doc-exports/docs/obs/s3api/en-us_topic_0125560310.html
zhangyue 5eee175e13 OBS S3 API
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-03-14 12:40:31 +00:00


<a name="EN-US_TOPIC_0125560310"></a><a name="EN-US_TOPIC_0125560310"></a>
<h1 class="topictitle1">V4 Common Request</h1>
<div id="body1440641993270"><p id="EN-US_TOPIC_0125560310__p24955142102033">A V4 common request is in the following format:</p>
<pre class="screen" id="EN-US_TOPIC_0125560310__screen9786072102033">Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20150524/region-1/s3/aws4_request,SignedHeaders=host;range;x-amz-date,Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024</pre>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560310__table43294633102033" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Request parameters</caption><thead align="left"><tr id="EN-US_TOPIC_0125560310__row55880548102033"><th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.3.2.3.1.1"><p id="EN-US_TOPIC_0125560310__p25411224102033">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.3.2.3.1.2"><p id="EN-US_TOPIC_0125560310__p57838005102033">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560310__row54829987102033"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p64118729102033">Authorization</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p37484048102033">Indicates signature information.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row51980971102033"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p48314813102033">AWS4-HMAC-SHA256</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p40040420102033">Indicates the hash algorithm used by signatures. It is a fixed value.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row37269559102033"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p34353168102033">Credential=AKIAIOSFODNN7EXAMPLE/20150524/region-1/s3/aws4_request</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p62160145102033">Indicates the AK and Signing Key information used to calculate the signature.</p>
<p id="EN-US_TOPIC_0125560310__p41396708102033">AKIAIOSFODNN7EXAMPLE: AK of the user that sends a request.</p>
<p id="EN-US_TOPIC_0125560310__p2060834102033">20150524: start time for calculating the Signing Key. After 7 days, a signature calculated using this Signing Key is invalid. The Signing Key is defined later in this document.</p>
<p id="EN-US_TOPIC_0125560310__p16223213102033">region-1: Indicates the region information about the request.</p>
<p id="EN-US_TOPIC_0125560310__p43443884102033">s3: Indicates the service that is required.</p>
<p id="EN-US_TOPIC_0125560310__p17286994102033">aws4_request: Indicates a fixed value.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row53991063102033"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p22678090102033">SignedHeaders=host;range;x-amz-date</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p55590574102033">SignedHeaders: Indicates the HTTP request headers that are used for signature calculation.</p>
<div class="warning" id="EN-US_TOPIC_0125560310__note40851336215637"><span class="warningtitle"> WARNING: </span><div class="warningbody"><p id="EN-US_TOPIC_0125560310__p32117706215637">If headers contain <em id="EN-US_TOPIC_0125560310__i16456172512295">gzip</em>, <em id="EN-US_TOPIC_0125560310__i1456625202918">no-cache</em>, <em id="EN-US_TOPIC_0125560310__i104564256299">chunked</em>, <em id="EN-US_TOPIC_0125560310__i5456172512293">identity</em>, <em id="EN-US_TOPIC_0125560310__i1945662552919">keep-alive</em>, <em id="EN-US_TOPIC_0125560310__i10456182513298">bytes</em>, and <em id="EN-US_TOPIC_0125560310__i17456122542917">close</em>, please use lowercase letters. Otherwise, you will receive a <strong id="EN-US_TOPIC_0125560310__b17456825172916">SignatureDoesNotMatch</strong> error response.</p>
</div></div>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row43439015102033"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p28040332102033">Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p42600130102033">The signature value of this request is <strong id="EN-US_TOPIC_0125560310__b22801750102033">fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0125560310__p66648846155143"><a href="#EN-US_TOPIC_0125560310__fig15907824205112">Figure 1</a> shows the signature computing process in V4 authentication mode.</p>
<div class="fignone" id="EN-US_TOPIC_0125560310__fig15907824205112"><a name="EN-US_TOPIC_0125560310__fig15907824205112"></a><a name="fig15907824205112"></a><span class="figcap"><b>Figure 1 </b>Signature calculation process in V4 authentication mode</span><br><span><img id="EN-US_TOPIC_0125560310__image1190719247516" src="en-us_image_0125560271.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="EN-US_TOPIC_0125560310__p42955869102033">The signature computing process in V4 authentication mode is detailed in the following steps:</p>
<ol id="EN-US_TOPIC_0125560310__ol48770743102033"><li id="EN-US_TOPIC_0125560310__li3494461102033">Generate StringToSign.<div class="p" id="EN-US_TOPIC_0125560310__p32887730102529"><a name="EN-US_TOPIC_0125560310__li3494461102033"></a><a name="li3494461102033"></a>StringToSign of a common V4 request is in the following format:<pre class="screen" id="EN-US_TOPIC_0125560310__screen32831838102033">"AWS4-HMAC-SHA256" + "\n" + TimeStampISO8601Format + "\n" + &lt;Scope&gt; + "\n" + Hex(SHA256Hash(&lt;CanonicalRequest&gt;))</pre>
</div>
<p id="EN-US_TOPIC_0125560310__p47913970102033">Example:</p>
<pre class="screen" id="EN-US_TOPIC_0125560310__screen8058919102033">AWS4-HMAC-SHA256
20150524T000000Z
20150524/region-1/s3/aws4_request
9e0e90d9c76de8fa5b200d8c849cd5b8dc7a3be3951ddb7f6a76b4158342019d</pre>
<p id="EN-US_TOPIC_0125560310__p51430222102033"><a href="#EN-US_TOPIC_0125560310__table63418753102033">Table 2</a> lists parameters of Canonical Request.</p>
<div class="tablenoborder"><a name="EN-US_TOPIC_0125560310__table63418753102033"></a><a name="table63418753102033"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0125560310__table63418753102033" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters of Canonical Request</caption><thead align="left"><tr id="EN-US_TOPIC_0125560310__row48420225102033"><th align="left" class="cellrowborder" valign="top" width="50.51%" id="mcps1.3.7.1.5.2.3.1.1"><p id="EN-US_TOPIC_0125560310__p64907308102033">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="49.49%" id="mcps1.3.7.1.5.2.3.1.2"><p id="EN-US_TOPIC_0125560310__p11964273102033">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0125560310__row4190517102033"><td class="cellrowborder" valign="top" width="50.51%" headers="mcps1.3.7.1.5.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p51126242102033">HTTP Method</p>
</td>
<td class="cellrowborder" valign="top" width="49.49%" headers="mcps1.3.7.1.5.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p56869472102033">Indicates the HTTP request method such as GET, PUT, or POST.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row57830793102033"><td class="cellrowborder" valign="top" width="50.51%" headers="mcps1.3.7.1.5.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p16392826102033">Canonical URI</p>
</td>
<td class="cellrowborder" valign="top" width="49.49%" headers="mcps1.3.7.1.5.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p48740272102033">Indicates the absolute path of the URI. It starts with the "/" special character. Example:</p>
<p id="EN-US_TOPIC_0125560310__p5955131114725">The absolute path of http://bucketname.obs.example.com/myphoto.jpg is /bucketname/myphoto.jpg.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row57436700102033"><td class="cellrowborder" valign="top" width="50.51%" headers="mcps1.3.7.1.5.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p63755460102033">CanonicalQueryString</p>
</td>
<td class="cellrowborder" valign="top" width="49.49%" headers="mcps1.3.7.1.5.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p47778605102033">Indicates the query string of the request. Parameter names and values are encoded using URI-encode and sorted in dictionary order.</p>
<p id="EN-US_TOPIC_0125560310__p65286101102033">Example:</p>
<p id="EN-US_TOPIC_0125560310__p5159867811487">CanonicalQueryString of http://bucketname.obs.example.com/?prefix=somePrefix&amp;marker=someMarker&amp;max-keys=20 is as follows:</p>
<p id="EN-US_TOPIC_0125560310__p53578079102033">URI-encode("marker")+"="+URI-encode("someMarker")+"&amp;"+URI-encode("max-keys")+"="+URI-encode("20")+"&amp;"+URI-encode("prefix")+"="+URI-encode("somePrefix")</p>
<p id="EN-US_TOPIC_0125560310__p18885714102033">If a query string parameter does not have a value, use an empty string ("") as its value. The following is an example:</p>
<p id="EN-US_TOPIC_0125560310__p31592912114847">CanonicalQueryString of http://bucketname.obs.example.com/?acl is as follows:</p>
<p id="EN-US_TOPIC_0125560310__p45784519102033">URI-encode("acl") + "=" + ""</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row53935604102033"><td class="cellrowborder" valign="top" width="50.51%" headers="mcps1.3.7.1.5.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p62681399102033">Canonical Headers</p>
</td>
<td class="cellrowborder" valign="top" width="49.49%" headers="mcps1.3.7.1.5.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p28363307102033">Indicates the request header list. The name and value of each header are connected using a colon (:). Headers are separated by <strong id="EN-US_TOPIC_0125560310__b57255522102033">\n</strong>. The name of a header must use lowercase letters. The list is sorted in the dictionary order.</p>
<p id="EN-US_TOPIC_0125560310__p18903607102033">Canonical Headers are constructed using the value of SignedHeaders=date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class in the <strong id="EN-US_TOPIC_0125560310__b37786074102033">Authorization</strong> field of the HTTP header. In this example, the server uses date, host, x-amz-content-sha256, x-amz-date, and x-amz-storage-class to calculate signatures. OBS must extract the five fields from the HTTP header to calculate signatures.</p>
<p id="EN-US_TOPIC_0125560310__p11620650125446">Host: bucketname.obs.example.com</p>
<p id="EN-US_TOPIC_0125560310__p35398262102033">Date: Fri, 24 May 2015 00:00:00 GMT</p>
<p id="EN-US_TOPIC_0125560310__p33936313102033">x-amz-content-sha256: 44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072</p>
<p id="EN-US_TOPIC_0125560310__p61431774102033">x-amz-date: 20150524T000000Z</p>
<p id="EN-US_TOPIC_0125560310__p55334527102033">x-amz-storage-class: STANDARD</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row12888635102033"><td class="cellrowborder" valign="top" width="50.51%" headers="mcps1.3.7.1.5.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p31171124102033">SignedHeaders</p>
</td>
<td class="cellrowborder" valign="top" width="49.49%" headers="mcps1.3.7.1.5.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p16486642102033">Indicates the names of the headers that are used to calculate the signature. The names are sorted in dictionary order and separated from each other by a semicolon (;).</p>
<p id="EN-US_TOPIC_0125560310__p62674243102033">Example:</p>
<p id="EN-US_TOPIC_0125560310__p11816989102033">date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0125560310__row57333850102033"><td class="cellrowborder" valign="top" width="50.51%" headers="mcps1.3.7.1.5.2.3.1.1 "><p id="EN-US_TOPIC_0125560310__p52541386102033">Hashed Payload</p>
</td>
<td class="cellrowborder" valign="top" width="49.49%" headers="mcps1.3.7.1.5.2.3.1.2 "><p id="EN-US_TOPIC_0125560310__p14869883102033">Indicates the SHA256 hash value of the data that is uploaded.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="EN-US_TOPIC_0125560310__p11759671102033"></p>
<p id="EN-US_TOPIC_0125560310__p53149652102033">The following is a Canonical Request example.</p>
<pre class="screen" id="EN-US_TOPIC_0125560310__screen54719395102033">PUT
/test%24file.text

date:Fri, 24 May 2015 00:00:00 GMT
host:bucketname.obs.example.com
x-amz-content-sha256:44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072
x-amz-date:20150524T000000Z
x-amz-storage-class:STANDARD

date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class
44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072</pre>
</li><li id="EN-US_TOPIC_0125560310__li35092926102033">Generate SigningKey.<p id="EN-US_TOPIC_0125560310__p11646788102033"><a name="EN-US_TOPIC_0125560310__li35092926102033"></a><a name="li35092926102033"></a>SigningKey is calculated as follows:</p>
<pre class="screen" id="EN-US_TOPIC_0125560310__screen44909216102033">DateKey = HMAC-SHA256("AWS4"+"&lt;SecretAccessKey&gt;", "&lt;yyyymmdd&gt;")
DateRegionKey = HMAC-SHA256(&lt;DateKey&gt;, "&lt;aws-region&gt;")
DateRegionServiceKey = HMAC-SHA256(&lt;DateRegionKey&gt;, "&lt;aws-service&gt;")
SigningKey = HMAC-SHA256(&lt;DateRegionServiceKey&gt;, "aws4_request")</pre>
<p id="EN-US_TOPIC_0125560310__p57147330102033">Each field is described as follows:</p>
<ul id="EN-US_TOPIC_0125560310__ul11005539102033"><li id="EN-US_TOPIC_0125560310__li65206852102033"><strong id="EN-US_TOPIC_0125560310__b62479726102033">&lt;SecretAccessKey&gt;</strong>: Indicates the SK of the requester.</li></ul>
<ul id="EN-US_TOPIC_0125560310__ul64726130102033"><li id="EN-US_TOPIC_0125560310__li27387049102033"><em id="EN-US_TOPIC_0125560310__i53097589102033">&lt;yyyymmdd&gt;</em>: Indicates the period in which Signing Key obtained from Authorization in the HTTP header is valid.</li></ul>
<ul id="EN-US_TOPIC_0125560310__ul50918782102033"><li id="EN-US_TOPIC_0125560310__li26083572102033"><strong id="EN-US_TOPIC_0125560310__b25052626102033">&lt;aws-region&gt;</strong>: Indicates the region of the request.</li></ul>
<ul id="EN-US_TOPIC_0125560310__ul16902424102033"><li id="EN-US_TOPIC_0125560310__li25917455102033"><strong id="EN-US_TOPIC_0125560310__b12926089102033">&lt;aws-service&gt;</strong>: Indicates the service type of the request.</li></ul>
</li><li id="EN-US_TOPIC_0125560310__li4080413102033">Use StringToSign and SigningKey to calculate the signature.</li></ol>
<pre class="screen" id="EN-US_TOPIC_0125560310__screen29434734102033">HMAC-SHA256(SigningKey, StringToSign)</pre>
<p id="EN-US_TOPIC_0125560310__p1251939102033">After the HMAC-SHA256 algorithm is used to calculate the signature, convert the result into a hexadecimal string to get the final signature.</p>
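<p>Added example, not part of the original OBS documentation: the three steps above in Python, applied to the PUT request from the Canonical Request example, with a server-side check that recomputes the signature and compares it in constant time. The secret key is a constructed placeholder, and the function names and the <code>verify</code> helper are assumptions made for illustration.</p>

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values: the secret key is made up; headers and payload
# hash are the ones from the Canonical Request example on this page.
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
PAYLOAD_HASH = "44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072"
HEADERS = {
    "Host": "bucketname.obs.example.com",
    "Date": "Fri, 24 May 2015 00:00:00 GMT",
    "x-amz-content-sha256": PAYLOAD_HASH,
    "x-amz-date": "20150524T000000Z",
    "x-amz-storage-class": "STANDARD",
}

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def canonical_query(params):
    # URI-encode names and values, then sort; a valueless parameter gets "".
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~")) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def canonical_request(method, uri, params, headers, payload_hash):
    # Header names are lowercased and sorted; every header passed in is signed.
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in hdrs)
    lines = [method, uri, canonical_query(params)]
    lines += [f"{k}:{v}" for k, v in hdrs] + ["", signed, payload_hash]
    return "\n".join(lines), signed

def signing_key(secret_key, date, region, service):
    # Step 2: chain of four HMAC-SHA256 operations.
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign(secret_key, method, uri, params, headers, payload_hash,
         region="region-1", service="s3"):
    timestamp = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    scope = f"{timestamp[:8]}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, uri, params, headers, payload_hash)
    # Step 1: StringToSign.
    sts = "\n".join(["AWS4-HMAC-SHA256", timestamp, scope,
                     hashlib.sha256(creq.encode()).hexdigest()])
    # Step 3: HMAC-SHA256(SigningKey, StringToSign), hex-encoded.
    key = signing_key(secret_key, timestamp[:8], region, service)
    return _hmac(key, sts).hex(), signed, scope, sts

def verify(secret_key, presented, *request):
    # Server side: recompute the signature and compare in constant time.
    return hmac.compare_digest(sign(secret_key, *request)[0], presented)
```

<p>Changing any signed header, the payload hash, or the secret key after signing makes <code>verify</code> return <code>False</code>, which is the condition reported as <strong>SignatureDoesNotMatch</strong>.</p>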
<p id="EN-US_TOPIC_0125560310__p666110173311">The common request authentication involves a special authentication method known as chunked uploading authentication. You can use this method when authenticating objects uploaded in a chunked manner.</p>
<p id="EN-US_TOPIC_0125560310__p24282735102033">In chunked uploading, the data stream is composed of data blocks. Each data block is called a chunk. Each chunk consists of chunk metadata and chunk data. Chunk metadata includes the size and signature of the current chunk data. The chunk format is as follows:</p>
<pre class="screen" id="EN-US_TOPIC_0125560310__screen27809226102033">chunk-size + ";chunk-signature=" + signature + "\r\n" + chunk-data + "\r\n"</pre>
<p id="EN-US_TOPIC_0125560310__p56660451155545"><a href="#EN-US_TOPIC_0125560310__fig727315155523">Figure 2</a> shows the signature computing process of each chunk.</p>
<div class="fignone" id="EN-US_TOPIC_0125560310__fig727315155523"><a name="EN-US_TOPIC_0125560310__fig727315155523"></a><a name="fig727315155523"></a><span class="figcap"><b>Figure 2 </b>Signature calculation process of each chunk</span><br><span><img id="EN-US_TOPIC_0125560310__image1827341518525" src="en-us_image_0125560434.png" title="Click to enlarge" class="imgResize"></span></div>
<p id="EN-US_TOPIC_0125560310__p14056273102033">Chunk signature calculation is an iterative process. The signature of each chunk is calculated based on the previous chunk signature. For the first chunk, its previous chunk signature is the seed signature in the header.</p>
<p id="EN-US_TOPIC_0125560310__p19474994102033">After OBS receives the object uploading request, OBS verifies the signature in the request header and then verifies the signature of each chunk when user data is uploaded. Objects are uploaded successfully only after the header signature and each chunk signature are verified.</p>
</div>