Accessing a Real-Time Service (Application Authentication)
You can enable application authentication when deploying a real-time service. ModelArts registers an API that supports application authentication for the service. After this API is authorized to an application, you can call this API using the AppKey/AppSecret or AppCode of the application.
The process of application authentication for a real-time service is as follows:
- Enabling Application Authentication: Enable application authentication and create an application.
- Managing Authorization of Real-Time Services: Manage the created application, including viewing, resetting, or deleting the application, binding or unbinding real-time services for the application, and obtaining the AppKey/AppSecret or AppCode.
- Application Authentication: Authentication is required for calling an API that supports application authentication. Two authentication modes are provided. You can select either of them.
- Preparing Environment (Python): After application authentication is complete, prepare the calling environment to call the API.
- API Calling Example: Use the authorized application information to call this API for prediction.
Prerequisites
- A ModelArts model in the Normal state is available.
- The account is not in arrears to ensure available resources for service running.
Enabling Application Authentication
When deploying a model as a real-time service, you can enable application authentication. You can also modify a deployed real-time service to support application authentication.
- Log in to the ModelArts management console and choose Service Deployment > Real-Time Services.
- Enable application authentication.
- When deploying a model as a real-time service, configure the required parameters and enable application authentication on the Deploy page.
- For a deployed real-time service, go to the Real-Time Services page, and click Modify in the Operation column of the service. On the service modification page that is displayed, enable application authentication.
Figure 1 Enabling application authentication
- Select an application for authorization from the drop-down list. If no application is available, create one as follows:
- Click Create Application on the right, enter the application name and description, and click OK. By default, the application name starts with app_. You can change the application name.
- On the Real-Time Services page, click Authorize. On the Manage Authorization of Real-Time Services page, click Create Application. For details, see Managing Authorization of Real-Time Services.
- After enabling application authentication, authorize a service that supports application authentication to the application. Then, you can use the generated AppKey/AppSecret or AppCode to call the service's API that supports application authentication.
Managing Authorization of Real-Time Services
If you want to use application authentication, it is a good practice to create an application on the authorization management page before deploying a real-time service. On the Real-Time Services page, click Authorize. The Manage Authorization of Real-Time Services page is displayed. On this page, you can create and manage applications, including viewing, resetting, and deleting applications, unbinding real-time services from applications, and obtaining the AppKeys/AppSecrets or AppCodes.
- Creating an application
Click Create Application, enter the application name and description, and click OK. By default, the application name starts with app_. You can change the application name.
- Viewing, resetting, or deleting an application
View, reset, or delete an application by clicking the corresponding icon in the Operation column of the application. After an application is created, the AppKey and AppSecret are automatically generated for application authentication.
- Unbinding a service
In front of the target application name, click to view the real-time services bound to the application. Click Unbind in the Operation column to cancel the binding. Then, this API cannot be called.
- Obtaining the AppKey/AppSecret or AppCode
Application authentication is required for API calling. The AppKey and AppSecret are automatically generated during application creation. The AppCode is automatically generated by adding an application.
Figure 3 Adding the AppCode
Application Authentication
When a real-time service that supports application authentication is in the Running state, the service's API can be called. Before calling the API, perform application authentication.
Requests for calling an API that supports application authentication can be authenticated using either AppKey/AppSecret-based authentication or AppCode-based authentication. AppKey/AppSecret-based authentication is recommended because it is more secure than AppCode-based authentication.
- AppCode-based authentication: Requests are authenticated using AppCodes.
- AppKey/AppSecret-based authentication: The AppKey (application access key ID) and AppSecret (application secret access key) are used to sign a request, which identifies the sender and prevents the request from being modified.
AppCode-based authentication
When application authentication is used and the simple authentication mode is enabled, you can use the AppKey/AppSecret for signature and verification, or AppCode for simple authentication of API requests. By default, AppCode-based authentication is enabled for ModelArts.
In AppCode-based authentication, the X-Apig-AppCode parameter (value: AppCode) is added to the HTTP request header when an API is called. The request content does not need to be signed. The API gateway only verifies the AppCode and does not verify the request signature, achieving quick response. The sample code is as follows:
    GET https://iam.cn-north-1.myhuaweicloud.com/v3/auth/projects
    Content-Type: application/json
    X-Apig-AppCode: ABCDEFJ....
If an application does not support AppCodes, AppKeys can be used for simple authentication. That is, when an API is called, the apikey parameter (value: AppKey) can be added to the HTTP request header to accelerate authentication.
AppKey/AppSecret-based authentication
In AppKey/AppSecret-based authentication, the AppKey and AppSecret of an application are used for signature authentication.
- AppKey: access key ID of the application, which is a unique identifier used together with a secret access key to sign requests cryptographically.
- AppSecret: secret access key used together with an AppKey to sign requests. The AppKey and AppSecret can be used together to identify a request sender to prevent the request from being modified.
When using AppKey/AppSecret-based authentication, use a dedicated signing SDK to sign requests.
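The tamper-detection property described above, as an added example that is not part of the original page and is not the apig_sdk code. It uses a simplified HMAC-SHA256 scheme (the canonical string and the Authorization layout are assumptions for illustration, not the API gateway's actual algorithm) to show that a signed request is rejected when its body or a signed header changes, while a request sent with x-sdk-content-sha256 set to UNSIGNED-PAYLOAD still verifies after its body is replaced.

```python
import hashlib
import hmac

APP_KEY = "example-app-key"         # constructed sample value
APP_SECRET = b"example-app-secret"  # constructed sample value

def canonical_string(method, path, headers, body, signed_headers):
    """String that is signed: method, path, the signed headers, and a body hash."""
    declared = headers.get("x-sdk-content-sha256")
    # UNSIGNED-PAYLOAD puts a constant where the body hash goes: the body is not covered.
    body_hash = declared if declared == "UNSIGNED-PAYLOAD" else hashlib.sha256(body).hexdigest()
    lines = [f"{name}:{headers.get(name, '')}" for name in signed_headers]
    return "\n".join([method.upper(), path, *lines, ";".join(signed_headers), body_hash])

def _mac(secret, text):
    return hmac.new(secret, text.encode(), hashlib.sha256).hexdigest()

def sign(method, path, headers, body, secret=APP_SECRET):
    """Client side: add an Authorization header (simplified, hypothetical format)."""
    names = sorted(headers)
    mac = _mac(secret, canonical_string(method, path, headers, body, names))
    auth = f"Access={APP_KEY}, SignedHeaders={';'.join(names)}, Signature={mac}"
    return {**headers, "authorization": auth}

def verify(method, path, headers, body, secret=APP_SECRET):
    """Gateway side: recompute the HMAC over the received request and compare."""
    fields = dict(part.split("=", 1) for part in headers["authorization"].split(", "))
    names = fields["SignedHeaders"].split(";")
    expected = _mac(secret, canonical_string(method, path, headers, body, names))
    return hmac.compare_digest(expected, fields["Signature"])

def demo():
    path = "/v1/infers/exampleServiceId"
    base = {"x-stage": "RELEASE", "x-sdk-date": "20240101T000000Z"}  # constructed
    body = b'{"xxx":"xxx"}'
    signed = sign("POST", path, base, body)
    unsigned = sign("POST", path, {**base, "x-sdk-content-sha256": "UNSIGNED-PAYLOAD"}, body)
    return {
        "untouched": verify("POST", path, signed, body),
        "body_tampered": verify("POST", path, signed, b'{"xxx":"yyy"}'),
        "header_tampered": verify("POST", path, {**signed, "x-stage": "TEST"}, body),
        "wrong_secret": verify("POST", path, signed, body, secret=b"guess"),
        "unsigned_payload_body_swapped": verify("POST", path, unsigned, b"other"),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

An AppCode, by contrast, is a static header value that is independent of the request content, so it offers none of these checks.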
Preparing Environment (Python)
After application authentication is complete, you can prepare the calling environment to call the API. This section uses Python as an example to describe how to use the SDK. For details about how to download and use the SDK in other languages, see the API Gateway Developer Guide.
- Obtain the API address, request method, AppKey, and AppSecret. For details, see Application Authentication.
- Obtain the Python installation package (version 2.7.9 or 3.X) from the Python official website and install it. After Python is installed, you can run the pip install requests command to install the requests library using the Python package manager pip.
If a certificate error occurs when you use pip to install the requests library, download and execute the file using Python to upgrade pip. Then run the preceding command to install the library.
- Obtain IntelliJ IDEA from the IntelliJ IDEA official website and install it. Install the Python plug-in on IntelliJ IDEA. See Figure 5.
- Download the ApiGateway-python-sdk.zip. The following table describes the directory structure of the decompressed package.
Table 1 Directory structure of the decompressed package

| Name | Description |
| --- | --- |
| apig_sdk\__init__.py | SDK code |
| apig_sdk\signer.py | SDK code |
| main.py | Sample code |
| backend_signature.py | Sample code for the backend signature |
| licenses\license-requests | Third-party library license file |
- Create a project.
- Open IDEA and choose File > New > Project. On the displayed New Project page, select Python and click Next.
Figure 6 Creating a project
- Click Next. The following page is displayed. Click ..., select the path for the decompressed SDK package, and click Finish.
Figure 7 Selecting the SDK path after decompression
- After the project is created, the directory structure is shown in the following figure. main.py is sample code. Modify the parameters to suit your requirements before use. For details about the sample code, see API Calling Example.
Figure 8 Directory structure of a new project
API Calling Example
- Add apig_sdk to the project.
    from apig_sdk import signer
    import requests
- Generate a new signer and enter the AppKey and AppSecret. For details about how to obtain the AppKey and AppSecret, see Application Authentication.
    sig = signer.Signer()
    sig.Key = "4f5f626b-073f-402f-a1e0-e52171c6100c"
    sig.Secret = "******"
- Generate a request object and specify the method, request URI, header, and body.
    r = signer.HttpRequest(method, uri, header, body)
Table 2 HttpRequest parameters

| Parameter | Sub-Parameter | Mandatory | Description |
| --- | --- | --- | --- |
| method | N/A | Yes | The value can be GET, POST, PUT, or DELETE. |
| uri | N/A | Yes | Enter the API URI of the real-time service. For details about how to obtain the URI, see Application Authentication. |
| header | x-stage | Yes | API release environment, which can only be RELEASE. |
| header | Content-Type | No | Content type, which can only be application/json. For details about the multipart/form-data request body, see Table 3. |
| header | x-sdk-content-sha256 | No | Signature mode. This parameter can be set to UNSIGNED-PAYLOAD, indicating that signature authentication is not performed on the request body. This parameter is mandatory when the body is input as a file. |
| body | N/A | No | The JSON format is supported, for example, "{\"xxx\":\"xxx\"}". |
- If the request body is in JSON format:
    r = signer.HttpRequest("POST", "https://1684994b180244de9d141c00d3e52c73.apig.exampleRegion.huaweicloudapis.com/v1/infers/exampleServiceId", {"x-stage": "RELEASE", "Content-Type": "application/json"}, "{\"xxx\":\"xxx\"}")
- If the request body is input as an image, construct the request body in multipart/form-data format.
Request body format: files = {"Request parameter": ("Load path", File content, "File type", Request header)}
Table 3 files parameters

| Parameter | Description |
| --- | --- |
| Request parameter | Enter the parameter name of the real-time service. |
| Load path | Path in which the file is stored. |
| File content | Content of the file to be uploaded. |
| File type | Type of the file to be uploaded, which can be one of the following options: txt: text/plain; jpg/jpeg: image/jpeg; png: image/png |
| Request header | You are advised to set this parameter to {}. The request header is specified by header in HttpRequest. |
If the input parameter of the real-time service you access is images and the parameter type is file, the request example is as follows:
Figure 9 Accessing a real-time service
    r = signer.HttpRequest("POST", "https://63fb035aeef34368880448a94cb7f440.apig.cn-north-4.huaweicloudapis.com/v1/infers/76c41384-23ab-45f9-a66e-892e7bc2be53", {"x-stage": "RELEASE", "x-sdk-content-sha256": "UNSIGNED-PAYLOAD"})
    files = {"images": ("flower.png", open("flower.png", "rb"), "image/png", {})}
- Execute the following function to add the X-Sdk-Date header and Authorization header used for signature to the request:
    sig.Sign(r)
- Call the API and check the result.
    resp = requests.request(method, url, headers=headers, data=data, files=files)
Table 4 Request parameters

| Parameter | Description |
| --- | --- |
| method | Request method of the signed request object. |
| url | Request URL of the signed request object. |
| headers | Headers of the signed request object. |
| data | Body of the request object, which can only be in JSON format. |
| files | Request body in multipart/form-data format. |
- If the request body is in JSON format:
    resp = requests.request(r.method, r.scheme + "://" + r.host + r.uri, headers=r.headers, data=r.body)
    print(resp.status_code, resp.reason)
    print(resp.content)
- If the request body is input as an image:
    resp = requests.request(r.method, r.scheme + "://" + r.host + r.uri, headers=r.headers, data={}, files=files)
    print(resp.status_code, resp.reason)
    print(resp.content)