为保证用户日志数据的安全,日志服务API的所有HTTP请求都必须经过安全验证。验证流程基于阿里云的访问密钥安全验证,使用非对称加密算法完成。
使用说明
日志服务SDK封装了日志服务的所有API接口,您可以通过日志服务SDK方便地调用日志服务的所有API接口。日志服务SDK支持自动签名,并支持多语言版本。推荐使用日志服务SDK访问日志服务,更多信息,请参见日志服务SDK。
安全验证能达到以下目的:
-
确认哪位用户在做API请求。
因为在发送请求前需要用户指定生成数字签名的密钥对,在服务端即可通过该密钥对确定用户身份,进而可做访问权限管理。
-
确认用户请求在网络传输过程中是否被篡改。
因为服务端会对接收到的请求内容重新计算数字签名,若请求内容在网络上被篡改,则无法通过数字签名比对。
为API请求生成签名,需使用一对访问密钥。您可以使用已经存在的访问密钥对,也可以创建新的访问密钥对,但需要保证使用的密钥对为启用状态。
下文介绍日志服务签名组成结构、算法流程,并给出各语言签名算法的示例代码。
签名组成结构
合法的日志服务请求需要在HTTP请求头内写入如下键值对(大小写敏感):
|
字段名 |
说明 |
示例 |
|
x-log-signaturemethod |
请求的加密方式。 |
hmac-sha1 |
|
x-log-apiversion |
访问的API版本。 |
0.6.0 |
|
Date |
HTTP请求中的标准时间戳头,其遵循RFC822/RFC1123格式,格式化字符串为 |
Mon, 3 Jan 2010 08:33:47 GMT |
|
Content-MD5 |
HTTP请求中Body部分的MD5值,必须转换成十六进制大写英文字符串。 |
72A15D7DE7EE9E7BB86461FFEA9499 |
|
Authorization |
签名,内容格式为 |
LOG testAccessKeyId:RLETq4u7sWb3cssZIhsun**** |
|
Content-Type |
请求中Body部分的类型。若无 Body,可省略此字段。 |
application/json |
完成签名后的HTTP请求示例如下所示:
POST /logstores/test-logstore/shards/0?action=split HTTP/1.1
Host: ali-test-project.cn-hangzhou.log.aliyuncs.com
Date: Tue, 23 Aug 2022 12:12:03 GMT
x-log-apiversion: 0.6.0
x-log-signaturemethod: hmac-sha1
Content-Length: 18
Content-Type: application/json
Content-MD5: 1572A15D7DE7EE9E7BB86461FFEA9499
Authorization: LOG testAccessKeyId:RLETq4u7sWb3cssZIhsun****
{"hello": "world"}签名算法流程
签名结构中最为重要的部分是Authorization字段,其格式为LOG accessKeyId:Signature,由用户密钥 AccessKeyId与签名字符串Signature拼接得到。这里介绍签名字符串Signature的构建过程。
签名消息体message
签名字符串Signature由签名消息体message加密编码得到,签名消息体message的构建过程如下:
|
名称 |
内容与格式 |
示例 |
|
method |
HTTP请求方法,全大写英文。取值包括GET、POST、PUT和DELETE。 |
GET |
|
Content-MD5 |
HTTP请求消息Body的MD5哈希值,转成为十六进制大写英文字符串。若Body为空,此项为空字符串。 |
1572A15D7DE7EE9E7BB86461FFEA9499 |
|
Content-Type |
HTTP请求中Body部分的类型。若Body为空,此项可为空字符串。 |
application/json |
|
Date |
当前时间的格式化字符串。格式为RFC822/RFC1123,格式化字符串为 |
Mon, 3 Jan 2010 08:33:47 GMT |
|
header |
header中以 |
|
|
uri |
请求的路径,不包括域名与请求参数部分。 |
/logstores/test-logstore |
|
query参数 |
请求的查询参数,按key升序排序后,以 |
offset=1&size=10 |
完整的message如下所示,注意除最后一行外,每行行末都存在一个换行符。
POST
1572A15D7DE7EE9E7BB86461FFEA9499
application/json
Tue, 23 Aug 2022 12:12:03 GMT
x-log-apiversion:0.6.0
x-log-bodyrawsize:0
x-log-signaturemethod:hmac-sha1
/logstores?offset=1&size=10签名字符串Signature
签名字符串Signature的获取流程如下:
-
获取签名消息体message。
-
将message消息体使用hmac-sha1算法加密,密钥为AccessKeySecret,获取加密后的哈希值。
-
将哈希值使用标准base64进行编码,获得签名字符串Signature。
请求签名过程示例
为了帮助您更好地理解整个请求签名的流程,我们用两个示例来演示整个过程。首先,假设您用做日志服务API签名的访问密钥对如下:
AccessKeyId = "bq2sjzesjmo86kq****"
AccessKeySecret = "4fdO2fTDDnZPU/L7CHNd****"-
示例一
您需要发送如下GET请求列出ali-test-project项目下的所有Logstore,其待签名的HTTP请求如下:
GET /logstores?logstoreName=&offset=0&size=1000 HTTP/1.1 Date: Mon, 09 Nov 2015 06:11:16 GMT Host: ali-test-project.cn-hangzhou.log.aliyuncs.com x-log-apiversion: 0.6.0 x-log-bodyrawsize:0 x-log-signaturemethod: hmac-sha1如上API请求生成的签名字符串为:
GET Mon, 09 Nov 2015 06:11:16 GMT x-log-apiversion:0.6.0\x-log-bodyrawsize:0 x-log-signaturemethod:hmac-sha1 /logstores?logstoreName=&offset=0&size=1000由于是GET请求,该请求无任何HTTP Body,所以生成的签名字符串中Content-Type与Content-MD5域为空字符串。如果以前面指定的AccessKeySecret做签名运算后得到的签名Signature为:
