
PolarDB: Request signatures

Last Updated: Nov 18, 2024

PolarDB authenticates each access request. Therefore, a request must contain signature information regardless of whether it is an HTTP or HTTPS request.

PolarDB uses an AccessKey pair as a symmetric key to verify the identity of the request sender. The AccessKey ID and AccessKey secret are issued by Alibaba Cloud to users. You can request and manage them on the official Alibaba Cloud website. The AccessKey ID indicates the identity of a user. The AccessKey secret is the key used to compute the signature string on the client and to verify the signature string on the server. The AccessKey secret must be kept strictly confidential.

Sign a request

To sign a request, perform the following steps:
  1. Create a canonicalized query string by using request parameters.
    1. Arrange the request parameters, including all common request parameters and operation-specific parameters except Signature, in alphabetical order.
      Important: When you use the GET method to submit a request, you must include the request parameters in the request URL. You must place the request parameters after a question mark (?) and separate parameters with ampersands (&).
    2. Encode the name and value of each request parameter.

      The parameter names and values must be URL-encoded in UTF-8 based on the following encoding rules:

      1. Uppercase letters, lowercase letters, digits, and special characters do not need to be encoded. Special characters include hyphens (-), underscores (_), periods (.), and tildes (~).
      2. Other characters must be percent encoded in the %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, double quotation marks (") are encoded as %22.
      3. Extended UTF-8 characters are encoded in the %XY%ZA… format.
      4. Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
        Important: Most libraries that support URL encoding, such as java.net.URLEncoder, comply with the Multipurpose Internet Mail Extensions (MIME) encoding rules of application/x-www-form-urlencoded. If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and %7E with a tilde (~) to conform to the encoding rules.
    3. Connect the encoded parameter names and values by using equal signs (=).
    4. Sort the key-value pairs connected by equal signs (=) in lexicographic order and separate them with ampersands (&) to obtain the canonicalized query string.
  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:
    StringToSign=
    HTTPMethod + "&" +
    percentEncode("/") + "&" +
    percentEncode(CanonicalizedQueryString)
    Parameters
    • HTTPMethod: specifies the HTTP request method that is used to send a request, such as GET.
    • percentEncode("/"): encodes forward slashes (/) based on the URL encoding rules described in Step 1.ii. The encoded value of a forward slash (/) is %2F.
    • percentEncode(CanonicalizedQueryString): encodes the canonicalized query string that is created in Step 1 based on the URL encoding rules described in Step 1.ii.
  3. Calculate the hash-based message authentication code (HMAC) value of the string-to-sign based on the HMAC algorithm that is described in RFC 2104.
    Important: Use Secure Hash Algorithm 1 (SHA-1) to calculate the HMAC value of the string-to-sign. Add an ampersand (&) to the end of your AccessKey secret and then use the resulting string as the secret key to calculate the HMAC value. The ASCII value of an ampersand (&) is 38.
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the Signature parameter.
    Note: When the signature string is submitted to the PolarDB server as the final value of the Signature request parameter, the string must be URL-encoded like the other parameters, based on the rules defined in RFC 3986.
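
The signing steps above, together with a receiving-side check, as an added Python example that is not Alibaba Cloud's own code. The function names, the SAMPLE request, its Tag parameter (present only to exercise the encoding rules in Step 1.ii) and the secret are constructed for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(text: str) -> str:
    # Step 1.ii: UTF-8 bytes; everything except A-Z a-z 0-9 - _ . ~ becomes
    # %XY, so a space is %20 (never '+') and '*' is %2A.
    return quote(text, safe="-_.~", encoding="utf-8")


def canonicalized_query_string(params: dict) -> str:
    # Step 1: drop Signature, encode names and values, join each pair with
    # '=', sort the pairs, then join them with '&'.
    pairs = sorted(f"{percent_encode(k)}={percent_encode(str(v))}"
                   for k, v in params.items() if k != "Signature")
    return "&".join(pairs)


def string_to_sign(method: str, params: dict) -> str:
    # Step 2: the canonicalized query string is percent-encoded once more, so
    # its '&' separators become %26 and each '%' from Step 1 becomes %25.
    query = percent_encode(canonicalized_query_string(params))
    return f"{method}&{percent_encode('/')}&{query}"


def sign(method: str, params: dict, access_key_secret: str) -> str:
    # Steps 3-4: HMAC-SHA1 keyed with the secret plus '&', then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    message = string_to_sign(method, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode("ascii")


def verify(method: str, params: dict, access_key_secret: str) -> bool:
    # Receiving side: recompute over every parameter except Signature and
    # compare in constant time.
    expected = sign(method, params, access_key_secret).encode("ascii")
    supplied = str(params.get("Signature", "")).encode("utf-8")
    return hmac.compare_digest(expected, supplied)


# Constructed sample request; the Tag value and the secret are made up.
SAMPLE = {"Action": "DescribeDBClusters", "AccessKeyId": "testid",
          "Timestamp": "2013-06-01T10:33:56Z", "Tag": "a b*c~d+e"}
SIGNED = dict(SAMPLE, Signature=sign("GET", SAMPLE, "testsecret"))
```

Changing any parameter, the HTTP method or the secret after signing makes verify return False, because all three feed the HMAC input or key.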

Signature example

The following URL is the request URL without a signature for the DescribeDBClusters operation:
http://polardb.aliyuncs.com/?Timestamp=2013-06-01T10:33:56Z&Format=XML&AccessKeyId=testid&Action=DescribeDBClusters&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&Version=2014-08-15&SignatureVersion=1.0
The following string is the string to sign:
GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeDBClusters&Format%3DXML&RegionId%3Dregion1&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3DNwDAxvLU6tFE0DVb&SignatureVersion%3D1.0&TimeStamp%3D2013-06-01T10%253A33%253A56Z&Version%3D2014-08-15
Assume that the AccessKey ID is testid and the AccessKey secret is testsecret. Then the key used to calculate the HMAC value of the signature is testsecret&. The calculated signature string is BIPOMlu8LXBeZtLQkJTw6iFvw1E=.
The following URL is the signed request URL after the signature is added to the request as the Signature parameter:
http://polardb.aliyuncs.com/?Timestamp=2013-06-01T10%3A33%3A56Z&Format=XML&AccessKeyId=testid&Action=DescribeDBClusters&SignatureMethod=HMAC-SHA1&RegionId=region1&SignatureNonce=NwDAxvLU6tFE0DVb&SignatureVersion=1.0&Version=2014-08-15&Signature=BIPOMlu8LXBeZtLQkJTw6iFvw1E%3D