best practices - huawei cloudexample: periodically backing up files from an ftp server to obs cdm...

Object Storage Service

Best Practices

Issue 08

Date 2020-08-31

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei andthe customer. All or part of the products, services and features described in this document may not bewithin the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,information, and recommendations in this document are provided "AS IS" without warranties, guaranteesor representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 08 (2020-08-31) Copyright © Huawei Technologies Co., Ltd. i

Contents

1 Overview of OBS Best Practices........................................................................................... 1

2 Migrating Local Data to OBS................................................................................................32.1 Overview.................................................................................................................................................................................... 32.2 Migrating Through OBS Tools.............................................................................................................................................52.3 Migrating Through the CDM Service................................................................................................................................52.4 Migrating Through Disk-Based DES..................................................................................................................................62.5 Migrating Through Teleport-Based DES.......................................................................................................................... 72.6 Migrating Through Direct Connect................................................................................................................................... 8

3 Migrating Data from Third-Party Cloud Service Vendors to OBS................................93.1 Overview.................................................................................................................................................................................... 93.2 Migrating Through OMS.................................................................................................................................................... 103.3 Migrating Through the CDM Service............................................................................................................................. 11

4 Using Backup Software to Back Up Local Data to OBS............................................... 124.1 Overview.................................................................................................................................................................................. 124.2 Using Commvault to Back Up Local Data in SAP HANA........................................................................................ 12

5 Accessing OBS over Intranet...............................................................................................155.1 Overview.................................................................................................................................................................................. 155.2 Accessing OBS over Intranet by Using OBS Browser+ on a Windows ECS....................................................... 175.3 Accessing OBS over Intranet by Using obsutil on a Linux ECS............................................................................. 20

6 Using a User-Defined Domain Name to Host a Static Website.................................236.1 Static Website Hosting........................................................................................................................................................ 236.2 Updating a Static Website................................................................................................................................................. 29

7 Enterprise Data Access Control..........................................................................................327.1 Introduction to OBS Access Control............................................................................................................................... 327.2 Access Management on Department Public Data.................................................................................................... 387.3 Data Sharing Among Departments/Projects............................................................................................................... 407.4 Authorizing Business Departments with Independent Resource Permissions................................................. 477.5 Isolating Bucket Resources Between Business Departments................................................................................. 52

8 Verifying Data Consistency................................................................................................. 598.1 Overview.................................................................................................................................................................................. 59

Object Storage ServiceBest Practices Contents

Issue 08 (2020-08-31) Copyright © Huawei Technologies Co., Ltd. ii

8.2 Verifying Data Consistency During Upload................................................................................................................. 628.3 Verifying Data Consistency During Download........................................................................................................... 64

9 Performance Optimization..................................................................................................68

10 Accessing OBS from App Clients..................................................................................... 69

11 Accessing OBS Through an NGINX Reverse Proxy.......................................................77

12 Migrating Data Between HUAWEI CLOUD OBS Buckets...........................................82

A Change History...................................................................................................................... 84

Object Storage ServiceBest Practices Contents

Issue 08 (2020-08-31) Copyright © Huawei Technologies Co., Ltd. iii

1 Overview of OBS Best Practices

This document summarizes practices in common application scenarios of ObjectStorage Service (OBS). Each practice case provides detailed solution descriptionand operation guide, helping you easily build your storage services based on OBS.

Table 1-1 OBS best practices

Best Practice Description

Migrating Local Data toOBS

This section describes how to migrate local datafrom personal computers or on-premises storageservers to OBS.

Migrating Data fromThird-Party Cloud ServiceVendors to OBS

This section describes several migration methodsthat can migrate various volumes of data fromthird-party vendors to OBS, and provides operationprocedures and guidance for each method.

Using Backup Softwareto Back Up Local Data toOBS

This section describes the backgrounds of backingup local data to OBS and the backup softwaresupported by OBS. Commvault is used as anexample to describe how to back up local data toOBS.

Accessing OBS overIntranet

This section describes how to access OBS fromyour Elastic Cloud Servers (ECSs) through theinternet or the HUAWEI CLOUD intranet. Tooptimize performance and reduce costs, it isrecommended that you access OBS over theHUAWEI CLOUD intranet. ECS supports access toOBS through either Internet or the HUAWEICLOUD intranet.

Using a User-DefinedDomain Name to Host aStatic Website

This section describes how to use a user-defineddomain name to host static websites on OBS. Youcan quickly publish personal and enterprise staticwebsites without setting up a website server.

Object Storage ServiceBest Practices 1 Overview of OBS Best Practices

Issue 08 (2020-08-31) Copyright © Huawei Technologies Co., Ltd. 1

Best Practice Description

Enterprise Data AccessControl

OBS provides multiple permission controlmechanisms to help you manage data stored inOBS. This section uses common scenarios of datapermission control as examples to describe how tocontrol access to data stored in OBS to ensure datasecurity.

Verifying DataConsistency

Data inconsistency may occur due to networkhijacking, cache, and other reasons during objectupload and download. This section describes howto use the MD5 value calculating method to verifydata consistency during data upload anddownload.

PerformanceOptimization

This section describes how to add random prefixesto object names to implement horizontalexpansion for access requests, and thus improvethe access rate and shorten the access delay.

Accessing OBS from AppClients

This section describes two methods for app clientsto access OBS to better protect data and preventdata leakage and unauthorized access afterattacks.

Accessing OBS Throughan NGINX Reverse Proxy

This section describes how to configure the Nginxreverse proxy on an ECS, so that you can use afixed IP address to access OBS.

Migrating Data BetweenHUAWEI CLOUD OBSBuckets

This section describes how to migrate databetween HUAWEI CLOUD OBS buckets that areunder different accounts or deployed in the sameor different regions.

Object Storage ServiceBest Practices 1 Overview of OBS Best Practices


2 Migrating Local Data to OBS

2.1 Overview

BackgroundConventional on-premises storage servers cannot meet the storage demands formassive amounts of data. The main reasons are as follows:

● Storage capacity is subject to hardware devices. If the storage capacitybecomes insufficient, you need to purchase disks and expand the capacitymanually.

● The initial deployment requires high investment and long construction period,but it quickly lags behind as enterprise services change so fast.

● Network information vulnerabilities, technical vulnerabilities, and mis-operations may result in unbearable security risks.

In contrast, OBS provides massive, stable, and secure cloud storage capabilities.With OBS, you do not need to worry about the storage capacity because it can beexpanded infinitely. OBS can store unstructured data of any type and size. OBSensures high stability and security for your data, featuring a multi-level reliabilityarchitecture, server-side encryption, log management, and permission control. Interms of the cost, OBS is available upon service subscription, eliminating the needfor the investment in physical server deployment and maintenance.

HUAWEI CLOUD provides migration solutions to help you migrate data fromyour on-premises storage servers to OBS in a cost-effective, secure, and efficientmanner. You can select a suitable migration solution according to your datavolume, time arrangement, and budget.

Migration SolutionsTable 2-1 describes the migration solutions provided by HUAWEI CLOUD.

Object Storage ServiceBest Practices 2 Migrating Local Data to OBS


Table 2-1 Migration solutions

MigrationMethod

Data Volume Requirement Time Required Pricing

MigratingThroughOBS Tools(online)

Not largerthan 1 TB

Sufficient publicnetworkbandwidth;requiringmanualoperations onclients or scriptsto start dataupload.

About 1 day for1 TB data withthe bandwidthof 100 Mbit/s

Datatransmissionis offeredfor free.Fees arechargedonly forstoragespace usedon OBS.

MigratingThroughthe CDMService(online)

Less than 8 TBat a time

Subscription tothe CDM serviceis required.

1 TB to 8 TBeach day(depending onthe networkcondition andthe read andwriteperformance ofthe datasource)

Fees arechargedbased onCDMinstancespecifications and therunningduration.For details,see CDMPricingDetails.

MigratingThroughDisk-Based DES(offline)

Less than 10TB at a time

Disks need to beprepared.

Although ittakes 1 to 2days to deliverdisks to a datacenter, 4 TBdata can beimported withinone day.

Fees arechargedbased onthe numberof disks andthe runningduration.For details,see DESPricingDetails.

MigratingThroughTeleport-Based DES(offline)

Less than 100TB at a time

Huawei datacenters provideTeleports fordatatransmission.

Although ittakes 1 to 2days to deliverthe Teleport toa data center,120 TB datacan beimported withintwo days.

