Message Queue for Apache RocketMQ verifies each HTTP access request. Each HTTP request that is sent to Message Queue for Apache RocketMQ contains the Authorization parameter in the request header, and the Authorization parameter contains a signature. This topic describes how to generate a signature.

Background information

Apsara Stack issues an AccessKey pair that consists of an AccessKey ID and an AccessKey secret to each user. The user can apply for and manage AccessKey pairs in the Apsara Uni-manager Management Console.

  • The AccessKey ID is used to verify the identity of the user.
  • The AccessKey secret is used as the key to calculate and verify the signature string. You must keep your AccessKey secret strictly confidential.

For more information, see Create an AccessKey pair.

The HTTP service provided by Message Queue for Apache RocketMQ uses the AccessKey pair in a symmetric (shared-secret) signature scheme to verify the identity of a request sender. If the calculated verification code is the same as that provided in the request, the HTTP service determines that the request is valid. Otherwise, the HTTP service rejects the request and returns HTTP 403.

You must add the Authorization parameter to the header of each HTTP request to provide the signature of the request. This way, the HTTP service can determine the validity of the request.

How to sign a request

The Authorization parameter is specified in the following format:

MQ <AccessKey ID>:<Signature>

The following code shows the parameters that are used to generate a signature:

Signature = base64(hmac-sha1(HTTP_METHOD + "\n"
                + "\n"+ CONTENT-TYPE + "\n"
                + DATE + "\n"
                + "x-mq-version:" + MQVersion + "\n"
                + CanonicalizedResource))

  • HTTP_METHOD: specifies an HTTP method in uppercase, such as PUT, GET, POST, or DELETE.
  • CONTENT-TYPE: specifies the type of the request body. Set the value to text/xml; charset=utf-8.
  • DATE: specifies the time when you want to perform the operation. This parameter cannot be left empty and must be specified in UTC. For example, you can set this parameter to Thu, 07 Mar 2012 18:49:58 GMT.
  • MQVersion: specifies the version of the Message Queue for Apache RocketMQ API. Set the value to 2015-06-06.
  • CanonicalizedResource: specifies the Uniform Resource Identifier (URI) of the resource requested by the HTTP request. For example, set the URI of a consumption request to /topics/abc/messages?consumer=GID_abc.
Note
  • The string-to-sign must be in the UTF-8 format.
  • The HMAC-SHA1 method defined in RFC 2104 is used to calculate the signature. In this method, the AccessKey secret is used as the HMAC key.
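
The following Python code is an added example, not code from the product documentation. It builds the string-to-sign in the field order shown above, signs it with HMAC-SHA1, and assembles the Authorization parameter. The verify function illustrates the comparison the HTTP service is described as performing. The header names other than Authorization, the function names, and the sample credentials are assumptions of this example.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate

MQ_VERSION = "2015-06-06"                 # value given on this page
CONTENT_TYPE = "text/xml; charset=utf-8"  # value given on this page


def string_to_sign(method, date, resource):
    # Field order follows the formula above; the second field stays empty.
    return "\n".join([method.upper(), "", CONTENT_TYPE, date,
                      "x-mq-version:" + MQ_VERSION, resource])


def sign(secret, method, date, resource):
    # HMAC-SHA1 keyed with the AccessKey secret over the UTF-8 string-to-sign.
    msg = string_to_sign(method, date, resource).encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_headers(access_key_id, secret, method, resource, date=None):
    # Header names other than Authorization are assumptions of this example.
    date = date or formatdate(usegmt=True)  # RFC 1123 date in UTC ("... GMT")
    signature = sign(secret, method, date, resource)
    return {"Authorization": "MQ %s:%s" % (access_key_id, signature),
            "Content-Type": CONTENT_TYPE, "Date": date,
            "x-mq-version": MQ_VERSION}


def verify(headers, secret, method, resource):
    # Illustrative receiver-side check (not the service's code): recompute the
    # signature from the request and compare it in constant time.
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    key_id, _, provided = credential.partition(":")
    if scheme != "MQ" or not key_id or not provided:
        return False
    expected = sign(secret, method, headers.get("Date", ""), resource)
    return hmac.compare_digest(expected.encode(), provided.encode())


if __name__ == "__main__":
    # Constructed sample credentials and resource; not real values.
    resource = "/topics/abc/messages?consumer=GID_abc"
    hdrs = signed_headers("EXAMPLE_KEY_ID", "example-secret", "GET", resource)
    print(hdrs["Authorization"])
    print(verify(hdrs, "example-secret", "GET", resource))
```

Because the method, date, and resource are all covered by the signature, changing any of them after signing makes the comparison fail, which corresponds to the HTTP 403 case described above.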