Implementation:Apache Paimon DlfSigner

From Leeroopedia


Knowledge Sources
Domains: Security, Authentication, Cloud Integration
Last Updated: 2026-02-08 00:00 GMT

Overview

DlfSigner provides cryptographic request signing for Alibaba Cloud Data Lake Formation (DLF) authentication, implementing two distinct signing algorithms for VPC and public network access.

Description

This module implements the abstract `DLFRequestSigner` interface with two concrete signers.

`DLFDefaultSigner` implements the DLF4-HMAC-SHA256 algorithm for VPC endpoints (e.g., cn-hangzhou-vpc.dlf.aliyuncs.com): it builds canonical requests from HTTP method, path, sorted query parameters, and signed headers (content-md5, content-type, content-sha256, date, version, security-token), then computes a multi-step HMAC-SHA256 signature chain (date key -> region key -> product key -> signing key -> final signature).

`DLFOpenApiSigner` implements the Alibaba Cloud ROA v2 HMAC-SHA1 algorithm for public network access through dlfnext endpoints: it builds canonicalized headers (sorted x-acs-* headers), canonicalized resources (URL-decoded path with sorted query parameters), constructs a string-to-sign from method/accept/content-md5/content-type/date/headers/resource, and computes an HMAC-SHA1 signature.

Both signers handle security tokens and content MD5 for request integrity. The signer selection is controlled by the identifier property.

This dual-signer architecture allows the Paimon Python SDK to authenticate against DLF services across different network configurations, which is essential for Alibaba Cloud deployments.
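
The derived-key chain and canonical request that the description attributes to `DLFDefaultSigner`, sketched as an added example that is not pypaimon's code. Only the chain order and the signed-header list come from this page; the key prefix, product label, final-step label, string-to-sign layout and sample request are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

# Assumed values for illustration only; the page does not give pypaimon's constants.
KEY_PREFIX = "example4"            # hypothetical prefix mixed into the secret
PRODUCT = "example-product"        # hypothetical product label
REQUEST_LABEL = "example_request"  # hypothetical label for the last derivation step
# Signed-header list as named in the description above.
SIGNED_HEADERS = ("content-md5", "content-type", "content-sha256",
                  "date", "version", "security-token")

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret: str, day: str, region: str) -> bytes:
    """date key -> region key -> product key -> signing key."""
    date_key = _hmac((KEY_PREFIX + secret).encode("utf-8"), day)
    region_key = _hmac(date_key, region)
    product_key = _hmac(region_key, PRODUCT)
    return _hmac(product_key, REQUEST_LABEL)

def canonical_request(method, path, params, headers) -> str:
    """Method, path, sorted query and signed headers in a fixed order."""
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    signed = "\n".join(f"{h}:{lowered[h]}" for h in SIGNED_HEADERS if h in lowered)
    return "\n".join([method.upper(), path, query, signed])

def sign(secret, day, region, method, path, params, headers) -> str:
    """Final signature: HMAC of the canonical request hash under the scoped key."""
    digest = hashlib.sha256(
        canonical_request(method, path, params, headers).encode("utf-8")).hexdigest()
    return _hmac(derive_signing_key(secret, day, region), digest).hex()

def verify(received: str, *request) -> bool:
    """Server-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(received, sign(*request))

# Constructed sample request (not real credentials or captured traffic).
BODY = '{"database": "test"}'
HEADERS = {"Content-Type": "application/json", "date": "20260208T000000Z",
           "content-sha256": hashlib.sha256(BODY.encode()).hexdigest()}
REQUEST = ("constructed-secret", "20260208", "cn-hangzhou",
           "POST", "/api/databases", {"b": "2", "a": "1"}, HEADERS)
SIGNATURE = sign(*REQUEST)
```

In this sketch, headers outside `SIGNED_HEADERS` never enter the canonical request, so the signature gives no integrity guarantee for them. Changing the day or region yields a different signing key, which limits where a leaked derived key is useful.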

Usage

These signers are used internally by the REST API client when DLF authentication is configured, automatically selecting the appropriate signer based on the endpoint type.

Code Reference

Source Location

Signature

```python
class DLFRequestSigner(ABC):
    @abstractmethod
    def sign_headers(self, body: Optional[str], now: datetime,
                     security_token: Optional[str], host: str) -> Dict[str, str]: ...

    @abstractmethod
    def authorization(self, rest_auth_parameter: RESTAuthParameter,
                      token: DLFToken, host: str,
                      sign_headers: Dict[str, str]) -> str: ...

    @abstractmethod
    def identifier(self) -> str: ...

class DLFDefaultSigner(DLFRequestSigner):
    SIGNATURE_ALGORITHM = "DLF4-HMAC-SHA256"
    def __init__(self, region: str): ...

class DLFOpenApiSigner(DLFRequestSigner):
    IDENTIFIER = "openapi"
    SIGNATURE_METHOD_VALUE = "HMAC-SHA1"
```

Import

```python
from pypaimon.api.auth.dlf_signer import DLFDefaultSigner, DLFOpenApiSigner
```

I/O Contract

Inputs

| Name | Type | Required | Description |
|---|---|---|---|
| rest_auth_parameter | RESTAuthParameter | yes | Request details (method, path, query, body) |
| token | DLFToken | yes | DLF credentials (access key id, secret, security token) |
| host | str | yes | Request host |
| now | datetime | yes | Current timestamp for signature |

Outputs

| Name | Type | Description |
|---|---|---|
| sign_headers | Dict[str, str] | Signature-related headers (date, content-md5, etc.) |
| authorization | str | Authorization header value with signature |

Usage Examples

VPC Endpoint Authentication

```python
from pypaimon.api.auth.dlf_signer import DLFDefaultSigner
from pypaimon.api.token_loader import DLFToken
from datetime import datetime, timezone
# RESTAuthParameter must also be imported; its module is not shown on this page.

# Create signer for VPC endpoint
signer = DLFDefaultSigner(region="cn-hangzhou")
host = "cn-hangzhou-vpc.dlf.aliyuncs.com"

# Prepare request parameters
# Placeholder values; do not hard-code real credentials in source.
token = DLFToken(
    access_key_id="LTAI...",
    access_key_secret="secret...",
    security_token="STS..."
)

# The same body must be used for the signed headers and the request itself,
# otherwise the content hash in the signature will not match what is sent.
body = '{"database": "test"}'

# Generate signature headers
sign_headers = signer.sign_headers(
    body=body,
    now=datetime.now(timezone.utc),  # timezone-aware UTC timestamp
    security_token=token.security_token,
    host=host
)

# Generate authorization header
auth_header = signer.authorization(
    rest_auth_parameter=RESTAuthParameter(
        method="POST",
        path="/api/databases",
        parameters={},
        data=body
    ),
    token=token,
    host=host,
    sign_headers=sign_headers
)
```

Public Network Authentication

```python
from pypaimon.api.auth.dlf_signer import DLFOpenApiSigner
from datetime import datetime, timezone

# `token` is the DLFToken built in the VPC example.

# Create signer for public endpoint
signer = DLFOpenApiSigner()

# Generate headers and authorization
sign_headers = signer.sign_headers(
    body='{"database": "test"}',
    now=datetime.now(timezone.utc),  # timezone-aware UTC timestamp
    security_token=token.security_token,
    host="dlfnext.cn-hangzhou.aliyuncs.com"
)

auth_header = signer.authorization(
    rest_auth_parameter=...,
    token=token,
    host="dlfnext.cn-hangzhou.aliyuncs.com",
    sign_headers=sign_headers
)
```
