Dynamic encryption: Configure a content key authorization policy

Note

Google Widevine is currently not available in China regions.

Overview

You can use Azure Media Services to deliver your content encrypted dynamically with the Advanced Encryption Standard (AES), using 128-bit encryption keys, and with PlayReady digital rights management (DRM). Media Services also provides a service for delivering keys and PlayReady licenses to authorized clients.

If you want Media Services to encrypt an asset, you need to associate an encryption key (CommonEncryption or EnvelopeEncryption) with the asset. For more information, see Create content keys with REST. You also need to configure authorization policies for the key, as described in this article.

When a player requests a stream, Media Services uses the specified key to dynamically encrypt your content with AES or PlayReady encryption. To decrypt the stream, the player requests the key from the key delivery service. To determine whether the user is authorized to get the key, the service evaluates the authorization policies that you specified for the key.

Media Services supports multiple ways of authenticating users who make key requests. The content key authorization policy can have one or more authorization restrictions, using either the open restriction or the token restriction. A token-restricted policy must be accompanied by a token issued by a security token service (STS). Media Services supports tokens in the simple web token (SWT) and JSON Web Token (JWT) formats.

Media Services doesn't provide an STS. You can create a custom STS or use Azure Active Directory (Azure AD) to issue tokens. The STS must be configured to create a token that is signed with the specified key and that carries the claims you specified in the token restriction configuration (as described in this article). If the token is valid and the claims in the token match those configured for the content key, the Media Services key delivery service returns the encryption key to the client.

For more information, see the following articles:

Some considerations apply

  • To use dynamic packaging and dynamic encryption, make sure the streaming endpoint from which you want to stream your content is in the "Running" state.
  • Your asset must contain a set of adaptive bitrate MP4 files or adaptive bitrate Smooth Streaming files. For more information, see Encode an asset.
  • Upload and encode your assets by using the AssetCreationOptions.StorageEncrypted option.
  • If you plan to have multiple content keys that require the same policy configuration, we recommend that you create a single authorization policy and reuse it with multiple content keys.
  • The key delivery service caches a ContentKeyAuthorizationPolicy and its related objects (policy options and restrictions) for 15 minutes. You can create a ContentKeyAuthorizationPolicy that uses a token restriction, test it, and then update the policy to the open restriction. It takes roughly 15 minutes before the policy switches to the open version.
  • If you add or update your asset's delivery policy, you must delete any existing locator and create a new one.
  • Currently, you can't encrypt progressive downloads.
  • The Media Services streaming endpoint sets the value of the CORS Access-Control-Allow-Origin header in the preflight response to the wildcard "*". This value works well with most players, including Azure Media Player, Roku, JWPlayer, and others. However, some players that use dash.js don't work because, with the credentials mode set to "include", the XMLHttpRequest in dash.js doesn't allow the wildcard "*" as the value of Access-Control-Allow-Origin. As a workaround for this limitation in dash.js, if you host your client from a single domain, Media Services can specify that domain in the preflight response header. For assistance, open a support ticket through the Azure portal.

AES-128 dynamic encryption

Note

When you work with the Media Services REST API, the following considerations apply.

When you access entities in Media Services, you must set specific header fields and values in your HTTP requests. For more information, see Setup for Media Services REST API development.

Open restriction

Open restriction means the system delivers the key to anyone who makes a key request. This restriction might be useful for testing purposes.

The following example creates an open authorization policy and adds it to the content key.

Create ContentKeyAuthorizationPolicies

Request:

POST https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicies HTTP/1.1
Content-Type: application/json
DataServiceVersion: 1.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
x-ms-client-request-id: d732dbfa-54fc-474c-99d6-9b46a006f389
Host: wamsbayclus001rest-hs.chinacloudapp.cn 
Content-Length: 36

{"Name":"Open Authorization Policy"}

Response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Content-Length: 211
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Location: https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicies('nb%3Ackpid%3AUUID%3Adb4593da-f4d1-4cc5-a92a-d20eacbabee4')
Server: Microsoft-IIS/8.5
x-ms-client-request-id: d732dbfa-54fc-474c-99d6-9b46a006f389
request-id: aabfa731-e884-4bf3-8314-492b04747ac4
x-ms-request-id: aabfa731-e884-4bf3-8314-492b04747ac4
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 10 Feb 2015 08:25:56 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#ContentKeyAuthorizationPolicies/@Element","Id":"nb:ckpid:UUID:db4593da-f4d1-4cc5-a92a-d20eacbabee4","Name":"Open Authorization Policy"}

Create ContentKeyAuthorizationPolicyOptions

Request:

POST https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions HTTP/1.1
Content-Type: application/json
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
x-ms-client-request-id: d225e357-e60e-4f42-add8-9d93aba1409a
Host: wamsbayclus001rest-hs.chinacloudapp.cn 
Content-Length: 168

{"Name":"policy","KeyDeliveryType":2,"KeyDeliveryConfiguration":"","Restrictions":[{"Name":"HLS Open Authorization Policy","KeyRestrictionType":0,"Requirements":null}]}

Response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Content-Length: 349
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Location: https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions('nb%3Ackpoid%3AUUID%3A57829b17-1101-4797-919b-f816f4a007b7')
Server: Microsoft-IIS/8.5
x-ms-client-request-id: d225e357-e60e-4f42-add8-9d93aba1409a
request-id: 81bcad37-295b-431f-972f-b23f2e4172c9
x-ms-request-id: 81bcad37-295b-431f-972f-b23f2e4172c9
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 10 Feb 2015 08:56:40 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#ContentKeyAuthorizationPolicyOptions/@Element","Id":"nb:ckpoid:UUID:57829b17-1101-4797-919b-f816f4a007b7","Name":"policy","KeyDeliveryType":2,"KeyDeliveryConfiguration":"","Restrictions":[{"Name":"HLS Open Authorization Policy","KeyRestrictionType":0,"Requirements":null}]}

Link ContentKeyAuthorizationPolicies with Options

Request:

POST https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicies('nb%3Ackpid%3AUUID%3A0baa438b-8ac2-4c40-a53c-4d4722b78715')/$links/Options HTTP/1.1
DataServiceVersion: 1.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Content-Type: application/json
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
x-ms-client-request-id: 9847f705-f2ca-4e95-a478-8f823dbbaa29
Host: wamsbayclus001rest-hs.chinacloudapp.cn 
Content-Length: 154

{"uri":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions('nb%3Ackpoid%3AUUID%3A57829b17-1101-4797-919b-f816f4a007b7')"}

Response:

HTTP/1.1 204 No Content

Add an authorization policy to the content key

Request:

PUT https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeys('nb%3Akid%3AUUID%3A2e6d36a7-a17c-4e9a-830d-eca23ad1a6f9') HTTP/1.1
Content-Type: application/json
DataServiceVersion: 1.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
x-ms-client-request-id: e613efff-cb6a-41b4-984a-f4f8fb6e76a4
Host: wamsbayclus001rest-hs.chinacloudapp.cn
Content-Length: 78

{"AuthorizationPolicyId":"nb:ckpid:UUID:c06cebb8-c4f0-4d1a-ba00-3273fb2bc3ad"}

Response:

HTTP/1.1 204 No Content
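The four calls of this section, as one small client added here (it is not Azure SDK or Media Services code). The paths, headers and JSON bodies follow the requests above; the account host, the bearer token and the transport are parameters, so the sequence can be exercised offline against the FakeTransport at the bottom, which answers with constructed ids. The requests above mix DataServiceVersion 1.0 and 3.0;NetFx; this example sends 3.0;NetFx on every call, which is an assumption.

```python
"""Run the four REST calls of this section in order with one small client."""
import json
import urllib.parse
import urllib.request
import uuid


def urllib_transport(method, url, headers, body):
    """Default transport: send the request and return (status, response text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode("utf-8")


class PolicyClient:
    def __init__(self, host, bearer_token, transport=urllib_transport):
        self.base = f"https://{host}/api/"
        self.token = bearer_token
        self.transport = transport

    def _call(self, method, path, payload, expect):
        body = json.dumps(payload).encode("utf-8") if payload is not None else None
        headers = {
            "Content-Type": "application/json",
            "DataServiceVersion": "3.0;NetFx",
            "MaxDataServiceVersion": "3.0;NetFx",
            "Accept": "application/json",
            "Accept-Charset": "UTF-8",
            "Authorization": f"Bearer {self.token}",
            "x-ms-version": "2.19",
            # A fresh id per call; the service echoes it, so failures can be correlated.
            "x-ms-client-request-id": str(uuid.uuid4()),
        }
        status, text = self.transport(method, self.base + path, headers, body)
        if status != expect:
            raise RuntimeError(f"{method} {path}: expected HTTP {expect}, got {status}")
        return json.loads(text) if text else None

    @staticmethod
    def _entity(set_name, entity_id):
        # Entity ids such as nb:ckpid:UUID:... go percent-encoded inside the parentheses.
        return f"{set_name}('{urllib.parse.quote(entity_id, safe='')}')"

    def create_policy(self, name):
        return self._call("POST", "ContentKeyAuthorizationPolicies", {"Name": name}, 201)["Id"]

    def create_open_option(self, name, key_delivery_type):
        payload = {"Name": name, "KeyDeliveryType": key_delivery_type, "KeyDeliveryConfiguration": "",
                   "Restrictions": [{"Name": "Open", "KeyRestrictionType": 0, "Requirements": None}]}
        return self._call("POST", "ContentKeyAuthorizationPolicyOptions", payload, 201)["Id"]

    def link_option(self, policy_id, option_id):
        path = self._entity("ContentKeyAuthorizationPolicies", policy_id) + "/$links/Options"
        option_uri = self.base + self._entity("ContentKeyAuthorizationPolicyOptions", option_id)
        self._call("POST", path, {"uri": option_uri}, 204)

    def attach_to_content_key(self, content_key_id, policy_id):
        self._call("PUT", self._entity("ContentKeys", content_key_id),
                   {"AuthorizationPolicyId": policy_id}, 204)


def configure_open_aes_policy(client, content_key_id):
    """Steps 1-4 above for an open AES-128 (BaselineHttp) policy; returns (policy_id, option_id)."""
    policy_id = client.create_policy("Open Authorization Policy")
    option_id = client.create_open_option("HLS Open Authorization Policy", 2)  # 2 = BaselineHttp
    client.link_option(policy_id, option_id)
    client.attach_to_content_key(content_key_id, policy_id)
    return policy_id, option_id


class FakeTransport:
    """Offline stand-in that records every call and answers like the transcripts above."""
    POLICY_ID = "nb:ckpid:UUID:00000000-0000-0000-0000-000000000001"   # constructed id
    OPTION_ID = "nb:ckpoid:UUID:00000000-0000-0000-0000-000000000002"  # constructed id

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        path = url.split("/api/", 1)[1]
        if method == "POST" and path == "ContentKeyAuthorizationPolicies":
            return 201, json.dumps({"Id": self.POLICY_ID, "Name": json.loads(body)["Name"]})
        if method == "POST" and path == "ContentKeyAuthorizationPolicyOptions":
            return 201, json.dumps({"Id": self.OPTION_ID})
        return 204, ""


if __name__ == "__main__":
    fake = FakeTransport()
    client = PolicyClient("<account>rest-hs.chinacloudapp.cn", "<ENCODED JWT TOKEN>", transport=fake)
    print(configure_open_aes_policy(client, "nb:kid:UUID:2e6d36a7-a17c-4e9a-830d-eca23ad1a6f9"))
    for method, url, _, body in fake.calls:
        print(method, url, body)
```

Against the real service, drop the transport argument so urllib sends the requests; the status check in _call turns an unexpected response (for example a 401 from an expired bearer token) into an exception before the next step runs, so a policy is never attached to a key when the link step silently failed.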

Token restriction

This section describes how to create a content key authorization policy and associate it with the content key. The authorization policy describes the authorization requirements that must be met to determine whether the user is authorized to receive the key. For example, does the verification key list contain the key that the token was signed with?

To configure the token restriction option, you need to use XML to describe the token's authorization requirements. The token restriction configuration XML must conform to the following XML schema:

Token restriction schema

<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:tns="http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1" elementFormDefault="qualified" targetNamespace="http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:complexType name="TokenClaim">
    <xs:sequence>
      <xs:element name="ClaimType" nillable="true" type="xs:string" />
      <xs:element minOccurs="0" name="ClaimValue" nillable="true" type="xs:string" />
    </xs:sequence>
  </xs:complexType>
  <xs:element name="TokenClaim" nillable="true" type="tns:TokenClaim" />
  <xs:complexType name="TokenRestrictionTemplate">
    <xs:sequence>
      <xs:element minOccurs="0" name="AlternateVerificationKeys" nillable="true" type="tns:ArrayOfTokenVerificationKey" />
      <xs:element name="Audience" nillable="true" type="xs:anyURI" />
      <xs:element name="Issuer" nillable="true" type="xs:anyURI" />
      <xs:element name="PrimaryVerificationKey" nillable="true" type="tns:TokenVerificationKey" />
      <xs:element minOccurs="0" name="RequiredClaims" nillable="true" type="tns:ArrayOfTokenClaim" />
    </xs:sequence>
  </xs:complexType>
  <xs:element name="TokenRestrictionTemplate" nillable="true" type="tns:TokenRestrictionTemplate" />
  <xs:complexType name="ArrayOfTokenVerificationKey">
    <xs:sequence>
      <xs:element minOccurs="0" maxOccurs="unbounded" name="TokenVerificationKey" nillable="true" type="tns:TokenVerificationKey" />
    </xs:sequence>
  </xs:complexType>
  <xs:element name="ArrayOfTokenVerificationKey" nillable="true" type="tns:ArrayOfTokenVerificationKey" />
  <xs:complexType name="TokenVerificationKey">
    <xs:sequence />
  </xs:complexType>
  <xs:element name="TokenVerificationKey" nillable="true" type="tns:TokenVerificationKey" />
  <xs:complexType name="ArrayOfTokenClaim">
    <xs:sequence>
      <xs:element minOccurs="0" maxOccurs="unbounded" name="TokenClaim" nillable="true" type="tns:TokenClaim" />
    </xs:sequence>
  </xs:complexType>
  <xs:element name="ArrayOfTokenClaim" nillable="true" type="tns:ArrayOfTokenClaim" />
  <xs:complexType name="SymmetricVerificationKey">
    <xs:complexContent mixed="false">
      <xs:extension base="tns:TokenVerificationKey">
        <xs:sequence>
          <xs:element name="KeyValue" nillable="true" type="xs:base64Binary" />
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:element name="SymmetricVerificationKey" nillable="true" type="tns:SymmetricVerificationKey" />
</xs:schema>

When you configure the token-restricted policy, you must specify the primary verification key, issuer, and audience parameters. The primary verification key contains the key that the token was signed with. The issuer is the STS that issues the token. The audience (sometimes called scope) describes the intent of the token or the resource the token authorizes access to. The Media Services key delivery service validates that these values in the token match the values in the template.

The following example creates an authorization policy with a token restriction. In this example, the client must present a token that is signed with the verification key (VerificationKey), comes from the configured token issuer, and carries the required claims.
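The STS and key delivery sides of the exchange described above (a token signed with the shared key, then checked for signature, issuer, audience, expiry and required claims before the key is released), as an added example that is not Media Services or Azure SDK code. It parses a TokenRestrictionTemplate of the same shape as the Requirements XML in the request below, mints an SWT, and verifies it. The SWT layout (URL-encoded key=value pairs with a trailing HMACSHA256 field), the ExpiresOn claim, and the rule that the contentkeyidentifier claim must name the key being requested are assumptions of this example; the key values are constructed and not those on the page.

```python
"""Mint a simple web token (SWT) and verify it against a TokenRestrictionTemplate."""
import base64
import hashlib
import hmac
import time
import urllib.parse
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1"
NS_I = "http://www.w3.org/2001/XMLSchema-instance"
CONTENT_KEY_CLAIM = "urn:microsoft:azure:mediaservices:contentkeyidentifier"

# Constructed 64-byte test keys (not the key values shown on the page).
PRIMARY_KEY = b"A" * 64
ALTERNATE_KEY = b"B" * 64
PRIMARY_B64 = base64.b64encode(PRIMARY_KEY).decode()
ALTERNATE_B64 = base64.b64encode(ALTERNATE_KEY).decode()

# Constructed template in the same shape as the "Requirements" XML of this section.
TEMPLATE_XML = f"""<TokenRestrictionTemplate xmlns:i="{NS_I}" xmlns="{NS}">
  <AlternateVerificationKeys>
    <TokenVerificationKey i:type="SymmetricVerificationKey"><KeyValue>{ALTERNATE_B64}</KeyValue></TokenVerificationKey>
  </AlternateVerificationKeys>
  <Audience>urn:test</Audience>
  <Issuer>http://testissuer.com/</Issuer>
  <PrimaryVerificationKey i:type="SymmetricVerificationKey"><KeyValue>{PRIMARY_B64}</KeyValue></PrimaryVerificationKey>
  <RequiredClaims>
    <TokenClaim><ClaimType>{CONTENT_KEY_CLAIM}</ClaimType><ClaimValue i:nil="true" /></TokenClaim>
  </RequiredClaims>
  <TokenType>SWT</TokenType>
</TokenRestrictionTemplate>"""


def _q(tag):
    return f"{{{NS}}}{tag}"


def parse_template(xml_text):
    """Read verification keys, issuer, audience and required claims from the template."""
    root = ET.fromstring(xml_text)
    keys = []
    primary = root.find(_q("PrimaryVerificationKey"))
    if primary is not None:
        keys.append(base64.b64decode(primary.findtext(_q("KeyValue"))))
    for k in root.iterfind(f"{_q('AlternateVerificationKeys')}/{_q('TokenVerificationKey')}"):
        keys.append(base64.b64decode(k.findtext(_q("KeyValue"))))
    claims = []
    for c in root.iterfind(f"{_q('RequiredClaims')}/{_q('TokenClaim')}"):
        value = c.find(_q("ClaimValue"))
        # i:nil="true" (or no ClaimValue) means the claim must be present with any value.
        nil = value is None or value.get(f"{{{NS_I}}}nil") == "true"
        claims.append((c.findtext(_q("ClaimType")), None if nil else value.text))
    return {"keys": keys, "issuer": root.findtext(_q("Issuer")),
            "audience": root.findtext(_q("Audience")), "required_claims": claims}


def mint_swt(key, issuer, audience, content_key_id, lifetime_s=300, now=None):
    """STS side: HMAC-SHA256 over the URL-encoded claim set with the shared key."""
    now = int(time.time()) if now is None else now
    fields = [("Audience", audience), ("ExpiresOn", str(now + lifetime_s)),
              ("Issuer", issuer), (CONTENT_KEY_CLAIM, content_key_id)]
    unsigned = urllib.parse.urlencode(fields)
    sig = hmac.new(key, unsigned.encode(), hashlib.sha256).digest()
    return unsigned + "&HMACSHA256=" + urllib.parse.quote(base64.b64encode(sig).decode(), safe="")


def verify_swt(token, policy, content_key_id, now=None):
    """Key delivery side: return (ok, reason) after the checks the text lists."""
    now = int(time.time()) if now is None else now
    unsigned, sep, sig_part = token.rpartition("&HMACSHA256=")
    if not sep:
        return False, "missing signature"
    try:
        sig = base64.b64decode(urllib.parse.unquote(sig_part), validate=True)
    except ValueError:
        return False, "malformed signature"
    # The primary key or any alternate key may verify (alternates allow key rotation).
    if not any(hmac.compare_digest(hmac.new(k, unsigned.encode(), hashlib.sha256).digest(), sig)
               for k in policy["keys"]):
        return False, "signature does not verify with primary or alternate key"
    claims = dict(urllib.parse.parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != policy["issuer"]:
        return False, "issuer mismatch"
    if claims.get("Audience") != policy["audience"]:
        return False, "audience mismatch"
    if not claims.get("ExpiresOn", "").isdigit() or int(claims["ExpiresOn"]) <= now:
        return False, "token expired or ExpiresOn missing"
    for ctype, cvalue in policy["required_claims"]:
        if ctype not in claims:
            return False, f"missing required claim {ctype}"
        if cvalue is not None and claims[ctype] != cvalue:
            return False, f"unexpected value for claim {ctype}"
    if claims.get(CONTENT_KEY_CLAIM) != content_key_id:
        return False, "token was issued for a different content key"
    return True, "ok"
```

The signature is checked before any claim is read, so a token whose issuer or audience was edited after signing is rejected as a signature failure rather than reaching the claim comparison, and compare_digest keeps the comparison constant-time.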

Create ContentKeyAuthorizationPolicies

Create a token restriction policy, as shown in the section "Create ContentKeyAuthorizationPolicies."

Create ContentKeyAuthorizationPolicyOptions

Request:

POST https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions HTTP/1.1
Content-Type: application/json
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Authorization: Bearer <ENCODED JWT TOKEN>
x-ms-version: 2.19
x-ms-client-request-id: 2643d836-bfe7-438e-9ba2-bc6ff28e4a53
Host: wamsbayclus001rest-hs.chinacloudapp.cn
Content-Length: 1079

{"Name":"Token option for HLS","KeyDeliveryType":2,"KeyDeliveryConfiguration":null,"Restrictions":[{"Name":"Token Authorization Policy","KeyRestrictionType":1,"Requirements":"<TokenRestrictionTemplate xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1\"><AlternateVerificationKeys><TokenVerificationKey i:type=\"SymmetricVerificationKey\"><KeyValue>BklyAFiPTQsuJNKriQJBZHYaKM2CkCTDQX2bw9sMYuvEC9sjW0W7GUIBygQL/+POEeUqCYPnmEU2g0o1GW2Oqg==</KeyValue></TokenVerificationKey></AlternateVerificationKeys><Audience>urn:test</Audience><Issuer>http://testissuer.com/</Issuer><PrimaryVerificationKey i:type=\"SymmetricVerificationKey\"><KeyValue>E5BUHiN4vBdzUzdP0IWaHFMMU3D1uRZgF16TOhSfwwHGSw+Kbf0XqsHzEIYk11M372viB9vbiacsdcQksA0ftw==</KeyValue></PrimaryVerificationKey><RequiredClaims><TokenClaim><ClaimType>urn:microsoft:azure:mediaservices:contentkeyidentifier</ClaimType><ClaimValue i:nil=\"true\" /></TokenClaim></RequiredClaims><TokenType>SWT</TokenType></TokenRestrictionTemplate>"}]}

Response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Content-Length: 1260
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Location: https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions('nb%3Ackpoid%3AUUID%3Ae1ef6145-46e8-4ee6-9756-b1cf96328c23')
Server: Microsoft-IIS/8.5
x-ms-client-request-id: 2643d836-bfe7-438e-9ba2-bc6ff28e4a53
request-id: 2310b716-aeaa-421e-913e-3ce2f6f685ca
x-ms-request-id: 2310b716-aeaa-421e-913e-3ce2f6f685ca
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 10 Feb 2015 09:10:37 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#ContentKeyAuthorizationPolicyOptions/@Element","Id":"nb:ckpoid:UUID:e1ef6145-46e8-4ee6-9756-b1cf96328c23","Name":"Token option for HLS","KeyDeliveryType":2,"KeyDeliveryConfiguration":null,"Restrictions":[{"Name":"Token Authorization Policy","KeyRestrictionType":1,"Requirements":"<TokenRestrictionTemplate xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1\"><AlternateVerificationKeys><TokenVerificationKey i:type=\"SymmetricVerificationKey\"><KeyValue>BklyAFiPTQsuJNKriQJBZHYaKM2CkCTDQX2bw9sMYuvEC9sjW0W7GUIBygQL/+POEeUqCYPnmEU2g0o1GW2Oqg==</KeyValue></TokenVerificationKey></AlternateVerificationKeys><Audience>urn:test</Audience><Issuer>http://testissuer.com/</Issuer><PrimaryVerificationKey i:type=\"SymmetricVerificationKey\"><KeyValue>E5BUHiN4vBdzUzdP0IWaHFMMU3D1uRZgF16TOhSfwwHGSw+Kbf0XqsHzEIYk11M372viB9vbiacsdcQksA0ftw==</KeyValue></PrimaryVerificationKey><RequiredClaims><TokenClaim><ClaimType>urn:microsoft:azure:mediaservices:contentkeyidentifier</ClaimType><ClaimValue i:nil=\"true\" /></TokenClaim></RequiredClaims><TokenType>SWT</TokenType></TokenRestrictionTemplate>"}]}

Link ContentKeyAuthorizationPolicies with options, as shown in the section "Create ContentKeyAuthorizationPolicies."

Add an authorization policy to the content key

Add the AuthorizationPolicy to the ContentKey, as shown in the section "Add an authorization policy to the content key."

PlayReady dynamic encryption

You can use Media Services to configure the rights and restrictions that you want the PlayReady DRM runtime to enforce when a user tries to play back protected content.

When you protect your content with PlayReady, one of the things you need to specify in your authorization policy is an XML string that defines the PlayReady license template.

Open restriction

Open restriction means the system delivers the key to anyone who makes a key request. This restriction might be useful for testing purposes.

The following example creates an open authorization policy and adds it to the content key.

Create ContentKeyAuthorizationPolicies

Request:

POST https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicies HTTP/1.1
Content-Type: application/json
DataServiceVersion: 1.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
x-ms-client-request-id: 9e7fa407-f84e-43aa-8f05-9790b46e279b
Host: wamsbayclus001rest-hs.chinacloudapp.cn
Content-Length: 58

{"Name":"Deliver Common Content Key"}

Response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Content-Length: 233
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Location: https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicies('nb%3Ackpid%3AUUID%3Acc3c64a8-e2fc-4e09-bf60-ac954251a387')
Server: Microsoft-IIS/8.5
x-ms-client-request-id: 9e7fa407-f84e-43aa-8f05-9790b46e279b
request-id: b3d33c1b-a9cb-4120-ac0c-18f64846c147
x-ms-request-id: b3d33c1b-a9cb-4120-ac0c-18f64846c147
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 10 Feb 2015 09:26:00 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#ContentKeyAuthorizationPolicies/@Element","Id":"nb:ckpid:UUID:cc3c64a8-e2fc-4e09-bf60-ac954251a387","Name":"Deliver Common Content Key"}

Create ContentKeyAuthorizationPolicyOptions

Request:

POST https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions HTTP/1.1
Content-Type: application/json
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
x-ms-client-request-id: f160ad25-b457-4bc6-8197-315604c5e585
Host: wamsbayclus001rest-hs.chinacloudapp.cn
Content-Length: 593

{"Name":"","KeyDeliveryType":1,"KeyDeliveryConfiguration":"<PlayReadyLicenseResponseTemplate xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/PlayReadyTemplate/v1\"><LicenseTemplates><PlayReadyLicenseTemplate><AllowTestDevices>false</AllowTestDevices><ContentKey i:type=\"ContentEncryptionKeyFromHeader\" /><LicenseType>Nonpersistent</LicenseType><PlayRight /></PlayReadyLicenseTemplate></LicenseTemplates></PlayReadyLicenseResponseTemplate>","Restrictions":[{"Name":"Open","KeyRestrictionType":0,"Requirements":null}]}

Response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Content-Length: 774
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Location: https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions('nb%3Ackpoid%3AUUID%3A1052308c-4df7-4fdb-8d21-4d2141fc2be0')
Server: Microsoft-IIS/8.5
x-ms-client-request-id: f160ad25-b457-4bc6-8197-315604c5e585
request-id: 563f5a42-50a4-4c4a-add8-a833f8364231
x-ms-request-id: 563f5a42-50a4-4c4a-add8-a833f8364231
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 10 Feb 2015 09:23:24 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#ContentKeyAuthorizationPolicyOptions/@Element","Id":"nb:ckpoid:UUID:1052308c-4df7-4fdb-8d21-4d2141fc2be0","Name":"","KeyDeliveryType":1,"KeyDeliveryConfiguration":"<PlayReadyLicenseResponseTemplate xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/PlayReadyTemplate/v1\"><LicenseTemplates><PlayReadyLicenseTemplate><AllowTestDevices>false</AllowTestDevices><ContentKey i:type=\"ContentEncryptionKeyFromHeader\" /><LicenseType>Nonpersistent</LicenseType><PlayRight /></PlayReadyLicenseTemplate></LicenseTemplates></PlayReadyLicenseResponseTemplate>","Restrictions":[{"Name":"Open","KeyRestrictionType":0,"Requirements":null}]}

Link ContentKeyAuthorizationPolicies with options, as shown in the section "Create ContentKeyAuthorizationPolicies."

Add an authorization policy to the content key

Add the AuthorizationPolicy to the ContentKey, as shown in the section "Add an authorization policy to the content key."

Token restriction

To configure the token restriction option, you need to use XML to describe the token's authorization requirements. The token restriction configuration XML must conform to the XML schema shown in the section "Token restriction schema."

Create ContentKeyAuthorizationPolicies

Create ContentKeyAuthorizationPolicies, as shown in the section "Create ContentKeyAuthorizationPolicies."

Create ContentKeyAuthorizationPolicyOptions

Request:

POST https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions HTTP/1.1
Content-Type: application/json
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json
Accept-Charset: UTF-8
Authorization: Bearer <ENCODED JWT TOKEN> 
x-ms-version: 2.19
x-ms-client-request-id: ab079b0e-2ba9-4cf1-b549-a97bfa6cd2d3
Host: wamsbayclus001rest-hs.chinacloudapp.cn
Content-Length: 1525

{"Name":"Token option","KeyDeliveryType":1,"KeyDeliveryConfiguration":"<PlayReadyLicenseResponseTemplate xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/PlayReadyTemplate/v1\"><LicenseTemplates><PlayReadyLicenseTemplate><AllowTestDevices>false</AllowTestDevices><ContentKey i:type=\"ContentEncryptionKeyFromHeader\" /><LicenseType>Nonpersistent</LicenseType><PlayRight /></PlayReadyLicenseTemplate></LicenseTemplates></PlayReadyLicenseResponseTemplate>","Restrictions":[{"Name":"Token Authorization Policy","KeyRestrictionType":1,"Requirements":"<TokenRestrictionTemplate xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1\"><AlternateVerificationKeys><TokenVerificationKey i:type=\"SymmetricVerificationKey\"><KeyValue>w52OyHVqXT8aaupGxuJ3NGt8M6opHDOtx132p4r6q4hLI6ffnLusgEGie1kedUewVoIe1tqDkVE6xsIV7O91KA==</KeyValue></TokenVerificationKey></AlternateVerificationKeys><Audience>urn:test</Audience><Issuer>http://testissuer.com/</Issuer><PrimaryVerificationKey i:type=\"SymmetricVerificationKey\"><KeyValue>dYwLKIEMBljLeY9VM7vWdlhps31Fbt0XXhqP5VyjQa33bJXleBtkzQ6dF5AtwI9gDcdM2dV2TvYNhCilBKjMCg==</KeyValue></PrimaryVerificationKey><RequiredClaims><TokenClaim><ClaimType>urn:microsoft:azure:mediaservices:contentkeyidentifier</ClaimType><ClaimValue i:nil=\"true\" /></TokenClaim></RequiredClaims><TokenType>SWT</TokenType></TokenRestrictionTemplate>"}]}

Response:

HTTP/1.1 201 Created
Cache-Control: no-cache
Content-Length: 1706
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Location: https://wamsbayclus001rest-hs.chinacloudapp.cn/api/ContentKeyAuthorizationPolicyOptions('nb%3Ackpoid%3AUUID%3Ae42bbeae-de42-4077-90e9-a844f297ef70')
Server: Microsoft-IIS/8.5
x-ms-client-request-id: ab079b0e-2ba9-4cf1-b549-a97bfa6cd2d3
request-id: ccf8a4ba-731e-4124-8192-079592c251cc
x-ms-request-id: ccf8a4ba-731e-4124-8192-079592c251cc
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-Powered-By: ASP.NET
Strict-Transport-Security: max-age=31536000; includeSubDomains
Date: Tue, 10 Feb 2015 09:58:47 GMT

{"odata.metadata":"https://wamsbayclus001rest-hs.chinacloudapp.cn/api/$metadata#ContentKeyAuthorizationPolicyOptions/@Element","Id":"nb:ckpoid:UUID:e42bbeae-de42-4077-90e9-a844f297ef70","Name":"Token option","KeyDeliveryType":1,"KeyDeliveryConfiguration":"<PlayReadyLicenseResponseTemplate xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/PlayReadyTemplate/v1\"><LicenseTemplates><PlayReadyLicenseTemplate><AllowTestDevices>false</AllowTestDevices><ContentKey i:type=\"ContentEncryptionKeyFromHeader\" /><LicenseType>Nonpersistent</LicenseType><PlayRight /></PlayReadyLicenseTemplate></LicenseTemplates></PlayReadyLicenseResponseTemplate>","Restrictions":[{"Name":"Token Authorization Policy","KeyRestrictionType":1,"Requirements":"<TokenRestrictionTemplate xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1\"><AlternateVerificationKeys><TokenVerificationKey i:type=\"SymmetricVerificationKey\"><KeyValue>w52OyHVqXT8aaupGxuJ3NGt8M6opHDOtx132p4r6q4hLI6ffnLusgEGie1kedUewVoIe1tqDkVE6xsIV7O91KA==</KeyValue></TokenVerificationKey></AlternateVerificationKeys><Audience>urn:test</Audience><Issuer>http://testissuer.com/</Issuer><PrimaryVerificationKey i:type=\"SymmetricVerificationKey\"><KeyValue>dYwLKIEMBljLeY9VM7vWdlhps31Fbt0XXhqP5VyjQa33bJXleBtkzQ6dF5AtwI9gDcdM2dV2TvYNhCilBKjMCg==</KeyValue></PrimaryVerificationKey><RequiredClaims><TokenClaim><ClaimType>urn:microsoft:azure:mediaservices:contentkeyidentifier</ClaimType><ClaimValue i:nil=\"true\" /></TokenClaim></RequiredClaims><TokenType>SWT</TokenType></TokenRestrictionTemplate>"}]}

Link ContentKeyAuthorizationPolicies with options, as shown in the section "Create ContentKeyAuthorizationPolicies."

Add an authorization policy to the content key

Add the AuthorizationPolicy to the ContentKey, as shown in the section "Add an authorization policy to the content key."

Types used when you define ContentKeyAuthorizationPolicy

ContentKeyRestrictionType

public enum ContentKeyRestrictionType
{
    Open = 0,
    TokenRestricted = 1, 
    IPRestricted = 2, // IP restriction on content key is not currently supported, reserved for future.
}

Note

IP restriction on content key authorization policies is not yet available in the service.

ContentKeyDeliveryType

public enum ContentKeyDeliveryType
{
    None = 0,
    PlayReadyLicense = 1,
    BaselineHttp = 2
}
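A check that uses the two enums above to lint a ContentKeyAuthorizationPolicyOption body before it is posted, as an added example that is not Media Services code. Its rules are taken from the enum values and the sample bodies on this page: a token restriction (KeyRestrictionType 1) must carry a TokenRestrictionTemplate with a PrimaryVerificationKey, Issuer and Audience in Requirements; an open restriction (0) carries no Requirements and is reported as a warning, since the key is delivered to any requester; IP restriction (2) is reserved and rejected; PlayReadyLicense delivery (KeyDeliveryType 1) needs a PlayReadyLicenseResponseTemplate in KeyDeliveryConfiguration, and BaselineHttp (2) takes none. Treating KeyDeliveryType None (0) as an error and the constructed sample bodies (placeholder key value) are assumptions of this example.

```python
"""Lint ContentKeyAuthorizationPolicyOption bodies against the page's enums and samples."""
import xml.etree.ElementTree as ET

OPEN, TOKEN_RESTRICTED, IP_RESTRICTED = 0, 1, 2      # ContentKeyRestrictionType
NONE, PLAYREADY_LICENSE, BASELINE_HTTP = 0, 1, 2     # ContentKeyDeliveryType
TOKEN_NS = "http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1"
PLAYREADY_NS = "http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/PlayReadyTemplate/v1"


def _parse_root(xml_text, ns, local):
    """Return the root element if xml_text parses and its root is {ns}local, else None."""
    if not isinstance(xml_text, str):
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root if root.tag == f"{{{ns}}}{local}" else None


def lint_option(option):
    """Return (errors, warnings) for one ContentKeyAuthorizationPolicyOption dict."""
    errors, warnings = [], []
    delivery = option.get("KeyDeliveryType")
    config = option.get("KeyDeliveryConfiguration")
    if delivery == PLAYREADY_LICENSE:
        if _parse_root(config, PLAYREADY_NS, "PlayReadyLicenseResponseTemplate") is None:
            errors.append("PlayReadyLicense delivery needs a PlayReadyLicenseResponseTemplate in KeyDeliveryConfiguration")
    elif delivery == BASELINE_HTTP:
        if config:
            errors.append("BaselineHttp delivery takes no KeyDeliveryConfiguration")
    else:  # None (0) or an unknown value: assumed to be a mistake
        errors.append(f"KeyDeliveryType {delivery!r} selects no key delivery mechanism")

    restrictions = option.get("Restrictions") or []
    if not restrictions:
        errors.append("option has no Restrictions")
    for r in restrictions:
        name = r.get("Name") or "<unnamed>"
        kind = r.get("KeyRestrictionType")
        req = r.get("Requirements")
        if kind == OPEN:
            if req:
                errors.append(f"open restriction '{name}' must not carry Requirements")
            warnings.append(f"restriction '{name}' is open: the key is delivered to any requester")
        elif kind == TOKEN_RESTRICTED:
            root = _parse_root(req, TOKEN_NS, "TokenRestrictionTemplate")
            if root is None:
                errors.append(f"token restriction '{name}' needs a TokenRestrictionTemplate in Requirements")
                continue
            # The text requires primary verification key, issuer and audience.
            pk = root.find(f"{{{TOKEN_NS}}}PrimaryVerificationKey/{{{TOKEN_NS}}}KeyValue")
            if pk is None or not (pk.text or "").strip():
                errors.append(f"token restriction '{name}' has no PrimaryVerificationKey value")
            for required in ("Issuer", "Audience"):
                if not (root.findtext(f"{{{TOKEN_NS}}}{required}") or "").strip():
                    errors.append(f"token restriction '{name}' is missing {required}")
        elif kind == IP_RESTRICTED:
            errors.append(f"restriction '{name}': IP restriction is reserved and not available in the service")
        else:
            errors.append(f"restriction '{name}': unknown KeyRestrictionType {kind!r}")
    return errors, warnings


# Constructed bodies in the shape of this page's examples (placeholder key value).
TOKEN_TEMPLATE = (
    f'<TokenRestrictionTemplate xmlns="{TOKEN_NS}" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">'
    "<Audience>urn:test</Audience><Issuer>http://testissuer.com/</Issuer>"
    '<PrimaryVerificationKey i:type="SymmetricVerificationKey"><KeyValue>QUFB</KeyValue></PrimaryVerificationKey>'
    "<TokenType>SWT</TokenType></TokenRestrictionTemplate>"
)
PLAYREADY_TEMPLATE = (
    f'<PlayReadyLicenseResponseTemplate xmlns="{PLAYREADY_NS}"><LicenseTemplates><PlayReadyLicenseTemplate>'
    "<AllowTestDevices>false</AllowTestDevices><LicenseType>Nonpersistent</LicenseType><PlayRight />"
    "</PlayReadyLicenseTemplate></LicenseTemplates></PlayReadyLicenseResponseTemplate>"
)
AES_TOKEN_OPTION = {"Name": "Token option for HLS", "KeyDeliveryType": 2, "KeyDeliveryConfiguration": None,
                    "Restrictions": [{"Name": "Token Authorization Policy", "KeyRestrictionType": 1,
                                      "Requirements": TOKEN_TEMPLATE}]}
PLAYREADY_OPEN_OPTION = {"Name": "", "KeyDeliveryType": 1, "KeyDeliveryConfiguration": PLAYREADY_TEMPLATE,
                         "Restrictions": [{"Name": "Open", "KeyRestrictionType": 0, "Requirements": None}]}
IP_OPTION = {"Name": "ip", "KeyDeliveryType": 2, "KeyDeliveryConfiguration": "",
             "Restrictions": [{"Name": "by ip", "KeyRestrictionType": 2, "Requirements": None}]}

if __name__ == "__main__":
    for label, body in (("aes-token", AES_TOKEN_OPTION), ("playready-open", PLAYREADY_OPEN_OPTION), ("ip", IP_OPTION)):
        print(label, lint_option(body))
```

Running the check in the deployment path that posts options keeps an open restriction from reaching production unnoticed: the service accepts it (the open examples above return 201), so the warning here is the only place the choice is surfaced.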

Next steps

Now that you have configured a content key's authorization policy, see Configure asset delivery policy.