Fees arechargedbased onthe numberof disks andthe runningduration.For details,see DESPricingDetails.



https://www.huaweicloud.com/intl/en-us/pricing/index.html?tab=detail#/cdm



https://www.huaweicloud.com/intl/en-us/pricing/index.html?tab=detail#/des






MigrationMethod

Data Volume Requirement Time Required Pricing

MigratingThroughDirectConnect(real-time)

More than 100TB data thatneeds real-time onlinetransmissionevery month

Private linesneed to bedeployed.

Depends on thebandwidth ofthe private line.

Fees arechargedbased onthe distanceandbandwidthof theprivate line.For details,see DirectConnectPricingDetails.

2.2 Migrating Through OBS ToolsOBS tools are suitable for data migration within the hundreds of gigabytes. OBSprovides various client tools, such as OBS Browser+ and obsutil, to help youmigrate data from local hosts to OBS. Uploading data occupies your publicnetwork bandwidth. Therefore, you are advised to upload data during off-peakhours.

For details about the usage scenarios and operation guide of each tool, see OBSTools Guide.

2.3 Migrating Through the CDM Service

OverviewCloud Data Migration (CDM) provides batch data migration services betweenhomogeneous and heterogeneous data sources. By creating scheduled jobs, CDMconnects data sources, such as file systems, databases, and object storage on theon-premises storage servers, to HUAWEI CLOUD OBS. In this way, local data canbe migrated to OBS periodically and automatically.



https://www.huaweicloud.com/intl/en-us/pricing/index.html?tab=detail#/dline




https://support.huaweicloud.com/intl/en-us/tg-obs/obs_09_0001.html

https://support.huaweicloud.com/intl/en-us/tg-obs/obs_09_0001.html

Figure 2-1 CDM workflow

1. Creating an OBS bucketCreate a bucket on OBS Console or OBS Browser+ for storing data.

2. Purchasing CDMPurchase the CDM service, that is, create a CDM cluster to manageconnections and jobs.

3. Configuring connections and jobsCreate a source connection and a destination connection in the created CDMcluster to respectively connect to the local data source and OBS in the cloud.Then create a CDM job to migrate local data to OBS.

4. Starting data transmissionRun the CDM job to start data transmission. You can view the job progress onthe job management page.

Example: Periodically Backing Up Files from an FTP Server to OBSCDM can periodically upload new files to OBS. You do not need to compile codeor manually upload the files. You can also use the massive storage capabilities ofOBS on HUAWEI CLOUD to back up files. For details about how to periodicallyback up files from an FTP server to OBS, see From FTP/SFTP to OBS.

2.4 Migrating Through Disk-Based DESDisk-based Data Express Service (DES) allows users to deliver data disks (such asUSB flash drives and eSATA disks) to a data center of HUAWEI CLOUD, achievingefficient data transmission. Disk-based DES is suitable for TB-scale data migration.



https://support.huaweicloud.com/intl/en-us/usermanual-cdm/cdm_01_0076.html

Figure 2-2 Data migration diagram of disk-based DES


2. Creating a disk-based DES orderLog in to DES Console and create a disk-based DES order. Import the providedsignature file to a local data disk and send the disk to a HUAWEI CLOUD datacenter.

3. Starting data transmissionAfter receiving the disk, a HUAWEI CLOUD data center administrator mountsthe disk to a physical server. Then you will receive an SMS message to notifyyou of inputting the access keys (AK and SK) to start data uploading. Afterdata transmission is complete, you can view the transmission result on DESConsole or OBS Console. The HUAWEI CLOUD data center will send your diskback afterwards.

For details, see Detailed Instructions on Using Disks.

2.5 Migrating Through Teleport-Based DESTeleport is a storage device specially designed for TB- or PB-scale data migrationto OBS. It is dust- and water-proof and resistant to vibration and crush. Withmultiple security protection mechanisms, such as GPS locking, data encryption,and offline transfer, Teleport ensures data security and can efficiently completelarge-scale data migration.

Figure 2-3 Data migration diagram of Teleport-based DES




https://support.huaweicloud.com/intl/en-us/usermanual-des/zh-cn_topic_0047663833.html

2. Creating a Teleport-based DES orderDES provides Teleport-based and disk-based services. Select Teleport-basedDES in this scenario.

3. Receiving and importing data to the TeleportAfter the DES order is created successfully, you will receive the Teleport sentby a HUAWEI CLOUD data center. Perform simple configuration to connectthe Teleport to your data server, copy the data, and send the Teleport to theHUAWEI CLOUD data center.

4. Starting data transmissionAfter the HUAWEI CLOUD data center receives the Teleport, you can input theaccess keys on DES Console to transmit data from the Teleport to a specifiedOBS bucket. After data transmission is complete, you can view thetransmission result on DES Console or OBS Console.

For details, see Detailed Instructions on Using Teleport.

2.6 Migrating Through Direct ConnectDirect Connect connects your data center to HUAWEI CLOUD, so that you canupload local data directly to HUAWEI CLOUD OBS. Direct Connect isrecommended when local data needs to be migrated to OBS frequently or in realtime. The provided low-latency and high-bandwidth services facilitate uploadingdata to OBS at any time.

Figure 2-4 Data migration diagram of Direct Connect

1. Creating an OBS bucketLog in to OBS Console and create one or more buckets for storing user data.

2. Enabling Direct ConnectLog in to Direct Connect Console, fill in the application form and submit anorder. After the administrator approves the application, you can pay for theorder and contact the carrier for physical line connections. Huawei engineerswill cooperate with your carrier to configure the connection. For details, seeProcess Description.

3. Starting data transmissionAfter Direct Connect is enabled, you can upload local data to OBS using themanagement console, tool, APIs, or SDKs.



https://support.huaweicloud.com/intl/en-us/usermanual-des/des_01_0011.html

https://support.huaweicloud.com/intl/en-us/qs-dc/en-us_topic_0032024349.html

3 Migrating Data from Third-Party CloudService Vendors to OBS

3.1 OverviewUsers who have a large amount of data stored at third-party cloud vendors needto download data to a local server, and then upload the data to OBS using OBSConsole or other clients. The entire process is time- and labor-consuming, andproblems such as missing transmission and incorrect transmission may occur.

To address these problems, HUAWEI CLOUD provides two migration services, OMSand CDM. With the migration services, you only need to configure connectionparameters and migration tasks on the Console. Then, you can easily andsmoothly migrate data from third-party cloud service providers to OBS. Table 3-1describes the migration solutions. You can select either one based on your needs.

Table 3-1 Migration solutions

MigrationMode

ApplicationScenario

SupportedMigrationSource

Migration Speed

Pricing

MigratingThrough OMS

Full or incrementalmigration of large-scale object data(less than 500 TB)

For detailsabout thesupportedthird-partycloudservicevendors, seeCreatingObjectStorageMigrationTasks.

10 to 20TB perday

For detailsabout thebilling, seeOMS PricingDetails.

Object Storage ServiceBest Practices

3 Migrating Data from Third-Party Cloud ServiceVendors to OBS


https://support.huaweicloud.com/intl/en-us/qs-oms/en-us_topic_0045916962.html





https://support.huaweicloud.com/intl/en-us/productdesc-oms/oms_01_0028.html


MigrationMode

ApplicationScenario

SupportedMigrationSource

Migration Speed

Pricing

MigratingThrough theCDM Service

Small-scale data(less than 10 TB)migration or periodicmigration

For detailsabout thesupportedthird-partycloudservicevendors, seeSupportedDataSources.

5 to 10TB perday

Fees arechargedbased onCDMinstancespecificationsand runningstatus. Fordetails, seethe CDMpart inProductPricingDetails.

NO TE

For large-scale data migration (over 500 TB), you can submit a service ticket or contactcustomer service to customize a solution at low costs based on your service needs.

3.2 Migrating Through OMSOMS is an online data migration service that helps you securely and efficientlymigrate your object data from other cloud service vendors to HUAWEI CLOUD.During data migration, HTTPS data encryption channels are used to ensure datatransmission security. If the content changes, only changed objects are migrated,reducing the migration cost.

Figure 3-1 Data migration diagram of OMS

1. Creating an OBS bucketLog in to OBS Console and create a bucket for storing migration data.

2. Creating migration tasks




https://support.huaweicloud.com/intl/en-us/productdesc-cdm/cdm_01_0095.html






https://console-intl.huaweicloud.com/ticket/?locale=en-us#/ticketindex/business?productTypeId=2a129f7ed0b543c6b92d73e2c26aa590&subTypeId=-1&type=2

Create a migration task on OMS Console and associate a third-party cloudservice vendor (source) with OBS (destination) by configuring parameterssuch as access keys and bucket names.

