User Signature Authentication
Requests to OBS are signed using an AK/SK pair. When a client sends a request to OBS, the message header must carry the signature information, which is derived from the SK, request time, request type, and other request data.
- AK: access key ID, which is a unique identifier associated with a secret access key (SK). The AK and SK are used together to obtain an encrypted signature for a request. Format example: HCY8BGCN1YM5ZWYOK1MH
- SK: secret access key, which is used together with the AK to sign requests, identify a request sender, and prevent the request from being modified. Format example: 9zYwf1uabSQY0JTnFqbUqG7vcfqYBaTdXde2GUcq
A user can obtain the AK and SK from IAM. For details, see Obtaining Access Keys (AK/SK).
OBS provides three signature calculation methods based on application scenarios: Authentication of Signature in a Header, Authentication of Signature in a URL, and Authentication of Signature Carried in the Table Uploaded Through a Browser.
Table 1 shows the user signature verification process in which a signature is carried in a header. For details about the parameters and code examples of authentication of signature in a header, see Authentication of Signature in a Header.
| Procedure | Step | Example |
|---|---|---|
| Signature calculation | 1. Construct an HTTP message. | `PUT /object HTTP/1.1`<br>`Host: bucket.obs.region.example.com`<br>`Date: Tue, 04 Jun 2019 06:54:59 GMT`<br>`Content-Type: text/plain`<br>`Content-Length: 5913` |
| | 2. Calculate StringToSign based on the signature rule. | `StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource` |
| | 3. Prepare the AK and SK. | `AK: ******`<br>`SK: ******` |
| | 4. Calculate Signature. | `Signature = Base64( HMAC-SHA1( SecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) )` |
| | 5. Add a signature header and send the request to OBS. | `PUT /object HTTP/1.1`<br>`Host: bucket.obs.region.example.com`<br>`Date: Tue, 04 Jun 2019 06:54:59 GMT`<br>`Content-Type: text/plain`<br>`Content-Length: 5913`<br>`Authorization: OBS AccessKeyID:Signature` |
| Signature authentication | 6. Receive the HTTP message. | `PUT /object HTTP/1.1`<br>`Host: bucket.obs.region.example.com`<br>`Date: Tue, 04 Jun 2019 06:54:59 GMT`<br>`Content-Type: text/plain`<br>`Content-Length: 5913`<br>`Authorization: OBS AccessKeyID:Signature` |
| | 7. Obtain the SK based on the AK in the request. | Obtain the AK from the authorization header and obtain the SK of the user from IAM. |
| | 8. Calculate StringToSign based on the signature rule. | `StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource` |
| | 9. Calculate Signature. | `Signature = Base64( HMAC-SHA1( SecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) )` |
| | 10. Authenticate the signature. | Verify that the value of Signature in the authorization header is the same as the value of Signature calculated by the server. If the two values are the same, the signature verification is successful. If the two values are different, the signature verification fails. |
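The ten steps in Table 1, carried through on both the client and the server side, as an added example that is not code from the OBS documentation or SDK. The AK and SK are the format examples shown on this page; the empty `CanonicalizedHeaders`, the `/bucket/object` value for `CanonicalizedResource`, the `sk_lookup` callback standing in for IAM, and all function names are assumptions, since this page defers the canonicalization rules to Authentication of Signature in a Header.

```python
import base64
import hashlib
import hmac

def string_to_sign(verb, content_md5, content_type, date,
                   canonicalized_headers, canonicalized_resource):
    """Steps 2 and 8: concatenate the fields exactly as the signature rule states."""
    return (verb + "\n" + content_md5 + "\n" + content_type + "\n" + date + "\n"
            + canonicalized_headers + canonicalized_resource)

def sign(sk, sts):
    """Steps 4 and 9: Base64(HMAC-SHA1(SK, UTF-8(StringToSign)))."""
    mac = hmac.new(sk.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def authorization_header(ak, sk, sts):
    """Step 5: only the AK and the signature are sent; the SK stays local."""
    return "OBS " + ak + ":" + sign(sk, sts)

def verify(header, sts, sk_lookup):
    """Steps 6-10: parse the AK, look up its SK, recompute, compare."""
    scheme, _, credential = header.partition(" ")
    ak, sep, presented = credential.partition(":")
    if scheme != "OBS" or not sep:
        return False
    sk = sk_lookup(ak)  # hypothetical stand-in for the IAM lookup in step 7
    if sk is None:
        return False
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(sign(sk, sts).encode(), presented.encode())

# AK/SK are the page's format examples; resource and empty headers are assumed.
AK = "HCY8BGCN1YM5ZWYOK1MH"
SK = "9zYwf1uabSQY0JTnFqbUqG7vcfqYBaTdXde2GUcq"
KEYS = {AK: SK}
DATE = "Tue, 04 Jun 2019 06:54:59 GMT"

def demo():
    sts = string_to_sign("PUT", "", "text/plain", DATE, "", "/bucket/object")
    header = authorization_header(AK, SK, sts)
    # A request whose signed fields changed produces a different StringToSign.
    altered = string_to_sign("PUT", "", "text/plain", DATE, "", "/bucket/other")
    return header, verify(header, sts, KEYS.get), verify(header, altered, KEYS.get)

if __name__ == "__main__":
    print(demo())
```

The server never receives the SK: it rebuilds StringToSign from the request it actually received, so any change to a signed field makes step 10 fail.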