User Signature Authentication¶
OBS signs a request using AK/SK. When a client is sending a request to OBS, the message header must contain the SK, request time, request type, and other information of the signature.
AK: access key ID, which is a unique identifier associated with a secret access key (SK). The AK and SK are used together to obtain an encrypted signature for a request.
SK: secret access key, which is used together with the AK to sign requests, identify a request sender, and prevent the request from being modified.
A user can obtain the AK and SK from IAM. For details, see Obtaining Access Keys (AK/SK).
OBS provides three signature calculation methods based on application scenarios: Authentication of Signature in a Header, Authentication of Signature in a URL, and Authentication of Signature Carried in the Table Uploaded Through a Browser.
Table 1 shows the user signature verification process in which a signature is carried in a header. For details about the parameters and code examples of authentication of signature in a header, see Authentication of Signature in a Header.
Procedure | Example | |
---|---|---|
Signature calculation |
| PUT /object HTTP/1.1 Host: bucket.obs.region.example.com Date: Tue, 04 Jun 2019 06:54:59 GMT Content-Type: text/plain Content-Length: 5913 |
| StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource | |
| AK: ****** SK: ****** | |
| Signature = Base64( HMAC-SHA1( SecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) | |
| PUT /object HTTP/1.1 Host: bucket.obs.region.example.com Date: Tue, 04 Jun 2019 06:54:59 GMT Content-Type: text/plain Content-Length: 5913 Authorization: OBS AccessKeyID:Signature | |
Signature authentication |
| PUT /object HTTP/1.1 Host: bucket.obs.region.example.com Date: Tue, 04 Jun 2019 06:54:59 GMT Content-Type: text/plain Content-Length: 5913 Authorization: OBS AccessKeyID:Signature |
| Obtain the AK from the Authorization header and obtain the SK from IAM. | |
| StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedHeaders + CanonicalizedResource | |
| Signature = Base64( HMAC-SHA1( SecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) | |
| Check whether the value of Signature in the Authorization header is the same as the value of Signature calculated by the server. If the two values are the same, the signature verification is successful. If the two values are different, the signature verification fails. |