For details, see Creating an Object Storage Migration Task.

3. Starting data migration

Perform an OMS migration task to start data migration. You can view the taskexecution status and the final result on OMS Console.

3.3 Migrating Through the CDM ServiceWith CDM, you can connect third-party object storage services, including AlibabaCloud OSS and Qiniu Cloud KODO, to HUAWEI CLOUD OBS for seamlessmigration of object data.

Figure 3-2 Migrating data from a third-party object storage service to OBS usingCDM

1. Creating an OBS bucket

Create a bucket on OBS Console or OBS Browser+ for storing data.

2. Purchasing CDM

Purchase the CDM service, that is, create a CDM cluster to manageconnections and jobs.

3. Configuring connections and jobs

In the CDM cluster, create a source connection that uses a third-party cloudservice vendor as the data source and a destination connection that uses OBSas the data destination. Then create a CDM job to migrate data from thethird-party cloud service vendor to OBS.

4. Starting data migration

Run the CDM job to start data migration. You can view the job progress onthe job management page.

Example: Migrating Data from OSS to OBS

For details about migrating data from Alibaba Cloud OSS to HUAWEI CLOUD OBS,see From OSS to OBS.




https://support.huaweicloud.com/intl/en-us/qs-oms/en-us_topic_0045916962.html#

https://support.huaweicloud.com/intl/en-us/usermanual-cdm/cdm_01_0131.html#

4 Using Backup Software to Back Up LocalData to OBS

4.1 OverviewIn traditional backup and restoration solutions, backup data needs to be written tostorage devices such as tapes and then transported to a data center. In thisprocess, data security and integrity are subject to many factors, such as hardwareperformance and persons. In addition, data center deployment and maintenancepose problems such as complex management and high costs.

Cloud storage is easy-to-use, secure, efficient, and cost-effective, making it anattractive substitute for traditional storage devices such as tapes. OBS is a cloudstorage service that provides massive and scalable storage services. All OBSservices and storage nodes work in distributed cluster mode to improve OBSscalability. Data redundancy and consistency check functions improve the securityand reliability of data stored on OBS. Owing to OBS's pay-per-use billing mode,your cost on OBS is easy to estimate.

Backup software, such as Commvault and AnyBackup Cloud, can be connected toOBS for data backup. With such backup software, you can customize backuppolicies based on your requirements to achieve secure and efficient backup.

4.2 Using Commvault to Back Up Local Data in SAPHANA

SAP HANA is a high-performance real-time data computing platform based on thememory computing technology. Enterprises that need to process a large amountof real-time service data may use SAP HANA. The backup software Commvault isseamlessly integrated with SAP HANA and OBS and supports backup for onlinedatabases and logs. When a fault occurs in the SAP HANA system or servicemigration is required, Commvault can help you quickly and easily restore data,thereby providing enterprise-level data protection for SAP HANA.


4 Using Backup Software to Back Up Local Data toOBS


NO TE

Commvault V11 is recommended in this scenario.

Logical Architecture

The following uses Commvault as an example to describe how to back up the SAPHANA deployed on a local single-node system. Figure 4-1 shows the logicalarchitecture.

Figure 4-1 Logical architecture

Table 4-1 describes the components in the logical architecture.

Table 4-1 Component description

Component Description

iDataAgent (iDA) Backup client agent, which is deployed on the SAP HANAnode to obtain data to be backed up from SAP HANA.

CommServe (CS) Backup server, which is deployed on the backupmanagement node and is responsible for formulating globalbackup policies and scheduling backup services.

MediaAgent(MA)

Backup media, which is deployed on the backup servicenode and stores backup data to OBS.

OBS In backup scenarios, OBS stores backup data. Buckets arecontainers on OBS and data is stored in OBS buckets.

NO TE

A CommCell is a backup management domain and a logical grouping of softwarecomponents. Such software components obtain, transmit, store, and manage data andinformation.




Backup Process1. Installing and pre-configuring the backup software

When backing up SAP HANA, you need to install and configure the backupserver (CommServer), backup media (MediaAgent), and SAP HANA backupclient agent (iDataAgent).

2. Creating backup storage space (OBS bucket)

a. Log in to OBS Console and create a bucket as the backup data storagespace. For details about how to create a bucket, see Creating a Bucket.

b. Create a cloud repository on CommCell Console. Enter the OBS endpointaddress, access keys, and the bucket name to associate the MediaAgentof Commvault with OBS.

NO TE

CommCell Console is a graphical user interface for managing CommCellenvironments, monitoring and controlling activity jobs, and viewing activity-related events.

3. Creating a Commvault backup policyCreate a backup policy on Commcell Console and specify the backup period,time, and encryption mode.

4. Checking the backup execution statusDuring the execution of a backup policy, you can view the backup executionstatus on Commcell Console.

5. (Optional) Restoring dataRestore data to the SAP HANA source host.

NO TE

For details about Commvault operations, see Commvault Official Documentation.




https://support.huaweicloud.com/intl/en-us/usermanual-obs/en-us_topic_0045853662.html

http://documentation.commvault.com/commvault/v11/

5 Accessing OBS over Intranet

5.1 Overview

Scenario IntroductionAn enterprise runs basic services on Elastic Cloud Servers (ECSs), but storagecapacity of hard disks becomes insufficient for storing a large number of imagesand videos. After learning that HUAWEI CLOUD provides OBS, an elastic cloudstorage service for massive amounts of data, the enterprise determined to useOBS as the data storage resource pool to reduce the burden on local servers.

From ECSs, you can access OBS over the internet or HUAWEI CLOUD intranet.However, for access over the internet, the network response speed is subject to thenetwork conditions, and you need to pay for data access over the internet. Tomaximize performance and reduce costs, enterprise administrators want to accessOBS over the intranet.

NO TE

When accessing OBS over the intranet, ensure that the OBS resources to be accessed are inthe region where the ECS resides. If the OBS resources reside in a different region, access issupported only over the Internet.

SolutionConfigure intranet DNS on the established ECS. The intranet DNS resolves the OBSdomain name so that the ECS can access OBS through the intranet. Figure 5-1shows the access process.

Object Storage ServiceBest Practices 5 Accessing OBS over Intranet


Figure 5-1 Accessing OBS over intranet

Table 5-1 describes the services in the figure.

Table 5-1 Service description

Service Description

Virtual Private Cloud(VPC)

VPC enables users to create an isolated virtual networkenvironment defined and managed by themselves,improving security of resources in the cloud andsimplifying network deployment.A subnet is a network that provides IP addressmanagement and DNS services for the ECS in a VPC. IPaddresses of an ECS must be in the same subnet of theECS.

Domain Name Service(DNS)

Intranet DNS is provided for resolving intranet domainnames and OBS domain names. This simplifies thedomain name resolution process and reduces costs ondata transfer over the internet.

● For Windows ECSs, you are advised to use OBS Browser+ to access OBS overintranet. For details, see:Accessing OBS over Intranet by Using OBS Browser+ on a Windows ECS

● For Linux ECSs, you are advised to use obsutil to access OBS over intranet. Fordetails, see:Accessing OBS over Intranet by Using obsutil on a Linux ECS



When accessing OBS through the intranet from your ECSs, you can read, back up,and archive data without affecting the internet bandwidth.

5.2 Accessing OBS over Intranet by Using OBS Browser+on a Windows ECS

OBS Browser+ is a graphical interface tool for managing OBS resources. You canconfigure the intranet DNS server address to access OBS over intranet from aHUAWEI CLOUD Windows ECS. The process and procedure are described asfollows:

Process

Figure 5-2 The process of accessing OBS over intranet by using OBS Browser+ ona Windows ECS



Procedure

Step 1 Log in to a Windows ECS.

1. Log in to HUAWEI CLOUD and click Console.2. On the homepage of the console, choose Computing > Elastic Cloud Server.3. Select an ECS and log in to the ECS.

A Windows ECS provides two login modes, VNC remote login and MSTSC. Fordetails, see Purchasing and Logging In to a Windows ECS.

Step 2 Check whether the intranet DNS is configured on the Windows ECS.