jEYOTCJs2e88o+y5F4/S5I****最后发送经数字签名的HTTP请求内容如下:
GET /logstores?logstoreName=&offset=0&size=1000 HTTP/1.1 Date:Mon, 09 Nov 2015 06:11:16 GMT Host: ali-test-project.cn-hangzhou.log.aliyuncs.com x-log-apiversion: 0.6.0 x-log-bodyrawsize:0 x-log-signaturemethod: hmac-sha1 Authorization: LOG bq2sjzesjmo86kq35behupbq:jEYOTCJs2e88o+y5F4/S5I**** -
示例二
您需要给ali-test-project项目中名为test-logstore的Logstore写入下面的日志:
topic="" time=1447048976 source="10.10.10.1" "TestKey": "TestContent"为此,按照API定义需要构建如下HTTP请求:
POST /logstores/test-logstore HTTP/1.1 Date: Mon, 09 Nov 2015 06:03:03 GMT Host: ali-test-project.cn-hangzhou.log.aliyuncs.com x-log-apiversion:0.6.0 x-log-bodyrawsize:50 x-log-signaturemethod:hmac-sha1 Content-MD5: 1DD45FA4A70A9300CC9FE7305AF2C494 Content-Length: 52在这个HTTP请求中,写入的日志内容首先被序列化成ProtoBuffer格式(请参见数据编码方式了解该格式的更多细节)后作为请求Body。所以该请求的Content-Type头的值指定为application/x-protobuf。类似,Content-MD5头的值是请求body对应的MD5值。按照上面的签名字符串构造方式,这个请求对应的签名字符串为:
POST 1DD45FA4A70A9300CC9FE7305AF2C494 application/x-protobuf Mon, 09 Nov 2015 06:03:03 GMT x-log-apiversion:0.6.0 x-log-bodyrawsize:50 x-log-compresstype:lz4 x-log-signaturemethod:hmac-sha1 /logstores/ali-test-logstore同样,以前面示例中的AccessKeySecret做签名运算,得到的最终签名为:
XWLGYHGg2F2hcfxWxMLiNk****最后发送经数字签名的HTTP请求内容如下:
POST /logstores/ali-test-logstore HTTP/1.1 Date: Mon, 09 Nov 2015 06:03:03 GMT Host: ali-test-project.cn-hangzhou.log.aliyuncs.com x-log-apiversion:0.6.0 x-log-bodyrawsize:50 x-log-compresstype:lz4 x-log-signaturemethod:hmac-sha1 Content-MD5: 1DD45FA4A70A9300CC9FE7305AF2C494 Content-Length: 52 Authorization: LOG bq2sjzesjmo86kq35behupbq:XWLGYHGg2F2hcfxWxMLiNk****
代码示例
-
Java签名示例代码
该示例依赖第三方库
commons-codec,请在pom.xml下添加Maven依赖:commons-codec commons-codec 1.15以下为请求签名的代码示例,仅为参考:
package com.aliyun.openservices.log.http.signer; import org.apache.commons.codec.binary.Base64; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import java.math.BigInteger; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.text.DateFormat; import java.text.SimpleDateFormat; import java.util.*; import java.util.stream.Collectors; public class v1 { public static String md5(byte[] bs) throws Exception { MessageDigest digest = MessageDigest.getInstance("MD5"); digest.update(bs); String hex = new BigInteger(1, digest.digest()).toString(16).toUpperCase(); return new String(new char[32 - hex.length()]).replace("\0", "0") + hex; } public static String getDateString() { DateFormat df = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.US); df.setTimeZone(new SimpleTimeZone(0, "GMT")); return df.format(new Date()); } public static void sign(String method, String uri, String accessKeyId, String accessKeySecret, Map params, Map headers, byte[] body) throws Exception { int contentLength = 0; String contentMD5 = "", message = ""; headers.put("x-log-apiversion", "0.6.0"); headers.put("x-log-signaturemethod", "hmac-sha1"); if (body != null && body.length > 0) { contentLength = body.length; contentMD5 = md5(body); headers.put("Content-MD5", contentMD5); } String date = getDateString(); headers.put("Date", date); headers.put("Content-Length", String.valueOf(contentLength)); message += method + " " + contentMD5 + " " + headers.getOrDefault("Content-Type", "") + " " + date + " "; // header String headerStr = headers.entrySet().stream() .filter(e -> e.getKey().startsWith("x-log-") || e.getKey().startsWith("x-acs-")) .sorted(Map.Entry.comparingByKey()) .map(e -> String.format("%s:%s ", e.getKey(), e.getValue())) .collect(Collectors.joining("")); message += headerStr; // uri & params message += uri; if (params.size() > 0) { message += "?"; } message += params.entrySet().stream() .sorted(Map.Entry.comparingByKey()) .map(e -> String.format("%s=%s", e.getKey(), e.getValue())) .collect(Collectors.joining("&")); // signature & authorization Mac mac = Mac.getInstance("HmacSHA1"); mac.init(new SecretKeySpec(accessKeySecret.getBytes(StandardCharsets.UTF_8), "HmacSHA1")); String signature = new String(Base64.encodeBase64(mac.doFinal(message.getBytes(StandardCharsets.UTF_8)))); String auth = "LOG " + accessKeyId + ":" + signature; headers.put("Authorization", auth); } } -
Python签名示例代码
以下为请求签名的代码示例,仅为参考:
import base64 import hashlib import hmac import locale from datetime import datetime from typing import Dict, Tuple def get_date(): try: locale.setlocale(locale.LC_TIME, "C") except Exception as ex: pass return datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT') def sign(method: str, uri: str, access_key_id: str, access_key_secret: str, params: Dict[str, str], headers: Dict[str, str], body: bytes): content_length = 0 content_md5, message = '', '' headers["x-log-apiversion"] = "0.6.0" headers["x-log-signaturemethod"] = "hmac-sha1" if body is not None and len(body) > 0: content_length = len(body) content_md5 = hashlib.md5(body).hexdigest().upper() headers['Content-MD5'] = content_md5 date = get_date() headers['Date'] = date headers['Content-Length'] = content_length content_type = headers.get('Content-Type', '') message += method + " " + content_md5 + \ " " + content_type + " " + date + " " # header filter_by_prefix = lambda t: t[0].startswith('x-log-') or t[0].startswith('x-acs-') slsHeaders = list(filter(filter_by_prefix, headers.items())) sort_by_key = lambda k: k[0] for [k, v] in sorted(slsHeaders, key=sort_by_key): message += k + ':' + v + " " # uri and params message += uri message += '?' if len(params) > 0 else '' sep = '' for [k, v] in sorted(params.items(), key=sort_by_key): message += sep + k + '=' + v sep = '&' # signature and authorization hashed = hmac.new(access_key_secret.encode('utf8'), message.encode('utf8'), hashlib.sha1).digest() signature = base64.encodebytes(hashed).decode('utf8').rstrip() auth = f'LOG {access_key_id}:{signature}' headers['Authorization'] = auth -
PHP签名示例代码
以下为请求签名的代码示例,仅为参考:
