Authentication
Requests for calling an API can be authenticated using either of the following methods:
- AK/SK-based authentication: Requests are signed using an access key ID (AK)/secret access key (SK).
- Token authentication: Requests are authenticated using tokens.
AK/SK Authentication
In AK/SK-based authentication, AK/SK is used to sign requests and the signature is then added to the request headers for authentication.
- AK: access key ID. It is a unique identifier associated with a secret access key and is used together with the secret access key to sign requests cryptographically.
- SK: secret access key. It is used together with an access key ID to identify a sender who initiates a request and to cryptographically sign requests, preventing the request from being modified.
- AK/SK-based authentication supports API requests with a body not larger than 12 MB. For API requests with a larger body, token-based authentication is recommended.
- APIG checks the time format and compares the time with the time when APIG receives the request. If the time difference exceeds 15 minutes, APIG will reject the request. The local time on the client must be synchronized with the clock server to avoid a large offset in the value of the X-Sdk-Date request header.
The following uses a demo to show how to sign a request and use an HTTP client to send an HTTPS request. If you do not need the demo project, visit the following URL to download the API Gateway signing SDK:
- Create an AK/SK pair. If an AK/SK pair has been generated, skip this step. Find the downloaded AK/SK file, which is usually named credentials.csv.
- Log in to ManageOne Operation Portal.
- Click the username in the upper-right corner and select My Settings from the drop-down list.
- On the My Settings page, click the Access Keys tab.
- Click Add Access Key to create an AK/SK pair.
- Click OK to download the access key file.
- Obtain the AK and SK from the credentials.csv file.
- Each user can create up to two access keys.
- For security purposes, access keys are automatically downloaded only when they are generated for the first time and cannot be obtained from the management console later. Store them securely.
- Download and decompress the demo project.
- Start IDEA and choose File > New > Project from Existing Sources.
Select the decompressed ApiGateway-java-sdk-x.x.x folder, and click OK to import the sample project.
- On the Import Project page, select Import project from external model.
Select Maven and click Create.

- You can create a project in the current window or a new window. In this example, click New Window.
- Modify the API request information in HttpClientDemo.java.
- This example stores the AK and SK in environment variables. Before running this example, set the environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK in the local environment. The following uses Linux as an example to describe how to set the AK/SK obtained in step 1 as environment variables.
- Open the terminal and run the following command to open the environment variable configuration file:
vi ~/.bashrc
- Add the following environment variables to the file, save the file, and exit the editor:
export HUAWEICLOUD_SDK_AK="Obtained AK"
export HUAWEICLOUD_SDK_SK="Obtained SK"
- Run the following command to bring the modification into effect:
source ~/.bashrc
- Replace the API information and configured environment variables in the HttpClientDemo.java file.
As shown in the following code, replace the information in bold with the actual values.
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
// Request, Client, Constant, HostName and SSLCipherSuiteUtil are provided by
// the demo project and the signing SDK; import them from its packages.

public class HttpClientDemo {
    private static final Logger LOGGER = LoggerFactory.getLogger(HttpClientDemo.class);

    public static void main(String[] args) throws Exception {
        // Create a new request.
        Request httpClientRequest = new Request();
        try {
            // Set the request parameters.
            // AppKey, AppSecret, Method and Url are required parameters.
            // Directly writing AK/SK in code is risky. For security, encrypt your AK/SK
            // and store them in the configuration file or environment variables.
            // In this example, the AK/SK are stored in environment variables for identity authentication.
            // Before running this example, set environment variables HUAWEICLOUD_SDK_AK and HUAWEICLOUD_SDK_SK.
            httpClientRequest.setKey(System.getenv("HUAWEICLOUD_SDK_AK"));
            httpClientRequest.setSecret(System.getenv("HUAWEICLOUD_SDK_SK"));
            // Set the request method.
            httpClientRequest.setMethod("POST");
            // Set the request URL in the format of https://{Endpoint}/{URI}.
            httpClientRequest.setUrl("put your request url here");
            httpClientRequest.addHeader("Content-Type", "text/plain");
            // Set the request body.
            httpClientRequest.setBody("put your request body here");
        } catch (Exception e) {
            LOGGER.error(e.getMessage());
            return;
        }

        CloseableHttpClient client = null;
        try {
            // Sign the request.
            HttpRequestBase signedRequest = Client.sign(httpClientRequest, Constant.SIGNATURE_ALGORITHM_SDK_HMAC_SHA256);
            if (Constant.DO_VERIFY) {
                // Create an HTTP client that verifies the SSL certificate.
                HostName.setUrlHostName(httpClientRequest.getHost());
                client = (CloseableHttpClient) SSLCipherSuiteUtil.createHttpClientWithVerify(Constant.INTERNATIONAL_PROTOCOL);
            } else {
                // Create an HTTP client that does not verify the SSL certificate
                // (the server's identity is then not checked).
                client = (CloseableHttpClient) SSLCipherSuiteUtil.createHttpClient(Constant.INTERNATIONAL_PROTOCOL);
            }
            HttpResponse response = client.execute(signedRequest);
            // Print the body of the response.
            HttpEntity resEntity = response.getEntity();
            if (resEntity != null) {
                LOGGER.info("Processing Body with name: {} and value: {}",
                        System.getProperty("line.separator"), EntityUtils.toString(resEntity, "UTF-8"));
            }
        } catch (Exception e) {
            LOGGER.error(e.getMessage());
        } finally {
            if (client != null) {
                client.close();
            }
        }
    }
}
- Run HttpClientDemo.java to sign the request, access the API, and print the result.
If the AK or SK has changed, APIG returns an error message.
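The signing and time-window checks described in this section, as an added example in Python that is not part of the original page or the signing SDK. It is a simplified model: the string that is signed, the X-Demo-Signature header, the X-Sdk-Date layout, the /v3/jobs path and the sample keys are assumptions or constructed values, and the SDK's real canonical request format is not reproduced.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=15)      # window stated on this page
DATE_FMT = "%Y%m%dT%H%M%SZ"           # assumed X-Sdk-Date layout
SIG_HEADER = "X-Demo-Signature"       # hypothetical header, not the SDK's


def sign(sk, method, path, sdk_date, body):
    """HMAC-SHA256 over method, path, date and body hash (simplified)."""
    body_hash = hashlib.sha256(body).hexdigest()
    to_sign = "\n".join([method, path, sdk_date, body_hash]).encode()
    return hmac.new(sk.encode(), to_sign, hashlib.sha256).hexdigest()


def build_headers(sk, method, path, body, now):
    """Client side: stamp the request time and attach the signature."""
    sdk_date = now.strftime(DATE_FMT)
    return {"X-Sdk-Date": sdk_date,
            SIG_HEADER: sign(sk, method, path, sdk_date, body)}


def verify(sk, method, path, headers, body, now):
    """Gateway-side model: time window first, then the signature."""
    try:
        sent = datetime.strptime(headers["X-Sdk-Date"], DATE_FMT)
    except (KeyError, ValueError):
        return "rejected: bad X-Sdk-Date"
    if abs(now - sent.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        return "rejected: clock skew"
    expected = sign(sk, method, path, headers["X-Sdk-Date"], body)
    if not hmac.compare_digest(expected, headers.get(SIG_HEADER, "")):
        return "rejected: signature mismatch"
    return "accepted"


def run_cases():
    """Constructed sample request (path, body, keys) under four conditions."""
    sk = "constructed-sample-sk"
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    body = b'{"name": "job-1"}'
    hdrs = build_headers(sk, "POST", "/v3/jobs", body, now)
    return {
        "valid": verify(sk, "POST", "/v3/jobs", hdrs, body, now),
        "tampered_body": verify(sk, "POST", "/v3/jobs", hdrs, b'{"name": "job-2"}', now),
        "stale": verify(sk, "POST", "/v3/jobs", hdrs, body, now + timedelta(minutes=16)),
        "wrong_sk": verify("other-sk", "POST", "/v3/jobs", hdrs, body, now),
    }
```

The stale case is the one a drifting client clock produces: the signature is still correct, but the request is rejected before the signature is even compared.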
Token Authentication
The validity period of a token is 24 hours. When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token.
A token specifies temporary permissions in a computer system. During API authentication using a token, the token is added to requests to get permissions for calling the API. You can obtain a user token by calling the API for Obtaining a User Token.
A cloud service can be deployed globally or at the project level.
- A project-level service requires a project-level token. When you call the API, set auth.scope in the request body to project.
- A global service requires a global token. When you call the API, set auth.scope in the request body to domain.
A project-level token is required for calling APIs of the DRS service. As such, set auth.scope in the request body to project when you call the API for obtaining a user token.
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "username",
                    "password": "********",
                    "domain": {
                        "name": "domainname"
                    }
                }
            }
        },
        "scope": {
            "project": {
                "name": "projectname"
            }
        }
    }
}
In section 3.1 Making an API Request, the process of calling the API used to obtain a user token is described. After a token is obtained, the X-Auth-Token header field must be added to requests to specify the token when calling other APIs. For example, if the token is ABCDEFJ...., X-Auth-Token: ABCDEFJ.... can be added to a request as follows:
POST https://{Endpoint}/v3/auth/projects
Content-Type: application/json
X-Auth-Token: ABCDEFJ....
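One way to cache a token for its 24-hour validity period and attach it as X-Auth-Token, as an added example in Python that is not part of the original page. The fetch callable stands in for the call to the API for obtaining a user token; the TokenCache class, the 5-minute refresh margin and the sample token values are assumptions made for illustration.

```python
import threading
import time

TOKEN_TTL = 24 * 3600     # validity period stated on this page, in seconds
REFRESH_MARGIN = 300      # assumed safety margin before expiry


class TokenCache:
    """Caches one token per scope and refetches shortly before expiry."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch          # callable(scope) that performs the IAM call
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}           # scope -> (token, expiry time)

    def token(self, scope):
        with self._lock:             # one fetch at a time, even under load
            token, expires = self._entries.get(scope, (None, 0.0))
            if token is None or self._clock() >= expires - REFRESH_MARGIN:
                token = self._fetch(scope)
                self._entries[scope] = (token, self._clock() + TOKEN_TTL)
            return token

    def headers(self, scope):
        """Headers for a call to another API, with the cached token attached."""
        return {"Content-Type": "application/json",
                "X-Auth-Token": self.token(scope)}

    def invalidate(self, scope):
        """Drop a token the service refused so the next call refetches it."""
        with self._lock:
            self._entries.pop(scope, None)


def demo():
    """Constructed run with a fake clock and fake fetcher (no network)."""
    now, calls = [0.0], []
    def fetch(scope):
        calls.append(scope)
        return f"constructed-token-{len(calls)}"
    cache = TokenCache(fetch, clock=lambda: now[0])
    project = ("project", "projectname")
    first = cache.headers(project)["X-Auth-Token"]
    now[0] = 23 * 3600                  # still valid: served from cache
    second = cache.token(project)
    now[0] = TOKEN_TTL - 60             # inside the margin: refetched
    third = cache.token(project)
    return first, second, third, calls
```

Keying the cache by scope keeps a project-level token and a global (domain) token from being handed out in place of each other.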