On the Windows ECS, you can view the current DNS configuration by using thegraphical user interface (GUI) or command line interface (CLI). This section usesthe CLI as an example to explain how to view the DNS configuration.

1. After logging in to the ECS, open the CLI.2. Run the ipconfig /all command to check whether the DNS server is at the

intranet DNS address in the region where the ECS resides.

NO TE

HUAWEI CLOUD provides different intranet DNS server addresses for different regions.For details, see What Are the Private DNS Server Addresses Provided by the DNSService?

– If not, go to Step 3.– If yes, go to Step 4.

Step 3 Configure the intranet DNS.

Change the DNS server address of the ECS to the intranet DNS provided byHUAWEI CLOUD. You can change the DNS address of the VPC subnet or modifythe local DNS configuration to achieve this.

● Methods 1: Changing the DNS server address of the VPC subnetLocate the VPC where the ECS resides and change the DNS server address ofthe VPC subnet to the intranet DNS address. In this manner, ECSs in the VPCcan use the intranet DNS for resolution and thereby you can access OBS onHUAWEI CLOUD intranet. For details, see Modifying a Subnet.

NO TE

The intranet DNS server address must be selected based on the region where the ECSresides. For details, see What Are the Private DNS Server Addresses Provided by theDNS Service?

● Method 2: Modifying the local DNS configurationThe intranet DNS configured using this method becomes invalid once the ECSis restarted. Therefore, you need to reconfigure the intranet DNS after eachrestart of the ECS. This example uses the CLI tool to modify the DNSconfiguration locally.

1. Open the cmd window.2. Run the following command to configure the IP address of the primary DNS

server:netsh interface ip set dns name="Local connection" source=static addr=Intranet DNS server address register=primary



https://www.huaweicloud.com/intl/en-us/

https://support.huaweicloud.com/intl/en-us/qs-ecs/en-us_topic_0021831611.html

https://support.huaweicloud.com/intl/en-us/dns_faq/dns_faq_002.html


https://support.huaweicloud.com/intl/en-us/usermanual-vpc/vpc_vpc_0001.html



NO TE

– Local connection: NIC name. Use the actual NIC name when configuring the localDNS.

– Intranet DNS server address: Select the intranet DNS server address based on theregion where the ECS resides. For details, see What Are the Private DNS ServerAddresses Provided by the DNS Service?

3. (Optional) Run the following command to configure the IP address of thebackup DNS server:netsh interface ip add dns name="Local connection" addr=Alternative DNS server address index=2

NO TE

– Local connection: NIC name. Use the actual NIC name when configuring the localDNS.

– Alternative DNS server address: The DNS server used when the primary DNSserver is faulty, unavailable, or cannot resolve the requested domain name.Therefore, you can set this parameter to the IP address of the HUAWEI CLOUDintranet DNS server. (You need to select the intranet DNS server address based onthe region where the ECS resides. For details, see What Are the Private DNSServer Addresses Provided by the DNS Service?) You can also set this parameterto the IP address of a public DNS server.

Step 4 Download OBS Browser+.

For details, see Downloading OBS Browser+.

Step 5 Log in to OBS Browser+.

OBS Browser+ uses accesses OBS over the internet by default. Therefore, whenyou log in to OBS Browser+ to add an account, set Service and Server Address asfollows:

● Service: Select Other object storage services.● Server Address: Enter the OBS domain name for the region where your ECS

resides and the port number. The HTTPS port number is 443 and the HTTPport number is 80. An HTTPS server is used by default.Example: obs.ap-southeast-1.myhuaweicloud.com:443

NO TE

For details about OBS regions and endpoints, see Regions and Endpoints.

Step 6 Start to use OBS Browser+.

After logging in to OBS Browser+, you can access OBS over HUAWEI CLOUDintranet from the Windows ECS to perform basic data access operations andconfigure other advanced settings.

For details, see the Introduction to OBS Browser+.

----End







https://support.huaweicloud.com/intl/en-us/browsertg-obs/obs_03_1003.html

https://developer.huaweicloud.com/intl/en-us/endpoint


5.3 Accessing OBS over Intranet by Using obsutil on aLinux ECS

obsutil is a command line tool applicable to Windows and Mac operating systems.You can configure the intranet DNS server address to access OBS over intranet ona HUAWEI CLOUD Linux ECS. The process and procedure are described as follows.

Process

Figure 5-3 The process of accessing OBS over intranet by using OBS Browser on aLinux ECS

Procedure

Step 1 Log In to the Linux ECS.

1. Log in to HUAWEI CLOUD and click Console.



https://www.huaweicloud.com/intl/en-us/

2. On the home page of the console, choose Computing > Elastic Cloud Server.3. Select an ECS and log in to the ECS.

The login mode varies according to the login authentication mode set duringthe Linux ECS purchase. For details about how to log in to the ECS, seePurchasing and Logging In to a Linux ECS.

Step 2 Check whether the intranet DNS is configured on the Linux ECS.

1. Log in to the Linux ECS and open the CLI.2. Run the cat /etc/resolv.conf command to check whether the IP address after

nameserver in the first line is the intranet DNS address of the region wherethe current ECS resides.

NO TE

HUAWEI CLOUD provides different intranet DNS server addresses for different regions.For details, see What Are the Private DNS Server Addresses Provided by the DNSService?

– If no, go to Step 3.– If yes, go to Step 4.

Step 3 Configure the Intranet DNS.

Change the DNS server address of the ECS to the intranet DNS provided byHUAWEI CLOUD. You can change the DNS address of the VPC subnet or modifythe local DNS configuration to achieve this.

● Methods 1: Changing the DNS server address of the VPC subnetLocate the VPC where the ECS resides and change the DNS server address ofthe VPC subnet to the intranet DNS address. In this manner, ECSs in the VPCcan use the intranet DNS for resolution and thereby you can access OBS onHUAWEI CLOUD intranet. For details, see Modifying a Subnet.

NO TE

The intranet DNS server address must be selected based on the region where the ECSresides. For details, see What Are the Private DNS Server Addresses Provided by theDNS Service?

● Method 2: Modifying the local DNS configurationThe following uses an ECS running 64-bit CentOS 6.x as an example todescribe how to modify the local DNS configuration.

a. Open the CLI.b. Run the following command to open the /etc/resolv.conf file:

vi /etc/resolv.conf

c. Press i to enter the editing mode. In the /etc/resolv.conf file, add theintranet DNS server address before the existing DNS server address in thefollowing format:nameserver Intranet DNS server address



https://support.huaweicloud.com/intl/en-us/qs-ecs/en-us_topic_0092494193.html



https://support.huaweicloud.com/intl/en-us/usermanual-vpc/vpc_vpc_0001.html



NO TE

▪ Intranet DNS server address: Select the intranet DNS server address basedon the region where the ECS resides. For details, see What Are the PrivateDNS Server Addresses Provided by the DNS Service?

▪ The IP address of the new DNS server must come before all existing DNS IPaddresses.

▪ DNS servers are selected in the sequence of nameserver. A new DNS server isselected only when the previous DNS server is faulty, unavailable, or cannotresolve the requested domain name. Therefore, if you want to switch to thepublic network access mode, you need to change the first line of the DNSaddress to a public DNS server address or add a public DNS server addressbefore the existing DNS server address.

d. Press ESC and enter :wq! to save the settings and close the file.

NO TE

The modified DNS server address takes effect immediately after you save themodification to the /etc/resolv.conf file.

Step 4 Download obsutil.

For details about the latest version of obsutil and download link, see Downloadand Installation.

Step 5 Configure obsutil.

Before using, you need to configure the interconnection between obsutil and OBS.Parameters include OBS endpoints and access keys (AK and SK). For details, seePerforming Initial Configuration in the obsutil tool guide.

NO TE

The OBS endpoint needs to be entered according to the region where the ECS resides. Fordetails about OBS regions and endpoints, see Regions and Endpoints.

Step 6 Use obsutil.

After obsutil is successfully configured, you can access OBS over HUAWEI CLOUDintranet on the Linux ECS to perform basic data access operations and otheradvanced settings.

For details, see the following topics:

● Uploading an Object● Downloading an Object

For details about operations, see Introduction to obsutil.

----End





https://support.huaweicloud.com/intl/en-us/utiltg-obs/obs_11_0003.html



https://developer.huaweicloud.com/intl/en-us/endpoint




6 Using a User-Defined Domain Name toHost a Static Website

6.1 Static Website HostingOBS allows you to access static websites hosted by OBS using user-defineddomain names. This section uses a typical scenario as an example to describe howto use a user-defined domain name to configure static website hosting. Beforestarting the configuration, you may need to learn more about static websitehosting.