0) { $contentLength = strlen($body); $contentMd5 = strtoupper(md5($body)); $headers["Content-MD5"] = $contentMd5; } // date setLocale(LC_TIME, 'en_US'); $date = gmdate('D, d M Y H:i:s \G\M\T', time()); $headers["Date"] = $date; $headers["Content-Length"] = (string)$contentLength; $contentType = isset($headers['Content-Type']) ? $headers['Content-Type'] : ''; $message = $method . " " . $contentMd5 . " " . $contentType . " " . $date . " "; // header $filterHeaders = []; foreach ($headers as $key => $val) { if (str_starts_with($key, 'x-log-') || str_starts_with($key, 'x-acs-')) { $filterHeaders[$key] = $val; } } ksort($filterHeaders); foreach ($filterHeaders as $key => $val) { $message .= $key . ':' . $val . " "; } // uri and params $message .= $uri; if (sizeof($params) > 0) { $message .= '?'; } ksort($params); $sep = ''; foreach ($params as $key => $val) { $message .= $sep . $key . '=' . $val; $sep = '&'; } // signature & authorization $signature = base64_encode(hash_hmac('sha1', $message, $accessKeySecret, TRUE)); $auth = 'LOG ' . $accessKeyId . ':' . $signature; $headers['Authorization'] = $auth; return $headers; }; // example call $headers = sign( 'POST', '/logstores/test-logstore', 'testAccessId', 'testAccessKey', array( "test" => "test", "hello" => "world" ), array( "x-log-signaturemethod" => "hmac-sha1", "x-log-bodyrawsize" => "0", "x-log-apiversion" => "0.6.0" ), 'hello, world' ); echo ($headers['Authorization']); foreach ($headers as $key => $val) { echo ($key . '=' . $val . " "); } ?> -
Go签名示例代码
以下为请求签名的代码示例,仅为参考:
package sls import ( "crypto/hmac" "crypto/md5" "crypto/sha1" "encoding/base64" "fmt" "sort" "strconv" "strings" "time" ) /* * @param uri The uri of http request, exclude host and query param, eg: /logstores/test-logstore * @param headers This function modifies headers, headers must not be a nil map * @param method Http method in uppercase , eg: GET, POST, PUT, DELETE */ func Sign(method, uri, accessKeyID, accessKeySecret string, headers, queryParams map[string]string, body []byte) error { var message, signature string var contentMD5, contentType, date string headers["x-log-apiversion"] = "0.6.0"; headers["x-log-signaturemethod"] = "hmac-sha1"; if len(body) > 0 { contentMD5 = fmt.Sprintf("%X", md5.Sum(body)) headers["Content-MD5"] = contentMD5 } date = time.Now().In(time.FixedZone("GMT", 0)).Format(time.RFC1123) headers["Date"] = date headers["Content-Length"] = strconv.Itoa(len(body)) if val, ok := headers["Content-Type"]; ok { contentType = val } message += method + " " + contentMD5 + " " + contentType + " " + date + " " // header slsHeaders := make(map[string]string) for k, v := range headers { if strings.HasPrefix(k, "x-log-") || strings.HasPrefix(k, "x-acs-") { slsHeaders[k] = v } } forEachInOrder(slsHeaders, func(k, v string) { message += k + ":" + v + " " }) message += uri if len(queryParams) > 0 { message += "?" } sep := "" forEachInOrder(queryParams, func(k, v string) { message += sep + k + "=" + v sep = "&" }) // Signature = base64(hmac-sha1(UTF8-Encoding-Of(SignString),AccessKeySecret)) mac := hmac.New(sha1.New, []byte(accessKeySecret)) _, err := mac.Write([]byte(message)) if err != nil { return err } signature = base64.StdEncoding.EncodeToString(mac.Sum(nil)) auth := fmt.Sprintf("LOG %v:%v", accessKeyID, signature) headers["Authorization"] = auth return nil } func forEachInOrder(m map[string]string, f func(k, v string)) { var ss sort.StringSlice for k := range m { ss = append(ss, k) } ss.Sort() for _, k := range ss { f(k, m[k]) } } -
