OSS access

Last Updated: Nov 27, 2017

OSS access security

HTTP requests sent to OSS fall into two types: requests that carry identity authentication information and anonymous requests that carry none. When authentication information is present, it is carried in one of two places:

  • In the Authorization request header, in the format OSS AccessKeyId:Signature (the literal prefix OSS, a space, the AccessKey ID, a colon, and the Base64 signature string).
  • In the request URL, as the OSSAccessKeyId, Expires and Signature query parameters. Expires is the Unix time after which the signed URL is no longer accepted, so a leaked URL is only useful until then.

OSS access verification process

Access process for anonymous requests

  1. The user’s request is sent to the HTTP server of OSS.

  2. OSS parses the bucket and the object based on the URL.

  3. OSS checks whether the object is set with an ACL.

    • If no ACL is set for the object, the process continues at step 4.
    • If an ACL is set for the object, OSS checks whether the object’s ACL permits anonymous access.
      • If the ACL permits anonymous access, the process moves to step 5.
      • If it does not, the request is rejected and the process ends.
  4. OSS checks whether the bucket’s ACL permits anonymous access.

    • If the ACL permits anonymous access, the process continues at step 5.
    • If it does not, the request is rejected and the process ends.
  5. The request passes the permission verification and the object content is returned to the user.

Access process for requests with identity authentication information

  1. The user’s request is sent to the HTTP server of OSS.

  2. OSS parses the bucket and the object based on the URL.

  3. Based on the request’s OSS AccessKeyId, OSS obtains the identity information of the requester to perform authentication.

    • If the information is not obtained, the request is rejected and the process ends.
    • If the information is obtained, but the requester is not permitted to access this resource, the request is rejected and the process ends.
    • If the information is obtained, but the signature calculated based on the request’s HTTP parameters does not match the sent signature, the request is rejected and the process ends.
    • If the authentication succeeds, the process continues at step 4.
  4. OSS checks whether the object is set with an ACL.

    • If no ACL is set for the object, the process continues at step 5.
    • If an ACL is set for the object, OSS checks whether the object’s ACL permits access by the authenticated requester. The object ACL decides on its own; the bucket ACL is not consulted.
      • If the ACL permits the access, the process moves to step 6.
      • If it does not, the request is rejected and the process ends.
  5. OSS checks whether the bucket’s ACL permits access by the authenticated requester.

    • If the ACL permits the access, the process continues at step 6.
    • If it does not, the request is rejected and the process ends.
  6. The request passes the permission verification and the object content is returned to the user.
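The two flows above share the same ACL walk: an object-level ACL, if set, decides on its own, and only when the object has no ACL of its own does the bucket ACL apply. The following is an added example (not code from the OSS documentation or SDKs) that models that walk for read (GET) requests. The ACL names private, public-read and public-read-write are the real OSS values, and an object ACL of default stands for "no ACL set on the object". The Bucket and StoredObject records, the owner field and the requester model (None for an anonymous request, otherwise the identity that already passed step 3) are constructed for this example; the RAM policy check that step 3 also performs is outside its scope.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# OSS ACL values (real names). "default" on an object means no object ACL is set.
VALID_ACLS = {"private", "public-read", "public-read-write"}
PUBLIC_READ = {"public-read", "public-read-write"}


@dataclass(frozen=True)
class Bucket:          # constructed record for this example
    name: str
    owner: str         # identity that owns the bucket
    acl: str           # bucket ACL


@dataclass(frozen=True)
class StoredObject:    # constructed record for this example
    key: str
    acl: str = "default"   # object ACL; "default" = not set, bucket ACL decides


def acl_permits_read(acl: str, requester: Optional[str], owner: str) -> bool:
    """One ACL decision for a read request.

    requester is None for an anonymous request, otherwise the identity that
    passed authentication. The two public-read ACLs admit anyone, anonymous
    included; under private only the bucket owner may read (modelled here
    without RAM policies, which would be evaluated in step 3).
    """
    if acl not in VALID_ACLS:
        raise ValueError(f"unknown ACL {acl!r}")
    if acl in PUBLIC_READ:
        return True
    return requester is not None and requester == owner


def authorize_read(bucket: Bucket, obj: StoredObject,
                   requester: Optional[str]) -> Tuple[bool, str]:
    """Walk the object-ACL-then-bucket-ACL steps and return (allowed, reason).

    The reason names the step that decided, which is what you want in an
    access log when debugging an unexpected 403 or an unexpected public read.
    """
    if obj.acl != "default":
        # Object ACL is set: it decides alone, the bucket ACL is never consulted.
        if acl_permits_read(obj.acl, requester, bucket.owner):
            return True, f"object ACL {obj.acl} permits"
        return False, f"object ACL {obj.acl} rejects"
    # No object ACL: fall through to the bucket ACL.
    if acl_permits_read(bucket.acl, requester, bucket.owner):
        return True, f"bucket ACL {bucket.acl} permits (object ACL not set)"
    return False, f"bucket ACL {bucket.acl} rejects (object ACL not set)"


if __name__ == "__main__":
    # Constructed cases showing that the object ACL overrides the bucket ACL
    # in both directions.
    public_bucket = Bucket("examplebucket", "alice", "public-read")
    private_bucket = Bucket("examplebucket", "alice", "private")
    cases = [
        (public_bucket, StoredObject("readme.txt"), None),
        (public_bucket, StoredObject("secret.txt", "private"), None),
        (private_bucket, StoredObject("index.html", "public-read"), None),
        (private_bucket, StoredObject("report.pdf"), None),
        (private_bucket, StoredObject("report.pdf"), "alice"),
        (private_bucket, StoredObject("report.pdf"), "bob"),
    ]
    for bucket, obj, who in cases:
        allowed, reason = authorize_read(bucket, obj, who)
        print(f"{who or 'anonymous':>9} GET {obj.key:<11} -> "
              f"{'allow' if allowed else 'deny '}  ({reason})")
```

The two middle cases are the ones worth remembering: a private object inside a public-read bucket stays private, and a public-read object inside a private bucket is readable by anyone, so auditing bucket ACLs alone does not tell you what is exposed.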

Three methods for OSS access with identity authentication information

  • Access OSS in the console: The identity authentication process is concealed from users in the console. When users access OSS through the console, they do not have to concern themselves with the details of this process.

  • Access OSS using SDKs: OSS provides SDKs for multiple development languages. The signature algorithm is implemented inside the SDK; users only need to pass the AccessKey ID and AccessKey Secret as parameters.

  • Access OSS using APIs: If you write your own code to call the RESTful API, you must implement the signature algorithm yourself to calculate the signature for each request. For the details of the algorithm, see Add a Signature to the Header and Add a Signature to the URL in the API manual.
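For readers taking the third route, here is an added example (not code from the OSS documentation or SDKs) of the signature algorithm that the API manual describes, for both carriers introduced at the top of this page: the Authorization header and the signed URL. It also shows the server side of step 3 of the authenticated flow, which looks the AccessKey ID up, recomputes the signature over the request it actually received and compares in constant time. The AccessKey pair, key store, bucket, object and endpoint are constructed for illustration, and SUB_RESOURCES is only a subset of the sub-resource list in the API manual.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional
from urllib.parse import quote

# Query parameters that are part of CanonicalizedResource (subset of the
# documented list; extend it for the operations you call).
SUB_RESOURCES = {
    "acl", "uploads", "uploadId", "partNumber", "delete", "cors", "lifecycle",
    "location", "logging", "website", "referer", "append", "position",
    "objectMeta", "symlink", "tagging", "security-token",
    "response-content-type", "response-content-disposition",
}


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; an absent header signs as ''."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def canonicalized_oss_headers(headers: Mapping[str, str]) -> str:
    """x-oss-* headers only: names lower-cased, sorted, 'name:value\\n' each."""
    items = sorted(f"{k.strip().lower()}:{v.strip()}" for k, v in headers.items()
                   if k.strip().lower().startswith("x-oss-"))
    return "".join(f"{item}\n" for item in items)


def canonicalized_resource(bucket: str, key: str,
                           params: Optional[Mapping[str, Optional[str]]] = None) -> str:
    """'/bucket/key' plus sub-resources sorted by name ('?acl',
    '?partNumber=2&uploadId=abc'). Ordinary query parameters are not signed."""
    resource = f"/{bucket}/{key}"
    subs = sorted((k, v) for k, v in (params or {}).items() if k in SUB_RESOURCES)
    if subs:
        resource += "?" + "&".join(k if v is None else f"{k}={v}" for k, v in subs)
    return resource


def string_to_sign(method, headers, bucket, key, params, date_or_expires) -> str:
    """VERB, Content-MD5, Content-Type, Date (Expires for URLs), then the
    canonicalized x-oss-* headers and the canonicalized resource."""
    return (f"{method.upper()}\n{_header(headers, 'Content-MD5')}\n"
            f"{_header(headers, 'Content-Type')}\n{date_or_expires}\n"
            f"{canonicalized_oss_headers(headers)}"
            f"{canonicalized_resource(bucket, key, params)}")


def sign(access_key_secret: str, sts: str) -> str:
    """Signature = base64(HMAC-SHA1(AccessKeySecret, StringToSign))."""
    mac = hmac.new(access_key_secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def authorization_header(ak_id, ak_secret, method, headers, bucket, key, params=None) -> str:
    """Header carrier: the value of 'Authorization: OSS AccessKeyId:Signature'."""
    sts = string_to_sign(method, headers, bucket, key, params, _header(headers, "Date"))
    return f"OSS {ak_id}:{sign(ak_secret, sts)}"


def presigned_url(ak_id, ak_secret, endpoint, bucket, key, expires: int, params=None) -> str:
    """URL carrier (GET only here): Expires, a Unix time, replaces Date in the
    string to sign; OSSAccessKeyId, Expires and Signature go into the query."""
    sig = sign(ak_secret, string_to_sign("GET", {}, bucket, key, params, str(expires)))
    query = dict(params or {})
    query.update({"OSSAccessKeyId": ak_id, "Expires": str(expires), "Signature": sig})
    qs = "&".join(k if v is None else f"{k}={quote(str(v), safe='')}" for k, v in query.items())
    return f"https://{bucket}.{endpoint}/{quote(key)}?{qs}"


def verify_header_auth(key_store: Mapping[str, str], method, headers, bucket, key,
                       params=None) -> str:
    """Server side of step 3: find the identity behind the AccessKeyId, recompute
    the signature over the request as received, compare in constant time."""
    auth = _header(headers, "Authorization")
    if not auth.startswith("OSS ") or ":" not in auth:
        return "rejected: malformed Authorization"
    ak_id = auth[4:].split(":", 1)[0]
    secret = key_store.get(ak_id)
    if secret is None:
        return "rejected: identity not found"        # unknown AccessKeyId
    expected = authorization_header(ak_id, secret, method, headers, bucket, key, params)
    if not hmac.compare_digest(expected.encode(), auth.encode()):
        return "rejected: signature mismatch"        # altered request or wrong secret
    return "ok"


if __name__ == "__main__":
    KEYS = {"LTAIexampleid": "examplesecret"}        # constructed AccessKey pair
    hdrs = {"Date": "Mon, 27 Nov 2017 08:00:00 GMT", "Content-Type": "text/plain",
            "x-oss-object-acl": "private"}
    hdrs["Authorization"] = authorization_header("LTAIexampleid", "examplesecret", "PUT",
                                                 hdrs, "examplebucket", "docs/a.txt", {"acl": None})
    print(hdrs["Authorization"])
    print(verify_header_auth(KEYS, "PUT", hdrs, "examplebucket", "docs/a.txt", {"acl": None}))
    print(presigned_url("LTAIexampleid", "examplesecret", "oss-cn-hangzhou.aliyuncs.com",
                        "examplebucket", "docs/a.txt", 1511769600))
```

Two points the flow description leaves implicit are visible here: the signature covers the x-oss-* headers and the sub-resource, so a signed PUT cannot be replayed with a different object ACL or against a different key, and the server compares with hmac.compare_digest rather than ==, so the comparison does not leak how many leading bytes of a guessed signature were right.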

For an explanation of AccessKeys and more information on identity authentication operations, see Access Control.