Scenario IntroductionCompany A has a large number of files to archive but it does not want to investefforts on storage resources. Therefore, the company subscribes to OBS to hoststatic websites and expects that users under the company's account can access thestatic resources through a user-defined domain name. See Figure 6-1.

Figure 6-1 Using a user-defined domain name to access hosted static website


6 Using a User-Defined Domain Name to Host aStatic Website


https://support.huaweicloud.com/intl/en-us/ugobs-obs/obs_41_0036.html


Data Planning

Table 6-1 describes the data to be planned before this configuration.

Table 6-1 Data planning

Item Description Example

User-defineddomain name

User's own domain name www.example.com

Static websitehomepage

Indicates the index page thatis returned when you access astatic website, that is, thehomepage.

index.html

Default 404 Page When an incorrect staticwebsite path is accessed, the404 error page is returned.

error.html

● Content of the index.html file<html> <head> <title>Hello OBS!</title> <meta charset="utf-8"> </head> <body> Welcome to use OBS static website hosting. This is the homepage. </body></html>

● Content of the error.html file<html> <head> <title>Hello OBS!</title> <meta charset="utf-8"> </head> <body> Welcome to use OBS static website hosting. This is the 404 error page. </body></html>

Process of Static Website Hosting

You need to create a bucket on OBS Console to store static website resources,enable static website hosting for the bucket, and bind the user-defined domainname to the newly created bucket using the user-defined domain name bindingfunction provided by OBS. Then, create and configure domain name hosting usingDomain Name Service (DNS) so that a user-defined domain name can be used toaccess the static website hosted on the OBS. Specific operations are as follows:

1. Register a domain name.

2. Create a bucket.

3. Upload static website files.

4. Host the static website on OBS.5. Bind a user-defined domain name.6. Create and configure domain name hosting.7. Verify the configuration.

Procedure

Step 1 Register a domain name.

If you have a registered domain name, skip this step.

If you do not have a registered domain name, register one with a registrar. In thisscenario, the example domain name www.example.com is used. In practice, youneed to replace the domain name with the one you actually planned.

Step 2 Create a bucket.

There is no special requirement for bucket names. You only need to create abucket for storing static website files as prompted. The following exampledescribes how to create a bucket named example:

1. Open OBS Console and log in to the console as prompted.2. Click Create Bucket in the upper part of the page.3. Set the following parameters in the dialog box that is displayed:

– Region: Select a region close to the service according to the proximityprinciple.

– Storage Class: It is recommended that you select Standard.

NO TE

You can also select Low Frequency Access or Archive based on the websiteaccess frequency and response speed requirements. For details about storageclasses, see Storage Classes.

– Bucket Name: Enter example.– Bucket Policies: Select Public Read to allow any user to access objects in

the bucket.– Default Encryption: Select Disable.

4. Click Create Now. The bucket is created.

Step 3 Upload static website files.

Prepare the static website files to be uploaded and repeat the following steps onOBS Console until all static website files are uploaded to bucket created in Step 2.

NO TE

In regions where batch uploading is available, you can upload a maximum of 100 files in abatch, with a total size not more than 5 GB. If there are a large number of website files,you are advised to use OBS Browser+ to upload them. For details, see Using OBS Browser+to Upload a File or Folder.

1. Click the name of the target bucket to go to the bucket overview page, andthen click Object in the navigation pane on the left.

2. Click Upload Object. A dialog box is displayed. For details, see Figure 6-2.




https://storage-intl.huaweicloud.com/obs/?locale=en-us#/obs/manager/buckets




Figure 6-2 Uploading an object

3. Add the files to be uploaded.

NO TE

– The static website files cannot be encrypted for upload.– It is recommended that you select Standard for the storage class. If the storage

class of static website files is Archive, you need to restore the files first beforeaccessing it. For details, see Restoring an Archive File on OBS.

– The website home page file (index.html) and 404 error page (error.html) must bestored in the root directory of the bucket.

4. Click Upload to upload the files.

Step 4 Configure static website hosting.

After uploading the static website files, you need to perform the following steps toset the bucket to the static website hosting mode.

NO TE

You can also redirect the entire static website to another bucket or domain name. Fordetails, see Configuring Redirection.

1. Click the bucket that you want to configure. On the Overview page that isdisplayed, choose Basic Configurations > Static Website Hosting on thenavigation pane on the left.

2. Click Configure Static Website Hosting.3. In the dialog box that is displayed, select Use this bucket to host a website,

set Default Home Page to index.html in the data plan, and set Default 404Error Page to error.html in the data plan. See Figure 6-3.




https://support.huaweicloud.com/intl/en-us/usermanual-obs/obs_03_0320.html


Figure 6-3 Configuring static website hosting

NO TE

You can also configure redirection rules based on service requirements to implementwebsite content redirection. For details, see Configuring Static Website Hosting.

4. Click OK.

Step 5 Bind a user-defined domain name.

To bind a user-defined domain name to OBS, perform the following steps:

1. Click the bucket name to go to the Overview page. In the navigation tree onthe left, click Domain Name Management.

2. Click Bind User Domain Name, and enter www.example.com in the UserDomain Name text box, as shown in Figure 6-4.

Figure 6-4 Binding a user domain name

3. Click OK. The user-defined domain name is bound to the bucket domainname.





Step 6 Create and configure domain name hosting.

To facilitate unified management of your user-defined domain names and staticwebsites and implement cloud-based services, you can directly manage your user-defined domain names on HUAWEI CLOUD DNS. After the hosting is configured,you can perform subsequent management of the domain name on DNS, includingmanaging record sets and PTR records, as well as creating wildcard DNS records.

NO TE

Alternatively, you can add a CNAME record to the DNS at the DNS registrar, mapping to thewebsite domain name hosted by the bucket. For example: If the region of bucketwww.example.com is AP-Hong Kong, you need to add a CNAME record whose value iswww.example.com CNAME www.example.com.obs-website.ap-southeast-1.myhuaweicloud.com at your DNS registrar.

To create and configure domain name hosting on DNS, perform the followingsteps:

1. Add a public zone.Use the root domain name example.com created in Step 1 as the name ofthe public zone to be created. For details, see "Create a Public Zone" inConfiguring Record Sets for a Website.

2. Add a CNAME record.In DNS, add a record set for the sub-domain name www.example.com of thehosted domain name, to map the CNAME of the sub-domain name to thestatic website domain name hosted by OBS. Configure the parameters asfollows:– Name: Enter www.– Type: Select CNAME-Canonical name.– Line: Select Default.– TTL (s): Retain the default value.– Value: Domain name mapped to the CNAME. If CDN acceleration is

disabled when a user-defined domain name is bound, enter the staticwebsite hosting domain name of the bucket. If CDN acceleration isenabled, set this parameter to the acceleration domain name (CNAME)provided by CDN.

For details, see Adding a CNAME Record Set.3. Change the DNS server address at your domain name registrar.

At your domain name registrar, change the DNS server address in the NSrecord of the root domain name to the cloud DNS server address. The specificaddress is the NS value of the public zone in DNS.For details about how to change the IP address of the DNS server, see section"Change the DNS Servers of the Domain Name" in Configuring Record Setsfor a Website.

NO TE

Generally, the update takes effect within 48 hours, but the time may vary dependingon domain name registrars.

Step 7 Verify that the configuration is successful.




https://support.huaweicloud.com/intl/en-us/qs-dns/en-us_topic_0035467699.html

https://support.huaweicloud.com/intl/en-us/usermanual-dns/dns_usermanual_0010.html



● Enter www.example.com in the address bar of the browser to check whetherthe default homepage can be accessed. For details, see Figure 6-5.

Figure 6-5 Default homepage

● In the web browser, enter a static file access address that does not exist in abucket. For example: www.example.com/imgs to verify that the 404 errorpage can be returned See Figure 6-6.

Figure 6-6 Default 404 Page

NO TE

Due to browser cache, you may need to clear the browser cache to view the expectedeffect.

----End

6.2 Updating a Static WebsiteIf you need to update a static file (such as a picture, music file, HTML file, or CSSfile) on a website, you can upload the static file again. Note that the newlyuploaded files in the same path of OBS overwrite the existing files with the samenames by default. To avoid file overwriting, you can enable the versioning functionof OBS. With versioning enabled, OBS can store multiple versions of a static file.




