Updated: 2024-10-21 GMT+08:00

Server-Side Encryption (SSE-OBS)

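Function

In SSE-OBS mode, OBS uses keys provided by the service itself for server-side encryption. The difference from SSE-KMS is that in SSE-OBS the keys are managed by OBS rather than by KMS.

Newly added headers

In SSE-OBS mode, you can configure the header listed in Table 1 to apply SSE-OBS encryption.

You can also configure default encryption for a bucket to encrypt the objects in it. Once default encryption is configured for a bucket, any object upload request that carries no encryption header is encrypted using the bucket's default encryption configuration. For more information about bucket encryption configuration, see the section Configuring Bucket Encryption.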

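Table 1 Header used in SSE-OBS mode

Name: x-obs-server-side-encryption

Description: Indicates that server-side encryption is performed in SSE-OBS mode. The object is encrypted using SSE-OBS.

Type: string

Example: x-obs-server-side-encryption:AES256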

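APIs that support the headers

The following APIs support the SSE-OBS headers:

You can set a bucket policy to restrict the request headers for a specified bucket. If you want to enforce a server-side encryption restriction on all objects in a bucket, you can do so with a bucket policy. For example, to reject this tenant's object upload requests that do not carry the SSE-OBS header x-obs-server-side-encryption:"AES256", use the following bucket policy: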

{
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "PutObject",
            "Resource": "YourBucket/*",
            "Condition": {
                "StringNotEquals": {
                    "x-obs-server-side-encryption": "AES256"
                }
            }
        }
    ]
}
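
The following Python sketch is an added example, not part of the OBS documentation and not OBS's own policy engine: it models how the Deny statement above applies to constructed upload requests. It assumes that an absent header counts as "not equal"; the function name denied_by and the sample requests are hypothetical.

```python
import fnmatch

# Bucket policy from this page; "YourBucket" is the page's placeholder name.
POLICY = {"Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "PutObject",
    "Resource": "YourBucket/*",
    "Condition": {"StringNotEquals": {"x-obs-server-side-encryption": "AES256"}},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def denied_by(policy, action, resource, headers):
    """Return the Sid of the first matching Deny statement, else None."""
    # Simplified model: only Action, Resource and StringNotEquals are evaluated.
    hdrs = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if action not in _as_list(stmt.get("Action", [])):
            continue
        patterns = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(resource, p) for p in patterns):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        # Assumption: a header that is absent counts as "not equal".
        if all(hdrs.get(k.lower()) not in _as_list(v) for k, v in cond.items()):
            return stmt.get("Sid", "<no Sid>")
    return None


# Constructed sample uploads: label -> request headers.
SAMPLES = {
    "SSE-OBS header": {"x-obs-server-side-encryption": "AES256"},
    "no encryption header": {},
    "SSE-KMS value": {"x-obs-server-side-encryption": "kms"},  # not AES256
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        sid = denied_by(POLICY, "PutObject", "YourBucket/encryp1", headers)
        print(f"{label:22} -> {'denied by ' + sid if sid else 'not denied'}")
```

Under this model the statement rejects every upload whose header value is anything other than AES256, so uploads that request SSE-KMS are rejected along with unencrypted ones.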

Sample request: encrypting an uploaded object with the default key

PUT /encryp1 HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.cn-north-4.myhuaweicloud.com
Accept: */*
Date: Wed, 06 Jun 2018 09:08:21 GMT
Authorization: OBS h4ipjx0tqththebqqcec:f3/7es6mfbw3jo4 7i5atyaqenu=
x-obs-server-side-encryption:AES256
Content-Length: 5242
Expect: 100-continue

[5242 byte object contents]

Sample response: encrypting an uploaded object with the default key

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8df400000163d45aa81d038b6ae4c482
ETag: "d8bffdfbab5345d91ac05141789d2477"
x-obs-server-side-encryption: AES256
x-obs-id-2: 32aaaujaiaabaaaqaaeaabaaaqaaeaabctv7chmangfbagxuheibusiettnqlcqc
Date: Wed, 06 Jun 2018 09:08:21 GMT
Content-Length: 0

Sample request: copying an unencrypted object as an encrypted object

PUT /destobject HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.cn-north-4.myhuaweicloud.com
x-obs-server-side-encryption:AES256
Accept: */*
Date: Wed, 06 Jun 2018 09:10:29 GMT
Authorization: OBS h4ipjx0tqththebqqcec:sh3utrelagwarvi1utq325ktvci=
x-obs-copy-source: /bucket/srcobject1

Sample response: copying an unencrypted object as an encrypted object

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: bb78000001648480af3900ced7f15155
ETag: "d8bffdfbab5345d91ac05141789d2477"
x-obs-server-side-encryption: AES256
x-obs-id-2: oraxhgwdalc9wkvhqtlsmqb7i35d 32aaaujaiaabaaaqaaeaabaaaqaaeaabcs
Date: Wed, 06 Jun 2018 09:10:29 GMT
Content-Length: 0

Sample request: uploading an encrypted object with the signature carried in the URL

PUT /destobject?AccessKeyId=ui3sn1sruqe14oybktzb&Expires=1534152518&x-obs-server-side-encryption=AES256&Signature=chvmg7/da/dcqmtrju3xngldjpg= HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.cn-north-4.myhuaweicloud.com
Accept: */*
Date: Wed, 06 Jun 2018 09:10:29 GMT

Sample response: uploading an encrypted object with the signature carried in the URL

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: bb78000001648480af3900ced7f15155
ETag: "d8bffdfbab5345d91ac05141789d2477"
x-obs-server-side-encryption: AES256
x-obs-id-2: oraxhgwdalc9wkvhqtlsmqb7i35d 32aaaujaiaabaaaqaaeaabaaaqaaeaabcs
Date: Wed, 06 Jun 2018 09:10:29 GMT
Content-Length: 0