C#签名示例代码
以下为请求签名的代码示例,仅为参考:
using System.Security.Cryptography; using System.Text; using StringMap = System.Collections.Generic.Dictionary; void sign(string method, string uri, string accessKeyId, string accessKeySecret, StringMap queryParams, StringMap headers, byte[] body ) { int contentLength = 0; string contentMd5 = "", message = ""; headers["x-log-apiversion"] = "0.6.0"; headers["x-log-signaturemethod"] = "hmac-sha1"; if (body != null && body.Length > 0) { contentLength = body.Length; contentMd5 = BitConverter.ToString(MD5.Create().ComputeHash(body)).Replace("-", ""); Console.WriteLine(contentMd5); headers["Content-MD5"] = contentMd5; } string date = DateTime.Now.ToUniversalTime().ToString("R"); headers["Date"] = date; headers["Content-Length"] = contentLength.ToString(); message += method + " " + contentMd5 + " " + headers.GetValueOrDefault("Content-Type", "") + " " + date + " "; var sortedHeader = from entry in headers orderby entry.Key ascending select entry; // header foreach (var entry in sortedHeader) { if (entry.Key.StartsWith("x-log-") || entry.Key.StartsWith("x-acs-")) { message += entry.Key + ":" + entry.Value + " "; } } // url & params message += uri; if (queryParams.Count() > 0) { message += "?"; } var sortedParam = from entry in queryParams orderby entry.Key ascending select entry; string sep = ""; foreach (var entry in sortedParam) { message += sep + entry.Key + "=" + entry.Value; sep = "&"; } var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(accessKeySecret)); var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(message))); var auth = "LOG " + accessKeyId + ":" + signature; headers["Authorization"] = auth; } -
C++签名示例代码
以下为请求签名的代码示例,其中涉及的辅助函数,需要自行实现。示例中的adapter.h头文件来自于日志服务C++ SDK,建议您参考日志服务C++ SDK进行签名,具体操作,请参见C++ SDK快速入门。
-
CodecTool::CalcMD5(string) : 计算MD5值并转为十六进制大写字符串。
-
CodecTool::StartWith(string, string) : 判断字符串是否含有另一字符串作为前缀。
-
CodecTool::Base64Enconde(string) : Base64编码字符串。
-
CodecTool::CalcHMACSHA1(string, string): 计算hmac-sha1哈希值。
-
CodecTool::GetDateString(): 获取当前时间的格式化字符串,格式为
%a, %d %b %Y %H:%M:%S GMT,例如Mon,3 Jan 2010 08:33:47 GMT。
#include -
-
TypeScript签名示例代码
该示例依赖第三方库
crypto-js,安装依赖命令如下:npm install crypto-js --save以下为请求签名的代码示例,仅为参考:
import CryptoJS from 'crypto-js' export function sign( method: string, uri: string, access_key_id: string, access_key_secret: string, params: Map, headers: Map, body: string | undefined ) { let content_length = 0 let content_md5 = '', message = '' headers.set("x-log-apiversion", "0.6.0") headers.set("x-log-signaturemethod", "hmac-sha1") if (body !== undefined && body.length > 0) { content_length = body.length content_md5 = CryptoJS.MD5(body).toString(CryptoJS.enc.Hex).toUpperCase() headers.set('Content-MD5', content_md5) } const date = new Date().toUTCString() headers.set('Date', date) headers.set('Content-Length', content_length.toString()) message += method + ' ' + content_md5 + ' ' + (headers.get('Content-Type') ?? '') + ' ' + date + ' ' // headers const sort_by_key = (a: [string, string], b: [string, string]) => a[0].localeCompare(b[0]) const