You can quickly search for and restore different versions or restore data in theevent of mis-operations or application faults.

Enabling Versioning

Step 1 Log in to OBS Console.

Step 2 In the bucket list, click the target bucket to go to the Overview page.

Step 3 In the Basic Information area, locate Versioning and click Edit to its right. SeeFigure 6-7.

Figure 6-7 Versioning

Step 4 Select Enable and click OK to enable versioning for objects in the bucket.

----End

For more information about versioning, see Versioning.

Updating Static Files

Step 1 Log in to OBS Console.

Step 2 In the bucket list, click the target bucket to go to the Overview page.

Step 3 In the navigation tree on the left, click Object.

Step 4 Click Upload Object, or select the folder where the file to be updated is locatedand click Upload Object. A dialog box is displayed. See Figure 6-8.





Figure 6-8 Uploading an object

Step 5 Add the files to be uploaded.

NO TE

● The static website files cannot be encrypted for upload.● It is recommended that you select Standard for the storage class. If the storage class of

static website files is Archive, you need to restore the files first before accessing it. Fordetails, see Restoring an Archive File on OBS.

Step 6 Click Upload to complete the upload.

The newly uploaded file with the same name in the same path is displayed as thelatest version in the object list. Each time, only the latest version of the file isaccessed. In this way, the static website file can be updated.

----End





7 Enterprise Data Access Control

7.1 Introduction to OBS Access ControlBy default, only the resource owner can access OBS resources. Withoutauthorization, other users cannot access OBS. OBS offers multiple methods to helpyou to assign the resource permissions to others. Resource owners can formulatedifferent access control schemes based on service requirements to ensure datasecurity.

OBS Access Control Mechanisms

OBS provides multiple permission control mechanisms, including IAM permissions,object ACLs, bucket ACLs, and bucket policies. Table 7-1 describes the mechanismsand application scenarios.

Table 7-1 OBS access control mechanisms

Mechanism Description Application Scenario

IAMpermissions

IAM permissions define theactions that can be performedon your cloud resources. In otherwords, IAM permissions specifywhat actions are allowed ordenied. After an IAM user iscreated, the administrator needsto add the user to a group. IAMcan grant the user grouprequired OBS access permissions,and then all users in the groupautomatically inherit thepermissions of the user group.For details about OBSpermissions that can beauthorized by IAM, seePermissions Management.

● Controlling permissionsto cloud resources as awhole

● Controlling permissionsto all OBS buckets andobjects

Object Storage ServiceBest Practices 7 Enterprise Data Access Control


https://support.huaweicloud.com/intl/en-us/usermanual-iam/iam_01_0001.html


https://support.huaweicloud.com/intl/en-us/productdesc-obs/obs_03_0045.html


Object ACL Controls access to objects foraccounts or user groups. Objectowners can configure the objectaccess control list (ACL) to grantbasic read and write permissionsto specified accounts or usergroups.NOTE

● By default, an object ACL iscreated when the object isuploaded. The object owner hasfull control over the object.

● The owner of an object is theaccount that uploads the object,who may not be the owner ofthe bucket to which the objectbelongs. For example, account Bis granted the permission toaccess a bucket of account A,and account B uploads a file tothe bucket. In that case, insteadof the bucket owner account A,account B is the owner of theobject.

● Object-level accesscontrol is required. Abucket policy can controlaccess permissions foran object or a set ofobjects. If you want tofurther specify an accesspermission for an objectin the set of objects forwhich a bucket policyhas been configured,then the object ACL isrecommended for easieraccess control oversingle objects.

● An object is accessedthrough a URL.Generally, if you want togrant anonymous usersthe permission to readan object through a URL,use the object ACL.

Bucket ACL Controls access to buckets foraccounts or user groups. Bucketowners can configure the bucketACL to grant basic read andwrite permissions to specifiedaccounts or user groups.NOTE

● By default, a bucket ACL iscreated upon the creation of thebucket. The bucket owner hasfull control over the bucket.

● Bucket ACLs do not provide fine-grained permission control.Generally, IAM permissions andbucket policies arerecommended for permissionaccess control.

● Grant an account withthe read and writeaccess to a bucket, sothat data in the bucketcan be shared or thebucket can be mounted.For example, if accountA grants the bucket readand write permissions toaccount B, then accountB can access the bucketby using the API andSDK, and can add anexternal bucket throughOBS Browser+.



https://support.huaweicloud.com/intl/en-us/perms-cfg-obs/obs_40_0005.html



Bucket policy Bucket policies providecentralized access control onOBS resources, and define whichoperations on which cloudresources are allowed. They arethe extension and supplement ofACLs of buckets and objects.

● If no IAM permissionsare used for accesspermission control andyou want to authorizeother accounts thepermission to accessyour OBS resources, youcan use bucket policiesto authorize suchpermissions.

● If you want to authorizeIAM users differentaccess permissions todifferent buckets, youcan configure differentbucket policies forbuckets.

● If you want to authorizeother accounts thepermission to accessyour buckets, you canuse bucket policies toauthorize suchpermissions.

For details about access control mechanisms when grantees and authorizedresources are involved, see Table 7-2.

Table 7-2 OBS access control mechanisms

Mechanism

Grantee AuthorizedResource

Granted Operation ConditionConfiguration

IAMpermissions

IAM users All orspecifiedOBSresources

All permissions to accessOBS

Supported




Mechanism



ObjectACL

● Accounts

● Anonymoususers

Objects ● Obtains the content andmetadata of an object.

● Obtains the content andmetadata of a specifiedobject.

● Obtains the ACL for anobject.

● Obtains the ACL for anobject of a specifiedversion.

● Configures object ACL.● Configures the ACL for an

object of a specifiedversion.

Notsupported

BucketACL

● Accounts

● Anonymoususers

● Logdeliveryusergroups

Buckets ● Identifies whether abucket exists.

● Lists objects in a bucket,and obtains the bucketmetadata.

● Lists multi-version objectsin a bucket.

● Lists multipart uploadtasks.

● Performs PUT upload,POST upload, multipartupload, initialization ofuploaded parts, andmerging of parts.

● Deletes an object.● Deletes an object of a

specified version.● Obtains the ACL for a

bucket.● Configures the ACL for a

bucket.

Notsupported



Mechanism



Bucketpolicy

● Accounts

● IAMusers

● Anonymoususers

All OBSresources

All operation permissions onOBS. For details, seeActions.

Supported

OBS Access Control Principles● Least privilege

Only the minimum permissions required for executing tasks are granted toIAM users or accounts. For example, if an IAM user only needs to upload anddownload objects to a specified directory, you do not need to assign the userthe read and write permissions to the bucket.

● Separation of duties

You are advised to use different IAM users under the same account tomanage different OBS resources and permissions. For example, IAM user A isresponsible for assigning permissions, and other IAM users managing OBSresources.

● Restricted conditions

Configure refined conditions for bucket policies to restrict scenarios where abucket policy takes effect, in order to enhance the security of resources in abucket. For example, OBS is configured to accept only access requests from aspecific IP address.

How Does Authorization Work When Multiple Access Control MechanismsCo-Exist?

Based on the least-privilege principle, decisions default to deny, and an explicitdeny statement always take precedence over an allow statement. For example,IAM permissions grant a user the access to an object, a bucket policy denies theuser's access to that object, and there is no ACL. Then access will be denied.

If no method specifies an allow statement, then the request will be denied bydefault. Only if no method specifies a deny statement and one or more methodsspecify an allow statement, will the request be allowed. For example, if a buckethas multiple bucket policies with allow statements, the adding of a new bucketpolicy with an allow statement will simply add the allowed permissions to thebucket, but the adding of a new bucket policy with a deny statement will result ina re-arrangement of the permissions. The deny statement will take precedenceover allowed statements, even the denied permissions are allowed in other bucketpolicies.



https://support.huaweicloud.com/intl/en-us/perms-cfg-obs/obs_40_0041.html#section1

Figure 7-1 Authorization process

Figure 7-2 is a matrix of the IAM permissions, bucket policies, and ACLs (allowand deny effects).

Figure 7-2 Matrix of the IAM permissions, bucket policies, and ACLs (allow anddeny effects)

Related Concepts● Account: An account is automatically created when a user registers with

HUAWEI CLOUD. This account has full access permissions for the resourcesand IAM users under the account.

