[DISCUSSION] Support Multiple Authenticated Tilers

[anayeaye]

Problem

An authenticated host-specific session token is required to stream COG data from some external hosts and the edl-credential-rotation service can be used to manage auth tokens in the tiler API's lambda environment. This only works for one data host at a time, however, and for VEDA we will need to render tiles from the VEDA account, LPDAAC-CLD, and ORNL-CLOUD.

Desired outcome

A single raster-api/titiler instance can be used to search the VEDA pgstac catalog that will direct map layer requests to one of three lambda titilers that have the appropriate AWS session credentials or token for a given collection.

Proposed solution

@abarciauskas-bgse and I discussed a possible 'switch' mechanism inside the delta-backend raster-api that could seamlessly choose the correct tiler host based on a passed data-host parameter. In this solution, an additional titiler lambda would be added for each additional data host (with corresponding credential rotation services) and the main raster-api/titiler would contains logic for switching between hosts for datasets that are not hosted in the delta-backend AWS account.

Implementation notes

• Use custom route dependencies to add a data host parameter in stac-fastapi. We have eoAPI and titler examples.
• A possible implementation might update the results of */register and */info endpoints to return the appropriate tiler url in the tiles link in the response object. This would make the client/user responsible for making a register or info request before creating a map layer.

# Links for veda-hosted tiles
...
"links": [
...
    {
      "rel": "tilejson",
      "type": "application/json",
      "href": "https://<main>-raster.delta-backend.xyz/mosaic/<searchId>/tilejson.json"
    }
  ]
# Links for a lpdaac hosted tiles
"links": [
   ...
    {
      "rel": "tilejson",
      "type": "application/json",
      "href": "https://<lpdaacDataHost>-raster.delta-backend.xyz/mosaic/<searchId>/tilejson.json"
    }
  ]

• The link solution above only works for map tiles, though--how would we switch users to the correct data-host tiler for statistics and other endpoints that require authenticated data access? Do we provide additional links in the info endpoints?

Assumptions

• STAC Collection attributes and delta-config dataset mdx can manage the logic of what data-host (VEDA/MCP, LPDAAC-CLD, or ORNL-CLOUD) is needed for the tiler.
• Delta-backend clients and users can supply data-host as a request parameter.

Known limitations

• Map layers cannot be composed of assets from different data-hosts.

@abarciauskas-bgse @vincentsarago @sharkinsspatial @alukach @leothomas do you think using a data-host custom request parameter to direct titiler requests to a lambda configured specifically for a given data host/provider is a viable solution to this problem? Do you have ideas/suggestions?

[anayeaye]

Just saw that this discussion is already happening in another ticket so I will probably close this issue.
REDIRECT HERE: #25 (comment)

[abarciauskas-bgse]

Yes sorry about that @anayeaye I just didn't want to forget what we discussed yesterday.

[anayeaye]

@abarciauskas-bgse it worked out well, I signed off without creating this yesterday with a bug in the delta-west raster-api and then this morning when I caught up on your thread @vincentsarago had shared the rasterio session solution I needed :)