You must sign all API requests to ensure security. Alibaba Cloud uses the request signature to verify the identity of the API caller. DLA implements symmetric encryption with an AccessKey pair to verify the identity of the request sender. An AccessKey pair consists of an AccessKey ID and an AccessKey secret.
Step 1: Create a canonicalized query string
- Create a canonicalized query string by arranging the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order. If you use the GET method to send a request, the canonicalized query string is only made up of the parameters and does not include "https://endpoint/?". The parameters are separated by ampersands (&).
- Encode the canonicalized query string in UTF-8. Follow the RFC 3986 specification to encode parameters and their values. Encoding rules:
  - Uppercase letters, lowercase letters, digits, and some special characters such as hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
  - Other characters must be percent encoded in %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
  - Extended UTF-8 characters are encoded in %XY%ZA… format.
  - Spaces must be encoded as %20. Do not encode spaces as plus signs (+).

  The preceding encoding scheme is slightly different from the application/x-www-form-urlencoded MIME-type encoding algorithm. If you use java.net.URLEncoder in the Java standard library, use percentEncode to encode request parameters and their values. In the encoded query string, replace the plus sign (+) with %20, the asterisk (*) with %2A, and %7E with a tilde (~). This way, you can obtain an encoded string that matches the preceding encoding rules.
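  ```java
  import java.io.UnsupportedEncodingException;
  import java.net.URLEncoder;

  private static final String ENCODING = "UTF-8";

  // Converts URLEncoder's form encoding into the RFC 3986 encoding described above.
  private static String percentEncode(String value) throws UnsupportedEncodingException {
      return value != null
              ? URLEncoder.encode(value, ENCODING).replace("+", "%20").replace("*", "%2A").replace("%7E", "~")
              : null;
  }
  ```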
- Separate the encoded parameter names from their encoded values with equal signs (=).
- Separate the name-value pairs with ampersands (&).
Then, the canonicalized query string is created.
Step 2: Create a string-to-sign from the encoded canonicalized query string
string-to-sign. You can also use percentEncode to encode the canonicalized query string that is created in the previous step. Comply with the following rules to create a string-to-sign:

```
StringToSign=
    HTTPMethod + "&" +                       //HTTPMethod: the HTTP method that is used to send a request, such as GET.
    percentEncode("/") + "&" +               //percentEncode("/"): Encode the forward slash (/) in UTF-8 as %2F.
    percentEncode(CanonicalizedQueryString)  //Encode the canonicalized query string created in Step 1.
```
string-to-sign, as defined in RFC 2104. Use the Secure Hash Algorithm 1 (SHA-1) algorithm to calculate the HMAC value. The Java Base64 encoding scheme is used in this example.

```
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )
```

When you calculate the signature, the key value specified by RFC 2104 is your AccessKey secret followed by an ampersand (&), which has an ASCII value of 38. The calculation result is encoded based on the encoding rules specified in RFC 3986 and then added to the URL of the canonicalized query string that you created in Step 1.
Example
The following example demonstrates the signature process when you want to query the status of a job by calling the GetJobStatus operation. In this example, the AccessKey ID you obtained is xxx and the AccessKey secret you obtained is yyy.
- Create a canonicalized query string. Note that the signature nonce is a random string.

  ```
  http://openanalytics.cn-hangzhou.aliyuncs.com/?AccessKeyId=xxx&Action=GetJobStatus&Format=JSON&JobId=MySparkJobId&SignatureMethod=HMAC-SHA1&SignatureNonce=f87701c37ad49e3153fabf78ed2ad73c&SignatureVersion=1.0&Timestamp=2020-10-27T07:32:05Z&VcName=MyCluster&Version=2018-06-19
  ```
- Create a string-to-sign.

  ```
  GET&%2F&AccessKeyId=xxx&Action=GetJobStatus&Format=JSON&JobId=MySparkJobId&SignatureMethod=HMAC-SHA1&SignatureNonce=f87701c37ad49e3153fabf78ed2ad73c&SignatureVersion=1.0&Timestamp=2020-10-27T07%3A32%3A05Z&VcName=MyCluster&Version=2018-06-19
  ```
- Calculate the signature. The value of AccessKey secret is yyy, and therefore the key used for calculation is yyy&. The calculated signature is DR5p4dbFur6ad****Iq8uH4sW6w=. The Java Base64 encoding scheme is used in this example.

  ```
  Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of(StringToSign) ) )
  ```
- Encode the calculated signature as Signature=DR5p4dbFur6adTbYPIq8uH4sW6w%3D based on the encoding rules specified in RFC 3986. Then, add Signature=DR5p4dbFur6ad****Iq8uH4sW6w%3D to the URL.

  ```
  http://openanalytics.cn-hangzhou.aliyuncs.com/?AccessKeyId=xxx&Action=GetJobStatus&Format=JSON&JobId=MySparkJobId&SignatureMethod=HMAC-SHA1&SignatureNonce=f87701c37ad49e3153fabf78ed2ad73c&SignatureVersion=1.0&Timestamp=2020-10-27T07%3A32%3A05Z&VcName=MyCluster&Version=2018-06-19&Signature=DR5p4dbFur6ad****Iq8uH4sW6w%3D
  ```
You can use browsers or tools such as cURL or wget to send HTTP requests based on the new URL.
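
The signing steps above, as an added Python example that is not part of the original documentation and not Alibaba Cloud SDK code. It uses the parameter values of the GetJobStatus example and the placeholder secret yyy; the function names are hypothetical. It applies percentEncode to the whole canonicalized query string as the Step 2 rule specifies, so the = and & separators appear as %3D and %26 in the string-to-sign.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # RFC 3986: only A-Z a-z 0-9 - _ . ~ stay literal; space becomes %20, never "+".
    return quote(str(value), safe="~", encoding="utf-8")


def canonicalized_query(params: dict) -> str:
    # Step 1: drop Signature, sort by parameter name, encode names and values.
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in pairs)


def string_to_sign(method: str, params: dict) -> str:
    # Step 2: HTTPMethod & percentEncode("/") & percentEncode(canonicalized query).
    return "&".join([method.upper(), percent_encode("/"),
                     percent_encode(canonicalized_query(params))])


def sign(method: str, params: dict, access_key_secret: str) -> str:
    # The HMAC-SHA1 key is the AccessKey secret followed by "&".
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_query(method: str, params: dict, access_key_secret: str) -> str:
    # Append the percent-encoded signature to the canonicalized query string.
    sig = sign(method, params, access_key_secret)
    return canonicalized_query(params) + "&Signature=" + percent_encode(sig)


# Parameter values taken from the page's GetJobStatus example (placeholders xxx / yyy).
EXAMPLE_PARAMS = {
    "Version": "2018-06-19", "VcName": "MyCluster",
    "Timestamp": "2020-10-27T07:32:05Z", "SignatureVersion": "1.0",
    "SignatureNonce": "f87701c37ad49e3153fabf78ed2ad73c", "SignatureMethod": "HMAC-SHA1",
    "JobId": "MySparkJobId", "Format": "JSON",
    "Action": "GetJobStatus", "AccessKeyId": "xxx",
}

if __name__ == "__main__":
    print(string_to_sign("GET", EXAMPLE_PARAMS))
    print(signed_query("GET", EXAMPLE_PARAMS, "yyy"))
```

Because the parameters are sorted before signing, the order in which the caller supplies them does not affect the signature, while changing any value does.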