● Administrator: A user who has the admin permission created in IAM andmanages IAM users on behalf of the account to ensure security of an accountand resources.

NO TE

admin is a user group preset on the IAM system and has all operation permissions. Anadministrator added to the admin user group has the same resource managementand user management permissions as the account.

● IAM user: A user created by the administrator in IAM. An IAM user uses cloudservices and corresponds to an employee, system, or application. IAM usershave identity credentials (passwords and access keys) and can log in to themanagement console or access APIs.



7.2 Access Management on Department Public DataAn enterprise has a large number of files to archive but it does not want to putefforts on storage resources. Therefore, this enterprise subscribes to OBS forstoring the files, and expects that staff in different departments have differentaccess permissions. By doing so, data access permissions of staff in differentdepartments are isolated.

The enterprise expects that administrators have the full control permission todepartment public data stored on OBS, and that common users can only readthose data. Figure 7-3 shows the logical relationships.

Figure 7-3 Logical relationship

Solution and ProcessIn this scenario, you can assign permissions by configuring IAM permissions. Setthe permission of the user group containing common users to Tenant Guest, sothat common users can access OBS as guests and have only the read permission.Figure 7-4 shows the process.



Figure 7-4 Flowchart of managing access to department public data

Procedure

Step 1 Create an administrator.

1. Log in to the HUAWEI CLOUD console using the enterprise account.2. On the console homepage, choose Service List > Management &

Deployment > Identity and Access Management to access the IAM console.3. On the IAM console, choose User in the left navigation tree.4. On the User page, click Create User. On the page that is displayed, enter a

username and configure the following parameters:– Select Password for Credential Type.– Select admin from the drop-down list of User Groups.

5. Click Next. Select Set manually for Password Type.6. Enter the email address, mobile number, password, and confirm password.7. Click OK.

Step 2 Create a user group with the read-only permission.

1. On the IAM console, choose User Group in the left navigation tree.2. Click Create User Group, and enter a user group name and description.3. Click OK.

The user group list is displayed, including the newly created user group.4. Locate the newly created user group, and click Configure Permission in the

Operation column.



5. In the User Group Permissions area on the displayed page, select OBS andclick Configure Policy.

6. In the available policy list, select the Tenant Guest policy.7. Click OK to save the permission for the user group.

Step 3 Create a common user.

1. On the IAM console, choose User in the left navigation tree.2. On the User page, click Create User. On the page that is displayed, enter a

username and configure the following parameters:– Select Password for Credential Type.– Select the user group created in Step 2 for User Groups.

3. Click Next. Select Set manually for Password Type.4. Enter the email address, mobile number, password, and confirm password.5. Click OK.

Step 4 Verify the user permission.

After the permission is granted, you can verify the permissions using OBS Console,OBS Browser+, APIs, and SDKs. This section takes OBS Console as an example topresent how to verify the read-only permission of common users on departmentpublic data.

1. Log in to OBS Console as a common user and check whether you have thepermission to access the OBS page.– If a message indicating that you do not have the permission to access the

page is displayed, you cannot read data in the bucket. In this case, checkwhether the user permission is correctly configured.

– If a bucket list is displayed, you have the permission to read the bucketlist. Go to the next step.

2. Click the bucket to be operated. On the Summary page that is displayed, clickObjects to view the list of objects.– If the data cannot be obtained and the message Access denied is

displayed, you have no permission to read data in the bucket. In this case,check whether the user permission is correctly configured.

– If the data is displayed, you have the read permission. Go to the nextstep.

3. On the Objects page, perform operations including uploading and deletingobjects.– If the write and delete operations can be performed, it indicates the read-

only permission fails to be granted. Check whether the user permissionconfiguration is correct.

– If not, the read-only permission for common users is correctly configured.

----End

7.3 Data Sharing Among Departments/ProjectsAn enterprise has data that needs to be shared among different departments orprojects. To reduce the risks of mistaken deletion and tampering of shared data,



the data can only be downloaded but not modified or deleted by users of otherdepartments.

In this scenario, department A shares data in the bucket example-bucket todepartment B, allowing users of department B to download the data. This casedescribes how to leverage the least privilege principle to control accesspermissions for the shared data. Figure 7-5 shows the logical relationships amongadministrators, users, and buckets for data sharing between the two departmentsin this scenario.


Solution and ProcessIn this scenario, the administrator of department A can use bucket policies toimplement permission control, so that users of department B can only downloadbut not modify or delete the shared data. Figure 7-6 illustrates the bucket policyconfiguration process.



Figure 7-6 Configuration process of permission control for data sharing

PrerequisitesAdministrators and common users of departments A and B have been created onIAM. For details about how to create an IAM user, see Creating an IAM User.

NO TE

The administrator of department A needs to perform operations such as creating bucketsand configuring bucket policies. Therefore, when creating an administrator, the user groupto which the administrator belongs must be granted at least the OBS Administratorpermissions of OBS.

Procedure


1. Log in to the HUAWEI CLOUD console as the administrator of department A.2. On the console homepage, choose Service List > Storage > Object Storage

Service to access OBS Console.




3. On OBS Console, click Create Bucket in the upper right corner.4. Select a region, storage class, and bucket policy, and then enter the bucket

name.

NO TE

To ensure data security, set Bucket Policy to Private and set other parameters asprompted.


Step 2 Authorize users with the upload permission.

If the OBS policy for the user group to which users of department A belong isTenant Administrator, OBS Administrator, or OBS OperateAccess, skip this stepand go to Step 3. If the OBS policy is not configured or the policy is set to OBSBuckets Viewer, OBS ReadOnlyAccess, or Tenant Guest, the administrator ofdepartment A needs to perform the following steps to grant the uploadpermission to users of department A.

1. On OBS Console, click the name of the bucket where the shared data is storedand the Summary page of the bucket is displayed.

2. In the navigation pane on the left, choose Permissions > Bucket Policy.3. Click Create Bucket Policy.4. In the first row of the bucket policy template, click Create Custom Policy.5. Set the following parameters to grant users in department A the permissions

to access the bucket (list objects) and upload objects.

Table 7-3 Parameters for granting permissions to access buckets and uploadobjects

Parameter Description

Policy View Select Visual editor.

Policy Name Custom

PolicyContent

Effect Select Allow.

Principal – Principal: Current account– Sub-user: Select the users of department A

who are allowed to upload data.– User Policy: Include specified users.

Resources – Resource: Select Current bucket and Objectin bucket and then select All objects underObject in bucket.

– Resource Policy: Include specifiedresources.

Actions – Select ListBucket and PutObject.– Operation Strategy: Include selected

actions.



6. Click Next in the lower right corner.7. Click Create.

Step 3 Authorize users with the download permission.

If the policy for the user group to which users of department B belong is TenantAdministrator, OBS Administrator, OBS OperateAccess, or Tenant Guest, skipthis step and go to step 4. If the OBS policy is not configured or the policy is setto OBS Buckets Viewer or OBS ReadOnlyAccess, the administrator ofdepartment A needs to perform the following steps to grant the downloadpermission to users of department B.

1. On OBS Console, click the name of the bucket where the shared data is storedand the Overview page of the bucket is displayed.

2. In the navigation pane on the left, choose Permissions > Bucket Policy.3. Click Create Bucket Policy.4. In the first row of the bucket policy template, click Create Custom Policy.5. Set the following parameters to grant users in department B the permission

to download objects.

Table 7-4 Parameters for authorizing the permission to download objects



Policy Name Custom

PolicyContent


Principal – Principal: Current account– Sub-user: Select the users of department B

who are allowed to download data.– User Policy: Include specified users.

Resources – Resource: Select Current bucket and Objectin bucket and then select All objects underObject in bucket.If you need to share only a folder or a set ofobjects in the bucket, select Specific objectsunder Object in bucket, and, underResource path, enter the name of the folder(for example, example-folder/) or an objectset with a wildcard character (for example,*.doc, indicating all objects whose nameends with .doc). You can add multiple objectname prefixes.





Actions – Select ListBucket, GetObject, andGetObjectVersion.

– Operation Strategy: Include selectedactions.

6. Click Next in the lower right corner.

7. Click Create.

Step 4 Prevent users from modifying and deleting the shared data.

1. On OBS Console, click the name of the bucket where the shared data is storedand the Overview page of the bucket is displayed.

