V2 Common Requests

All APIs of OBS can authenticate user identities through common requests. This is the most common identity authentication method.

A common HTTP/HTTPS request is authenticated by its Authorization header. The following is the format of the Authorization header:

Authorization: AWS AccessKeyID:signature

To generate the signature, perform the following steps:

  1. Construct StringToSign using request parameters.
    StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Date + "\n" + CanonicalizedOBSHeaders + CanonicalizedResource
    Table 1 Request parameters

    Parameter / Description

    HTTP-Verb
        Indicates an HTTP request method supported by OBS REST APIs. The value can be an HTTP verb such as PUT, GET, or DELETE.

    Date
        Indicates the time when the request is initiated. The value must be in RFC 1123 format. This parameter is an empty string when the x-amz-date is specified. For details, see Table 3.

        This parameter can be omitted if the request is for a temporarily authorized operation, for example, to obtain an object through temporary authorization.

    Content-Type
        Indicates the content type and is used for specifying the request content type, for example, text/plain.

        This parameter is an empty string when the request does not contain the header. See Table 2.

    Content-MD5
        Indicates the base64-encoded 128-bit MD5 digest of the message (without the headers) according to RFC 1864.

    CanonicalizedOBSHeaders
        Indicates an OBS-defined header prefixed with x-amz-, for example, x-amz-date or x-amz-acl.

        1. All characters in the OBS-defined header must be converted to lower-case letters. If a request contains multiple OBS-defined headers, the headers are organized in alphabetical order.

        2. If multiple OBS-defined headers in a request have the same prefix, combine the headers into one. For example, if headers x-amz-meta-name:name1 and x-amz-meta-name:name2 are added, combine the headers to x-amz-meta-name:name1,name2.

        3. If an OBS-defined header contains non-ASCII or unrecognizable characters, the header must be Base64 encoded.

        4. An OBS-defined header contains spaces or tabs only when necessary. Unnecessary spaces must be deleted. For example, x-amz-meta-name: name must be changed to x-amz-meta-name:name.

        5. Each OBS-defined field occupies a separate line. For details, see Table 4.

    CanonicalizedResource
        Indicates a requested resource. This parameter is constructed as follows:

        [ "/" + BucketName ] + <HTTP-Request-URI, characters between the protocol name and the query string> + [subresource]. [subresource] is required if any subresource exists, for example, ?acl, in which case the parameter is /bucket/object/?acl.

        1. In virtual-host-style requests, the bucket name is required. In other requests, the bucket name is not required. For details, see Table 5.

        2. In URI requests, the encoded path of the URI must be added. For example, the path /bucket/object.txt in http://localhost:80/bucket/object.txt?acl must be added.

        3. If a subresource (such as ?acl and ?logging) exists, the subresource must be added. The subresource includes acl, lifecycle, location, logging, notification, partNumber, policy, uploadId, uploads, versionId, versioning, versions, website, quota, storagePolicy, storageinfo, and deletebucket. For details, see Table 6.

Table 2 lists an example StringToSign.

Table 2 StringToSign generated for GET Object ACL

Request Header:
    GET /bucket/object.txt HTTP/1.1
    Host: obs.cn-north-1.myhwclouds.com
    Date: Sat, 12 Oct 2015 08:12:38 GMT

StringToSign:
    GET \n
    \n
    Sat, 12 Oct 2015 08:12:38 GMT\n
    /bucket/object.txt

Table 3 StringToSign generated for a PUT Object request containing OBS-defined headers (1)

Request Header:
    PUT /bucket/object.txt HTTP/1.1
    User-Agent: curl/7.15.5
    Host: obs.cn-north-1.myhwclouds.com
    x-amz-date:Tue, 15 Oct 2015 07:20:09 GMT
    content-type: text/plain
    Content-Length: 5913339

StringToSign:
    PUT\n
    \n
    text/plain\n
    x-amz-date:Tue, 15 Oct 2015 07:20:09 GMT\n
    /bucket/object.txt

Table 4 StringToSign generated for a PUT Object request containing OBS-defined headers (2)

Request Header:
    PUT /bucket/object.txt HTTP/1.1
    User-Agent: curl/7.15.5
    Host: obs.cn-north-1.myhwclouds.com
    Date: Mon, 14 Oct 2015 12:08:34 GMT
    x-amz-acl: public-read
    content-type: text/plain
    Content-Length: 5913339

StringToSign:
    PUT\n
    \n
    text/plain\n
    Mon, 14 Oct 2015 12:08:34 GMT\n
    x-amz-acl:public-read\n
    /bucket/object.txt

Table 5 StringToSign generated for a virtual-host-style GET Object request

Request Header:
    GET /object.txt HTTP/1.1
    Host: bucket.obs.cn-north-1.myhwclouds.com
    Date: Sat, 12 Oct 2015 08:12:38 GMT

StringToSign:
    GET \n
    \n
    Sat, 12 Oct 2015 08:12:38 GMT\n
    /bucket/object.txt

Table 6 StringToSign generated for GET Object ACL

Request Header:
    GET /bucket/object.txt?acl HTTP/1.1
    Host: obs.cn-north-1.myhwclouds.com
    Date: Sat, 12 Oct 2015 08:12:38 GMT

StringToSign:
    GET \n
    \n
    Sat, 12 Oct 2015 08:12:38 GMT\n
    /bucket/object.txt?acl

  2. Use the hash-based message authentication code (HMAC) algorithm to calculate a signature from StringToSign, using the SK as the key.
    Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) )
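
The two steps above, carried through in Python as an added example (not code from the OBS documentation or SDK). It follows the StringToSign formula in step 1 literally, so every omitted field still contributes its "\n", and it adds a server-side check that compares signatures in constant time. The function names and the EXAMPLE_AK/EXAMPLE_SK credentials are placeholders, and rule 3 (Base64 for non-ASCII header values) is left out.

```python
import base64, hashlib, hmac

# Subresources the page lists as part of CanonicalizedResource
SUBRESOURCES = {"acl", "lifecycle", "location", "logging", "notification",
                "partNumber", "policy", "uploadId", "uploads", "versionId",
                "versioning", "versions", "website", "quota", "storagePolicy",
                "storageinfo", "deletebucket"}

def canonicalized_headers(headers):
    """Lower-case x-amz-* names, merge duplicates, trim, sort, one per line."""
    merged = {}
    for name, value in headers:
        name = name.strip().lower()
        if name.startswith("x-amz-"):
            merged.setdefault(name, []).append(value.strip())
    return "".join(f"{n}:{','.join(v)}\n" for n, v in sorted(merged.items()))

def canonicalized_resource(path, query="", bucket=None):
    """bucket is passed only for virtual-host-style requests."""
    subs = [p for p in query.split("&") if p.split("=")[0] in SUBRESOURCES]
    # Sorting several subresources is an assumption; the page gives no order.
    tail = "?" + "&".join(sorted(subs)) if subs else ""
    return (f"/{bucket}" if bucket else "") + path + tail

def string_to_sign(method, path, headers, query="", bucket=None):
    h = {k.strip().lower(): v.strip() for k, v in headers}
    date = "" if "x-amz-date" in h else h.get("date", "")  # empty with x-amz-date
    fixed = [method, h.get("content-md5", ""), h.get("content-type", ""), date]
    return ("\n".join(fixed) + "\n" + canonicalized_headers(headers)
            + canonicalized_resource(path, query, bucket))

def sign(secret_key, sts):
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def authorization(access_key, secret_key, sts):
    return f"AWS {access_key}:{sign(secret_key, sts)}"

def verify(auth_header, secret_key, sts):
    """Server-side check: recompute the signature, compare in constant time."""
    presented = auth_header.rpartition(":")[2]
    return hmac.compare_digest(presented.encode(), sign(secret_key, sts).encode())

# Constructed sample: the PUT request from Table 4 with placeholder credentials.
TABLE4 = [("Host", "obs.cn-north-1.myhwclouds.com"),
          ("Date", "Mon, 14 Oct 2015 12:08:34 GMT"),
          ("x-amz-acl", " public-read"), ("content-type", "text/plain")]
STS4 = string_to_sign("PUT", "/bucket/object.txt", TABLE4)
AUTH4 = authorization("EXAMPLE_AK", "EXAMPLE_SK", STS4)
```

Because the signature covers the canonicalized x-amz- headers and the resource, changing x-amz-acl or appending ?acl after signing makes verify() return False.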