
Drive and Photo Service: Terms

Last Updated: Dec 16, 2024

Basic terms

  • AliyunAccount or AliyunRAMUser: an Alibaba Cloud account or a RAM user. An Alibaba Cloud account or a RAM user can also be called a tenant in Drive and Photo Service (PDS).

  • Domain: A domain is a separate resource space that has an independent user system and can be independently accessed. Domains are identified by IDs.

  • SelfBuildApp: an application developed by the owner of a PDS domain. Users do not need to grant consent to a self-managed application when they perform operations on the application.

  • ThirdPartyApp & Consent: an application developed by a third party. When the application accesses PDS based on the Open Authorization (OAuth) 2.0 protocol, the application can access the data of a user only with the consent of the user.

  • Account: An account belongs to a domain and is the credential for logon used by a user. Accounts are required if you access PDS by adopting the user system provided by PDS or a third party, or if you use PDS official applications or applications provided by the PDS application store.

  • Group, User, and Role: PDS supports users, user groups, and roles in a domain. The following three roles are provided: superadmin, admin, and user.

  • Drive: a storage space in which files are stored.

  • Share: If you want other users to store a file, you can share the file with other users.

  • File and Folder: a file and a folder.

  • Recyclebin: If you no longer want to store a file, you can move the file to the recycle bin.

  • Revision: the file version.

Data storage modes

PDS provides two data storage modes for a domain. Currently, only the standard mode is supported.

Access identities

  • Access as an application: If an application accesses PDS, manual intervention is not required. For example, no backend service needs to be enabled, no backend process needs to be started, and no command line needs to be run. In this case, requests are initiated by the application.

  • Access as a user: If an account and consent are required for an application to access PDS, requests are initiated by the user corresponding to the account. This access identity is usually used on the client side, such as mobile phones and PCs.

Identity authentication

| Access identity | Authentication method | Description |
|---|---|---|
| Access as an application | JSON Web Token (JWT) encrypted signature | Coming soon |
| Access as an application | AccessKey pair | For more information about Resource Access Management (RAM) and Security Token Service (STS), see the corresponding documentation. |
| Access as a user | Account password | Account supported by PDS and the account password |
| Access as a user | OAuth 2.0 protocol | Standard OAuth 2.0 authentication protocol |

Application categories

1. Classified by application ownership

  • Self-managed applications: applications developed by the owner of a PDS domain. Users do not need to grant consent to self-managed applications when they perform operations on the applications.

  • Third-party applications: applications developed by a third party. When the applications access PDS based on OAuth 2.0, the applications can access the data of a user only with the consent of the user.

2. Classified by client type

When you use OAuth 2.0 for authentication, the security requirements for applications vary based on the client type. The applications can be classified into the following categories based on the client type:

  • Native applications: applications for mobile devices or PCs.

  • WebServer applications: applications for web servers.

  • WebBrowser applications: applications for web browsers.

3. Classified by identity

  • JWT applications: If an application accesses PDS, PDS supports two authentication methods: JWT encrypted signatures and Alibaba Cloud AccessKey pairs. If an Alibaba Cloud AccessKey pair is used, a JWT application must be created.

User system

If a user identity is used to access PDS, a user system must be specified. PDS supports multiple user systems and the combination of these user systems.

  • Self-managed user system: In such a user system, an account is developed and maintained by a tenant. Each account corresponds to a user and the information about each account is synchronized to PDS. PDS manages consent based on the users.

  • PDS user system: For such a user system, PDS supports account registration, account logon, and the association of the user system with a third-party user system. The PDS user system can be directly used.

  • Third-party user system: PDS supports the association of a user system with a third-party user system such as DingTalk or RAM. This way, you can use an account of a third-party user system to access PDS.