2C255",
          "rel": "preview",
          "roles": [
            "overview"
          ],
          "type": "image/png"
        },
        "rendered_preview_dashboard": {
          "title": "Rendered preview for dashboard",
          "href": "https://fake-titiler.example.com/collections/test-collection/items/test-item/preview.png?nodata=-9999&assets=burnRatio&rescale=-1%2C1",
          "rel": "preview",
          "roles": [
            "overview"
          ],
          "type": "image/png"
        }
      },
      "geometry": "None",
      "bbox": "None",
      "properties": {
        "datetime": "2021-01-01T00:00:00Z"
      },
      "stac_version": "1.0.0",
      "stac_extensions": []
    }
  ],
  "links": []
}
```

@smohiudd @anayeaye Can I get 👀 to see if this structure looks okay ^?


Detailed Changes: v14.0.0-rc.15...v14.0.0-rc.16

v14.0.0-rc.15

24 Mar 20:57
d9860fc

v14.0.0-rc.15 Pre-release

v14.0.0-rc.15 (2026-03-24)

Bug Fixes


Detailed Changes: v14.0.0-rc.14...v14.0.0-rc.15

v14.0.0-rc.14

24 Mar 19:23
1796ad4

v14.0.0-rc.14 Pre-release

v14.0.0-rc.14 (2026-03-24)

Bug Fixes

Co-authored-by: Vincent Sarago vincent.sarago@gmail.com


Detailed Changes: v14.0.0-rc.13...v14.0.0-rc.14

v14.0.0-rc.13

23 Mar 23:55
5f331f3

v14.0.0-rc.13 Pre-release

v14.0.0-rc.13 (2026-03-23)

Bug Fixes

  • Add bulk item endpoint tests (84583c2)

  • Add delete collections integration tests (a7f7bd1)

  • Add items integration tests (02246e5)

  • Formatting, remove unused imports now (97ced8a)

  • Item creation for tests (da1eb59)

  • Remove delete as a protected route (ba3ae5d)

  • Remove delete tests (afd185e)

  • Remove delete to handle in different pr (488e1fb)

  • Remove items and bulk items (732adc0)

  • Remove items and related tests in unit tests (7a87fba)

  • Remove post item (6cf9939)

  • Remove property setting on item, use copied object (802746b)

  • Remove remaining delete test (42e65c6)

  • Test setup (23282e0)

  • Update delete behavior to check stored tenant for source of truth (2760807)

  • Update unit tests with docstrings, start working on integration tests (51431cd)

Features

  • Add unit tests for testing get_matching_scope_and_route (0fa61b8)

  • stac: Add policy enforcement point to all create/update stac endpoints (#571, 5f331f3)

Issue

#559

What?

  • Updates to extend PEP to STAC endpoints for collections where the action is a create or update
  • This takes a very naive approach to apply the policy enforcement point by relying on the request body's tenant value to determine permissions

Testing?

  • Unit and Integration tests updated

| Test Case | Expected Result | Actual Result |
|--|--|--|
| User in tenant1 is able to update a collection in tenant1 | Allow | Allow |
| User in tenant1 and tenant2 is able to update a collection from tenant1 -> tenant2 | Allow | Allow |
| User in tenant1 and tenant2 and not tenant3 is not able to update a collection from tenant1 -> tenant3 | Deny | Deny |
| User in tenant1 only attempts to update a collection from tenant1 -> tenant2 | Deny | Deny |
| User in tenant2 only attempts to update a collection from tenant1 -> tenant2 | Allow | Allow |
| User in tenant1 and tenant2 and not tenant3 attempts to update a collection from tenant1 → tenant3 | Deny | Deny |
| User in tenant1 and tenant3 updates a collection from tenant1 -> tenant3 | Allow | Allow |
| User in tenant1 and tenant2 updates a collection from tenant2 -> tenant1 | Allow | Allow |
| User with no tenant memberships updates a public collection (public -> public) | Allow | Allow |
| User in tenant1 updates a public collection to tenant1 (public -> tenant1) | Allow | Allow |
| User in tenant1 attempts to update a collection in tenant1 to public (tenant1 -> public) | Allow | Allow |

https://sit.openveda.cloud/

  • stac: Add policy enforcement point to all stac endpoints (d1a4e19)

Detailed Changes: v14.0.0-rc.12...v14.0.0-rc.13
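
Added example (not code from veda-backend): a model of the rule stated in the v14.0.0-rc.13 notes, where only the tenant in the request body decides a create or update, checked against every row of the test table. The stricter variant, which also requires membership in the collection's stored tenant (the source of truth the notes name for delete), and all function names are assumptions made for illustration.

```python
from typing import Optional

Tenant = Optional[str]  # None models a public ("tenant-less") collection


def allow_body_only(user: set, stored: Tenant, requested: Tenant) -> bool:
    """Rule described in the notes: only the request body's tenant is checked."""
    return requested is None or requested in user


def allow_with_stored(user: set, stored: Tenant, requested: Tenant) -> bool:
    """Assumed stricter variant: the stored tenant must also be one of the user's."""
    return allow_body_only(user, stored, requested) and (
        stored is None or stored in user
    )


# (user's tenants, stored tenant, requested tenant, result reported in the table)
TABLE = [
    ({"tenant1"}, "tenant1", "tenant1", "Allow"),
    ({"tenant1", "tenant2"}, "tenant1", "tenant2", "Allow"),
    ({"tenant1", "tenant2"}, "tenant1", "tenant3", "Deny"),
    ({"tenant1"}, "tenant1", "tenant2", "Deny"),
    ({"tenant2"}, "tenant1", "tenant2", "Allow"),
    ({"tenant1", "tenant2"}, "tenant1", "tenant3", "Deny"),
    ({"tenant1", "tenant3"}, "tenant1", "tenant3", "Allow"),
    ({"tenant1", "tenant2"}, "tenant2", "tenant1", "Allow"),
    (set(), None, None, "Allow"),
    ({"tenant1"}, None, "tenant1", "Allow"),
    ({"tenant1"}, "tenant1", None, "Allow"),
]


def mismatches(rule) -> list:
    """1-based table rows where the rule's verdict differs from the reported one."""
    out = []
    for row, (user, stored, requested, reported) in enumerate(TABLE, 1):
        verdict = "Allow" if rule(user, stored, requested) else "Deny"
        if verdict != reported:
            out.append(row)
    return out


if __name__ == "__main__":
    print("body-only rule differs from table on rows:", mismatches(allow_body_only))
    print("stored-tenant rule differs from table on rows:", mismatches(allow_with_stored))
```

The body-only rule reproduces all eleven rows; the stored-tenant variant differs only on row 5, the tenant2-only user moving a collection out of tenant1.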

v14.0.0-rc.12

09 Mar 17:38
1f45cb4

v14.0.0-rc.12 Pre-release

v14.0.0-rc.12 (2026-03-09)

Bug Fixes

  • Add back arg comment (e360ced)

  • Add case to handle nonexistent tenant (b2380c2)

  • Add debugging (0629819)

  • Add logging to conftest to debug (480d5bb)

  • Add path to error message, and add error message function for pep middleware (5c0b8c1)

  • Add pep middleware to ingest api, delete old middleware file in stac api (c64d035)

  • Add prefix to keycloak secret env var (bb514b4)

  • Add root path to pep int tests (e4f0113)

  • Attempt to fix mutable mapping incompatible type issue (cd79d46)

  • Attempt to fix tests (9b033e0)

  • Attempt to fix tests, and enable transactions on pep int tests (266818c)

  • Attempt to resolve dependencies (9e5a724)

  • Catch invalid token case and throw helpful error (b0a0342)

  • Clear cache and reload config and app to properly register endpoint (aaf029a)

  • Create new error for permission denied (2176ff9)

  • Env vars for lambda (283f9ab)

  • Fix tests (de6693a)

  • Formatting (82fe411)

  • Formatting (733d7ca)

  • Formatting (bec19a6)

  • Formatting, remove unused variable (a8a9a55)

  • Import common auth in dockerfile (9d08bef)

  • Linting (e7c004f)

  • Linting and generalize regexes to use in pep middleware (a17407f)

  • Move parse_keycloak_from_openid_url to common/auth package to reuse (66d464b)

  • Move pep middleware to common auth so it's reusable (38bc05f)

  • Remove return type on check_permission (31c8873)

  • Spacing, move import (243a793)

  • Update error message, and also update keycloak client to check rsname (e4c4a9d)

  • Update ingest api to read keycloak secret from ARN or name (01382e2)

  • Update ingest api to read keycloak secret from ARN or name (#570, b31a77f)

Issue

Related to NASA-IMPACT/veda-keycloak#207

What?

  • Updates to use ARN or secret name for cross account support for keycloak

  • Update readme (6721ff0)

  • Update tests (afdc19a)

  • Update to use keycloak secret instead (605a881)

Features

  • Add integration tests for proof of concept (3fa37e1)

  • Add pep middleware to stac api (2d96128)

  • Create policy enforcement point for stac api (921095c)

  • stac: Policy enforcement point proof of concept (#569, 1f45cb4)

Issue

#557 #558

What?

  • Creates proof of concept Policy Enforcement Point on STAC and Ingest API's POST /collections endpoints
  • Handles writes for tenantless collections for users who are developers but do not belong to any tenant group

Testing?

| API | Test Case | Expected Result | Actual Result |
|--|--|--|--|
| STAC | User is an Admin of Tenant 1 | Can POST to tenant1 | ✅ |
| STAC | User is an Editor of Tenant 1 | Can POST to tenant1 | ✅ |
| STAC | User is NOT an Admin of Tenant 1, and NOT an editor | Can't POST to tenant1 | ✅ |
| Ingest | User is an Admin of Tenant 1 | Can POST to tenant1 | ✅ |
| Ingest | User is an Editor of Tenant 1 | Can POST to tenant1 | ✅ |
| Ingest | User is NOT an Admin of Tenant 1, and NOT an editor | Can't POST to tenant1 | ✅ |
| STAC | User is an Admin of Tenant 2 | Can POST to tenant2 | ✅ |
| STAC | User is an Editor of Tenant 2 | Can POST to tenant2 | ✅ |
| STAC | User is NOT an Admin of Tenant 2, and NOT an editor of Tenant 2 | Can't POST to tenant2 | ✅ |
| Ingest | User is an Admin of Tenant 2 | Can POST to tenant2 | ✅ |
| Ingest | User is an Editor of Tenant 2 | Can POST to tenant2 | ✅ |
| Ingest | User is NOT an Admin of Tenant 2, and NOT an editor of Tenant 2 | Can't POST to tenant2 | ✅ |
| STAC | User is an Admin of Tenant 3 | Can POST to tenant3 | ✅ |
| STAC | User is an Editor of Tenant 3 | Can POST to tenant3 | ✅ |
| STAC | User is NOT an Admin of Tenant 3, and NOT an editor of Tenant 3 | Can't POST to tenant3 | ✅ |
| Ingest | User is an Admin of Tenant 3 | Can POST to tenant3 | ✅ |
| Ingest | User is an Editor of Tenant 3 | Can POST to tenant3 | ✅ |
| Ingest | User is NOT an Admin of Tenant 3, and NOT an editor of Tenant 3 | Can't POST to tenant3 | ✅ |
| STAC | User is NOT a part of any tenancy but is a developer | Can post a public "tenant-less" collection | ✅ |
| Ingest | User is NOT a part of any tenancy but is a developer | Can post a public "tenant-less" collection | ✅ |


Detailed Changes: v14.0.0-rc.11...v14.0.0-rc.12

v.14.0.0-rc.12

05 Mar 21:02
b31a77f

What's Changed

  • fix: update ingest api to read keycloak secret from ARN or name by @botanical in #570

Full Changelog: v14.0.0-rc.11...v.14.0.0-rc.12

v14.0.0-rc.11

11 Feb 18:36
1c659ad

v14.0.0-rc.11 Pre-release

v14.0.0-rc.11 (2026-02-11)

Bug Fixes

  • Add auth unit tests to pr.yml (e80c79f)

  • Add resource extractor for post collections via transactions endpoint, update readme and tests (36772bf)

  • Refactor extract_stac_resource_id (9bbb583)

  • Remove properties extraction, remove test (1e2d0c2)

  • Update based on feedback, use template strings, update to throw error (5547d91)

Features

  • Add ingest extraction function and tests (8151265)

  • Create resource extractors for permission ticket building (39d3f1d)

  • Create resource extractors for RPT (requesting party token) (#566, 1c659ad)

Issue

#556

What?/Why?

This PR adds resource extractor functions that parse HTTP requests to extract resource ids and scopes that are needed for Keycloak's RPT endpoint.

In order to create a permission ticket or request an RPT from keycloak, we need

  • resource id (needs to follow convention defined in our keycloak config)
  • scope (action being performed)

Additional Context, from https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

```
Example of an authorization request when a client is seeking access to two resources protected by a resource server.

curl -X POST \
  http://${host}:${port}/realms/${realm-name}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience={resource_server_client_id}" \
  --data "permission=Resource A#Scope A" \
  --data "permission=Resource B#Scope B"
```

Testing?

  • Unit tests - I will add integration tests when we create the actual policy enforcement point middleware that will use these functions

You can also test this yourself trying different permission permutations. A successful request looks like:

```
curl -X POST \
  https://[HOST]/realms/veda/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
  -d 'audience=uma-resource-server' \
  -d 'client_id=uma-resource-server' \
  -d 'client_secret=[redacted]' \
  -d 'permission=stac:collection:faketenant1:*#create' \
  -H "Authorization: Bearer TOKEN"
{"upgraded":false,"access_token":"redacted","token_type":"Bearer","not-before-policy":0}%
```

And one where you are not authorized because you either aren't in a Tenancy group or don't have sufficient permissions (determined by your role) in a tenancy, will yield

{"error":"access_denied","error_description":"not_authorized"}%


Detailed Changes: v14.0.0-rc.10...v14.0.0-rc.11

v14.0.0-rc.10

23 Jan 18:16
1e8b19f

v14.0.0-rc.10 Pre-release

v14.0.0-rc.10 (2026-01-23)

Bug Fixes

  • Add debugging to pr.yml test step (8ebd647)

  • Add debugging to stac api step (b8bb796)

  • Add error handling for getting keycloak secret (de22e08)

  • Attempt to make less complex (c265ec4)

  • Final docs updates (e014cf4)

  • Grant permission to get keycloak secret (a8df729)

  • Make function less complex (03f49a5)

  • Modify output based on feedback (a46fd48)

  • Remove fallback (1539f6f)

  • Revert debugging in pr.yml (a9a1c82)

  • Revert docker veda.stac logging and install veda_auth for ingest api step (0db0c7d)

  • Try waiting for oidc to be ready (3968802)

  • Update credential variables to retrieve (0dddbbc)

  • Update default resource server secret name and simplify try catch based on feedback (78600b7)

  • Update keycloak client credentials function to use secret name instead of arn (c72d104)

  • Update lambda to grant read access to keycloak secret (29e7f4b)

  • Update to retrieve keycloak client creds from secret (fb355cd)

  • Update to use kms key, add to example.env (8d6f610)

  • Update to use secret name instead of arn (7a7c71c)

Features

  • Add list tenants with create/update scopes endpoint (860f666)

  • Add list tenants with create/update scopes endpoint (#555, 1e8b19f)

Issue

#521

What?/ Why?

Keycloak Client & Tenant Access Endpoint

  • KeycloakPDPClient which contains functions:
  • get_rpt to request the requesting party token from keycloak
  • check_permission which checks to see if a user has a permission granted for a resource and scope
  • get_tenants_with_create_update_access which gets a list of tenants the user has create and update access to
  • base64 padding helper function (this is needed because the decode function requires proper padding or it will raise an error)
  • JWT permission extraction functions
  • /auth/tenants/writeable endpoint added to Ingest API
  • Ingest API config updated to include resource server client ID and secret env vars

Testing?

  • updated SIT envs to have VEDA_KEYCLOAK_UMA_RESOURCE_SERVER_CLIENT_SECRET_NAME and VEDA_KEYCLOAK_SECRET_KMS_KEY_ARN
  • Deployed to sit https://sit.openveda.cloud/api/ingest/docs#/Auth/get_writable_tenant_access_auth_tenants_writable_get


Detailed Changes: v14.0.0-rc.9...v14.0.0-rc.10
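
Added example (not code from veda-backend): a sketch of the base64 padding helper, JWT permission extraction and permission check listed in the v14.0.0-rc.10 notes, run on the kind of RPT the uma-ticket request in the v14.0.0-rc.11 notes returns. All function signatures, the constructed sample token, and the assumption that resource names follow the `stac:collection:<tenant>:*` pattern seen in that request are illustrative.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment. JWTs strip '=' padding, which the decoder requires."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def rpt_permissions(rpt: str) -> list:
    """Return the authorization.permissions claim of an RPT.

    Claims are read without verifying the signature: use only on a token
    received directly from the token endpoint, or verify it first.
    """
    parts = rpt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(b64url_decode(parts[1]))
    return claims.get("authorization", {}).get("permissions", [])


def check_permission(rpt: str, rsname: str, scope: str) -> bool:
    """True if the RPT grants `scope` on the resource named `rsname`."""
    return any(p.get("rsname") == rsname and scope in p.get("scopes", [])
               for p in rpt_permissions(rpt))


def writable_tenants(rpt: str) -> list:
    """Tenants granted both create and update (assumed rsname pattern)."""
    tenants = set()
    for p in rpt_permissions(rpt):
        f = p.get("rsname", "").split(":")
        if (len(f) == 4 and f[:2] == ["stac", "collection"] and f[3] == "*"
                and {"create", "update"} <= set(p.get("scopes", []))):
            tenants.add(f[2])
    return sorted(tenants)


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real RPT)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"none"}'), enc(json.dumps(claims).encode()), enc(b"sig")])


SAMPLE_RPT = make_sample_token({"authorization": {"permissions": [
    {"rsid": "r1", "rsname": "stac:collection:faketenant1:*", "scopes": ["create", "update"]},
    {"rsid": "r2", "rsname": "stac:collection:faketenant2:*", "scopes": ["create"]},
]}})
```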

v14.0.0-rc.9

14 Jan 20:29
5ccb436

v14.0.0-rc.9 Pre-release

v14.0.0-rc.9 (2026-01-14)

Bug Fixes

Chores

  • Upgrade stac-auth-proxy to v0.11.1 (82eae61)

  • Upgrade stac-auth-proxy to v0.11.1 (#565, 5ccb436)

What?

This upgrades stac auth proxy to a version that contains enhanced type safety developmentseed/stac-auth-proxy#125

Why?

When we were testing migrating EIC staging data, we had a couple collections that failed to migrate due to invalid fields NASA-IMPACT/veda-architecture#688


Detailed Changes: v14.0.0-rc.8...v14.0.0-rc.9

v14.0.0-rc.8

13 Jan 22:55
fef8608

v14.0.0-rc.8 Pre-release

v14.0.0-rc.8 (2026-01-13)

Bug Fixes

  • Update docs to mention migration (9a62cd5)

Features

  • Add multi-tenancy documentation (960f534)

  • stac-api: Multi-tenancy and migration documentation (#564, fef8608)

Issue

#544

What?

Documentation for enabling multi-tenancy and migrating data


Detailed Changes: v14.0.0-rc.7...v14.0.0-rc.8