filter_by_prefix = (e: [string, string]) => e[0].startsWith('x-log-') || e[0].startsWith('x-acs-') const header_str = [...headers.entries()] .filter(filter_by_prefix) .sort(sort_by_key) .map((e) => e[0] + ':' + e[1] + ' ') .join('') message += header_str // uri & query params message += uri if (params.size > 0) { message += '?' } message += [...params.entries()] .sort(sort_by_key) .map((e) => e[0] + '=' + e[1]) .join('&') // signature & authorization const signature = CryptoJS.HmacSHA1(message, access_key_secret).toString( CryptoJS.enc.Base64 ) const auth = 'LOG ' + access_key_id + ':' + signature headers.set('Authorization', auth) } // example call sign( 'POST', '/logstores/test-logstore', 'testAccessId', 'testAccessKey', new Map([ ['test', 'test'], ['hello', 'world'], ]), new Map([ ['x-log-signaturemethod', 'hmac-sha1'], ['x-log-bodyrawsize', '0'], ['x-log-apiversion', '0.6.0'], ['Content-Type', 'application/json'], ]), 'hello, world' ) -
Rust签名示例代码
该示例依赖库名称及版本如下所示:
[dependencies] chrono = "0.4.19" md5 = "0.7.0" base64 = "0.13.0" hmac-sha1 = "0.1.3"以下为请求签名的代码示例,仅为参考:
extern crate base64; extern crate hmacsha1; extern crate md5; use chrono::Utc; use std::collections::*; pub fn sign( method: &str, uri: &str, access_key_id: &str, access_key_secret: &str, params: &HashMap, headers: &mut HashMap, body: Option<Vec>, ) -> String { let mut content_length = 0; let mut content_md5 = String::from(""); headers.insert("x-log-apiversion".to_owned(), "0.6.0".to_owned()); headers.insert("x-log-signaturemethod".to_owned(), "hmac-sha1".to_owned()); if let Some(content) = body { if content.len() > 0 { content_length = content.len(); content_md5 = format!("{:X}", md5::compute(content)); headers.insert("Content-MD5".to_owned(), content_md5.clone()); } } headers.insert("Content-Length".to_owned(), content_length.to_string()); // date let date = Utc::now().format("%a, %d %b %Y %H:%M:%S GMT").to_string(); headers.insert("Date".to_owned(), date.clone()); let mut message = "".to_owned(); let content_type = headers .get(&"Content-Type".to_owned()) .cloned() .unwrap_or(String::from("")); message += format!("{} {} {} {} ", method, content_md5, content_type, date).as_str(); // header let mut sorted_header: Vec = headers.iter().collect(); sorted_header.sort_by_key(|x| x.0); for (k, v) in sorted_header { if k.starts_with("x-log-") || k.starts_with("x-acs-") { message += format!("{}:{} ", k, v).as_str(); } } // url & params message += uri; if params.len() > 0 { message += "?"; } let mut sorted_params: Vec = params.iter().collect(); sorted_params.sort_by_key(|x| x.0); let mut sep = ""; for (k, v) in sorted_params { message += format!("{}{}={}", sep, k, v).as_str(); sep = "&"; } let signature = base64::encode(hmacsha1::hmac_sha1( access_key_secret.as_bytes(), message.as_bytes(), )); let auth = format!("LOG {}:{}", access_key_id, signature); headers.insert("Authorization".to_owned(), auth.to_owned()); auth }
内容没看懂? 不太想学习?想快速解决? 有偿解决: 联系专家
阿里云企业补贴进行中: 马上申请
腾讯云限时活动1折起,即将结束: 马上收藏
同尘科技为腾讯云授权服务中心。
购买腾讯云产品享受折上折,更有现金返利:同意关联,立享优惠
转转请注明出处:https://www.yunxiaoer.com/160350.html