Photo and Drive Service (PDS) API supports two authentication modes. In addition to authentication based on access tokens, PDS API also supports authentication based on AccessKey pairs. You can sign an API request by using an AccessKey pair and send the signed request to call an API operation.
1. Sample request for calling an API operation by using an AccessKey pair
You can call all the API operations within the following endpoints by sending requests that are signed by using AccessKey pairs.
Endpoint | Description |
| The endpoint of resource-related API operations and authorization and authentication API operations. |
Sample request:
POST /v2/drive/list
Host: ${domainID}.api.aliyunpds.com
Authorization: acs ${ACCESS_KEY_ID}:${SIGNATURE}
Content-Type: application/json; charset=UTF-8
{
"owner": "xxxx"
}2. Sign a request by using an AccessKey pair
You can add the Authorization header to an HTTP request to include a signature in the request. This signature indicates that the request is authorized.
2.1 Signature calculation method
In the following example, the resource-oriented architecture (ROA) request style of Alibaba Cloud SDK is used. Make sure that Alibaba Cloud SDK is accessible.
Authorization = "acs " + AccessKeyId + ":" + Signature
Signature = base64(hmac-sha1(AccessKeySecret,
VERB + "\n"
+ Accept + "\n"
+ Content-MD5 + "\n"
+ Content-Type + "\n"
+ Date + "\n"
+ CanonicalizedHeaders
+ CanonicalizedResource))AccessKeySecret: the AccessKey secret that is used to sign the request.VERB: the method of the HTTP request. Set the value to POST.\n: the line feed.Accept: optional. If you specify this header, set the value toapplication/json.Content-MD5: the MD5 hash of the request content. You need to specify this header only if the request body is not empty. Calculate the MD5 hash of the request content that excludes headers to obtain a 128-bit number. Encode this number in Base64 to obtain the value of this header. This header can be used to check whether the received request content is the same as the request content that is sent. Example:eB5eJF1ptWaXm4bijSPyxw==. For more information, seeContent-MD5in Request for Comments (RFC) 2616.Content-Type: optional. This header specifies the type of the request content. Example:application/octet-stream.Date: required. This header specifies the time when the request was sent, in Greenwich Mean Time (GMT). Example:
Sun, 22 Nov 2015 08:16:38 GMT.CanonicalizedHeaders: the HTTP headers that are prefixed withx-acs-. The headers are arranged in alphabetical order.CanonicalizedResource: the PDS resources you want to access. TheDateheader and theCanonicalizedResourcestring are required. If the difference between the time specified by the Date header in the request and the time on the PDS server when the request is received is greater than 15 minutes, PDS rejects the request and returns the HTTP status code 403.
2.2 How to create a CanonicalizedHeaders string
A CanonicalizedHeaders string consists of all HTTP headers that are prefixed with x-acs-. To create a CanonicalizedResource string, perform the following steps:
Convert the names of all HTTP headers that are prefixed with
x-acs-to lowercase letters. For example, convertX-ACS-Meta-Name: TaoBaointox-acs-meta-name: TaoBao.If the request is sent by using an AccessKey pair provided by Security Token Service (STS), add the
security-tokenvalue to the CanonicalizedHeaders string in the format ofx-acs-security-token:security-token.Sort all the HTTP headers obtained in the previous step in alphabetical order.
Delete all spaces on each side of the delimiter between each header and value. For example, convert
x-acs-meta-name: TaoBaointox-acs-meta-name:TaoBao.Separate every two pairs of headers and their values with the delimiter
\nto obtain theCanonicalizedHeadersstring.
If the request does not contain HTTP headers that are prefixed with x-acs-, you can leave the CanonicalizedHeaders string empty. In this case, you do not need to add a tailing \n delimiter to the empty string. If the request contains one or more HTTP headers that are prefixed with x-acs-, you must add a tailing \n delimiter to the CanonicalizedHeaders string that you obtain. Examples: x-acs-meta-a\n and x-acs-meta-a:a\nx-acs-meta-b:b\nx-acs-meta-c:c\n.
2.3 How to create a CanonicalizedResource string
A CanonicalizedResource string specifies the PDS resource that you want to access. To create a CanonicalizedResource string, perform the following steps:
Set the
CanonicalizedResourcestring to an empty string "".Add the PDS resource that you want to access to the empty string. Example:
/v2/domain/list.
2.4 Signature calculation rules
The string-to-sign must be encoded in UTF-8. Use the UTF-8-encoded string-to-sign and an
AccessKeySecretto calculate the signature.Use the
HMAC-SHA1method defined in RFC 2104 to calculate the signature. In this method, theAccessKeySecretis used as the key.The
Accept,Content-Type, andContent-MD5headers are optional in a request. If these headers are empty in a request, replace them with line feeds (\n) when you calculate a signature for the request.Among all non-standard HTTP headers, only the headers that are prefixed with
x-acs-need to be added to the string-to-sign. Other non-standard HTTP headers are ignored.Headers prefixed with
x-acs-in the string-to-sign must comply with the following conventions:The header names are in lowercase.
The headers are sorted in alphabetical order.
No space exists before or after the colon (:) that separates each header name and value.
Each header is followed by a line feed (
\n). If the request does not contain headers that are prefixed with x-acs-, specify theCanonicalizedHeadersstring as an empty string without a tailing \n delimiter.
2.5 Troubleshooting
If you specify the
Acceptheader, verify that the value isapplication/json. Otherwise, the error400 Bad Requestis returned. The error code isInvalidHeader.Verify that the body length does not exceed 4 MB. If the body length exceeds 4 MB, the error
400 Bad Requestis returned. The error code isInvaliField.If the format of the
Authorizationheader is invalid, the error400 Bad Requestis returned. The error code isInvaliField.If the AccessKey ID starts with STS, verify that the
x-acs-security-tokenheader is set. Otherwise, the error403 Forbiddenis returned. The error code isInvalidHeader.If the
AccessKey IDdoes not exist or is in the Disabled state, the error403 Forbiddenis returned. The error code isInvalidParameter.If the
AccessKey IDis in the Enabled state, but PDS detects that the signature for the request is invalid, the error403 Forbiddenis returned. The error code isSignatureDoesNotMatch. The string-to-sign that is used to verify the signature is also returned in theresponse. You can check whether the signature string is correct based on the response.
3. Permission control
PDS API server uses Alibaba Cloud Resource Access Management (RAM) to verify permissions. You can configure permission policies for the AccessKey pair of the RAM user that you use in the RAM console.
The following table describes the action and resource that are verified for each API operation.
Operation | Action | Resource |
ListStores(/v2/domain/liststores) | pds:ListStores |
|
ListStoreFiles(/v2/storefile/list) | pds:ListStoreFiles |
|
CreateDrive(/v2/drive/create) | pds:CreateDrive |
|
ListDrives(/v2/drive/list) | pds:ListDrives |
|
GetDrive(/v2/drive/get) | pds:GetDrive |
|
UpdateDrive(/v2/drive/update) | pds:UpdateDrive |
|
DeleteDrive(/v2/drive/delete) | pds:DeleteDrive |
|
ListMyDrives(/v2/drive/list_my_drives) | pds:ListMyDrives |
|
ListMyShares(/v2/drive/list_my_shares) | pds:ListMyShares |
|
CreateUser(/v2/user/create) | pds:CreateUser |
|
GetUser(/v2/user/get) | pds:GetUser |
|
ListUsers(/v2/user/list) | pds:ListUser |
|
UpdateUser(/v2/user/update) | pds:UpdateUser |
|
DeleteUser(/v2/user/delete) | pds:DeleteUser |
|
SearchUser(/v2/user/search) | pds:SearchUser |
|
GetUserAccessToken(/v2/user/get_access_token) | pds:GetUserAccessToken |
|
CreateShare(/v2/share/create) | pds:CreateShare |
|
GetShare(/v2/share/get) | pds:GetShare |
|
ListShares(/v2/share/list) | pds:ListShares |
|
UpdateShare(/v2/share/update) | pds:UpdateShare |
|
CreateFile(/v2/file/create) | pds:CreateFile |
|
CreateFileWithSignature(/v2/file/create_with_signature) | pds:CreateFile |
|
ListFiles(/v2/file/list) | pds:ListFiles |
|
CompleteFile(/v2/file/complete) | pds:CreateFile |
|
CompleteFileWithStoreInfo(/v2/file/complete_with_store_info) | pds:CreateFile |
|
GetFileSignature(/v2/file/get_signature) | pds:GetFileSignature |
|
GetFileUploadUrl(/v2/file/get_upload_url) | pds:CreateFile |
|
GetFileDownloadUrl(/v2/file/get_download_url) | pds:GetFile |
|
DeleteFile(/v2/file/delete) | pds:DeleteFile |
|
CopyFile(/v2/file/copy) | pds:CopyFile |
|
MoveFile(/v2/file/move) | pds:MoveFile |
|
UpdateFile(/v2/file/update) | pds:UpdateFile |
|
GetFile(/v2/file/get) | pds:GetFile |
|
DownloadFile(/v2/file/get) | pds:GetFile |
|
BatchDeleteFile(/v2/file/batch_delete) | pds:DeleteFile |
|
GetAsyncTask(/v2/async_task/get) | pds:GetAsyncTask |
|
ListImageTags(/v2/image/list_tags) | pds:ListImageTags |
|
ListImageFaceGroups(/v2/image/list_facegroups) | pds:ListImageFaceGroups |
|
ListFaceGroupImages(/v2/image/list_facegroup_images) | pds:ListFaceGroupImages |
|
Batch(/v2/batch) | pds:Batch |
|