2. In the navigation pane on the left, choose Permissions > Bucket Policy.

3. Click Create Bucket Policy.

4. In the first row of the bucket policy template, click Create Custom Policy.

5. Set the following parameters to prevent users in department B from writingor deleting the shared data.

Table 7-5 Parameters for preventing users from writing or deleting data


Policy View Visual editor

Policy Name Custom

PolicyContent

Effect Deny

Principal – Principal: Current account– Sub-user: Select users of department B who

are not allowed to write or delete data.– User Policy: Include specified users.

Resources – Resource: Select Current bucket and Objectin bucket and then select All objects underObject in bucket.If you need to prevent users from writing ordeleting only a folder or a set of objects inthe bucket, select Specific objects underObject in bucket, and, under Resourcepath, enter the name of the folder (forexample, example-folder/) or an object setwith a wildcard character (for example,*.doc, indicating all objects whose nameends with .doc). You can add multiple objectname prefixes.





Actions – Select the following actions:

▪ PutObject

▪ PutObjectAcl

▪ PutObjectVersionAcl

▪ DeleteObject

▪ DeleteObjectVersion

▪ AbortMultipartUpload

– Operation Strategy: Include selectedactions.


Step 5 Upload data.

Users in department A can upload data through OBS Console, OBS Browser+, APIs,and SDKs. This section takes the operations on OBS Console as an example todescribe how to upload data.

1. Log in to OBS Console as a user of department A.2. In the bucket list, click the name of the bucket that stores the shared data.3. In the navigation pane on the left, click Objects and then Upload Object.4. In the displayed Upload Object dialog box, select the upload mode, storage

class, and data to be uploaded.5. Click Upload.

You can click Task Management in the lower part of the page to view theupload progress and result.

Step 6 Verify the permission.

After the permission is configured, users of department B can verify thepermissions using OBS Console, OBS Browser+, APIs, and SDKs. This section takesOBS Console as an example to present how to verify that users of department Bcan only read the shared data.

1. Log in to OBS Console as an IAM user of department B.2. In the bucket list, click the name of the target bucket.3. In the left navigation pane, click Objects. The object list is displayed.4. Click Download in the row where a public data record is located.

– If the download fails, the download permission fails to be granted. Checkwhether the user group permission configuration is correct.

– If the download is successful, the download permission is grantedsuccessfully. Go to the next step.



5. Click Upload Object, select a file, and click Upload.– If the upload is successful, the permission configuration for preventing

write and deletion by users of other departments fails. Check whether thebucket policy is correctly configured.

– If the upload fails, the permission configuration is successful. Go to thenext step.

6. Click Delete in the row where a public data record is located.– If the deletion is successful, the permission configuration for preventing

write and deletion by users of other departments fails. Check whether thebucket policy is correctly configured.

– If the deletion fails, the permission configuration is successful.

----End

7.4 Authorizing Business Departments withIndependent Resource Permissions

A company usually consists of multiple business departments, and eachdepartment requires independent data management. In this scenario, you canallocate IAM users of different roles to each department, and configure bucketpolicies to authorize the IAM users with independent resource permissions.

Scenario AssumptionAssume that a company has two business departments: A and B. Each departmentneeds a separate bucket to store data, and users of each department have thepermission to upload data to their own department's bucket.

Figure 7-7 shows the logical relationships among administrators, users, andbuckets between the two departments.




NO TE

This example describes how to configure the upload permission for users of a department.You can configure other permissions based on the site requirements. For details aboutbucket policy permissions, see Bucket Policy.

Solution and Process

The administrators of department A and department B can configure bucketpolicies to allow only users of their own department to upload data to their owndepartment's bucket. For details about the configuration process, see Figure 7-8.

Figure 7-8 Permission control process

Prerequisites

You have an enterprise account of the company.

Procedure

Step 1 Create an administrator for each department and create users.

You need to use the enterprise account of the company to create IAM users asadministrators and common users. A department administrator can also createcommon users. In this example, each department has an administrator and severalusers.




Add the administrator to the admin user group, which has the permissions tocreate users and buckets and configure bucket policies. Other users only need thepermission to list buckets under the account but not permissions to create users orbuckets or configure bucket policies. Therefore, add other users to user groupswith the OBS Buckets Viewer permissions. For details about permissions, seePermissions Management.

1. Create a department administrator and some IAM users. For details, seeCreating an IAM User.

2. Add the administrator to the admin user group, and add other users to usergroups with the OBS Buckets Viewer permissions. For details, see AssigningPermissions to an IAM User.


The administrator of department A creates a bucket for its own department, sodoes the administrator of department B.

1. Log in to OBS Console as the administrators of the two departments insequence.

2. On the console homepage, choose Service List > Storage > Object StorageService to access OBS Console.

3. In the navigation pane on the left, choose Object Storage. On the page thatis displayed, click Create Bucket in the upper right corner.

4. Select a region, storage class, and bucket policy, and then enter the bucketname.

NO TE



Step 3 Authorize users with the upload permission.

The two administrators configure the upload permission for their own departmentusers in their own bucket separately.



3. In the navigation pane on the left, choose Object Storage. In the bucket list,click the department's bucket to go to the Summary page of the bucket.

4. In the navigation pane on the left, choose Permissions > Bucket Policy.5. Click Create Bucket Policy.6. In the first row of the bucket policy template, click Create Custom Policy.7. Set the following parameters to grant users in the department the

permissions to access the bucket (list objects) and upload objects.







Table 7-6 Parameters for granting permissions to access buckets and uploadobjects



Policy Name Custom

PolicyContent


Principal – Principal: Current account– Sub-user: Select the users who are allowed

to upload data in the department.– User Policy: Include specified users.

Resources – Resource: Select Current bucket and Objectin bucket.

▪ If the data can be uploaded to any folderin the bucket, select All objects underObject in bucket.

▪ If you want to upload the data only toone or more folders in the bucket, selectSpecified objects under Object inbucket, and, under Resource path, enterthe folder path and put a wild characterat its end (for example, example-folder/*). You can configure multipleresource paths.



actions.



After the permission is configured, users of department A and department B canverify the permissions by uploading objects through OBS Console, OBS Browser+,APIs, and SDKs.

The permission verification should focus on the following aspects (takingdepartment A for an example):

1. Users of department A can successfully upload objects to the bucket ofdepartment A.If users are allowed to upload objects to only the specified folder, ensure that:

a. Objects can be successfully uploaded to the specified folder.



b. Upload of objects to folders other than the specified one will fail.

2. Users of department A fail to upload objects to the bucket of department B.

3. Users of department A fail to download or delete any object from the bucketof department A.

4. Users of department A fail to download or delete any object from the bucketof department B.

If the preceding requirements are met, the permission configuration is successful.

----End

Department Administrator Permission Control

After the preceding configuration, all department administrators have fullpermissions for buckets of other departments. If you want to deny otherdepartment administrators' access to bucket resources of your department,configure a bucket policy according to the following procedure:

Step 1 Log in to the HUAWEI CLOUD management console as an administrator of yourdepartment.

Step 2 On the console homepage, choose Service List > Storage > Object StorageService to access OBS Console.

Step 3 In the navigation pane on the left, choose Object Storage. In the bucket list, clickthe department's bucket to go to the Summary page of the bucket.

Step 4 In the navigation pane on the left, choose Permissions > Bucket Policy.

Step 5 Click Create Bucket Policy.

Step 6 In the first row of the bucket policy template, click Create Custom Policy.

Step 7 Set the following parameters to prevent administrators of other departments fromaccessing the bucket of the department.

Table 7-7 Parameters for denying other department administrators' access to thebucket of the current department



Policy Name Custom

PolicyContent

Effect Select Deny.

Principal ● Principal: Current account● Sub-user: Select the administrators of other

departments.● User Policy: Include specified users.




Resources ● Resource: Select Current bucket and Object inbucket and then select All objects underObject in bucket.

● Resource Policy: Include specified resources.

Actions ● Select * (indicating all actions).● Operation Strategy: Include selected actions.

Step 8 Click Next in the lower right corner.

Step 9 Click Create.

----End

7.5 Isolating Bucket Resources Between BusinessDepartments

According to the permission control configured in Authorizing BusinessDepartments with Independent Resource Permissions, users in differentdepartments can only access resources of their own departments. However, theycan read all bucket resources under the enterprise account. This section describeshow to use OBS Browser+ to isolate bucket resources between businessdepartments by adding external buckets.

Scenario AssumptionAssume that a company has two business departments: A and B. Each departmentneeds a separate bucket to store data, and users of each department can view andupload data to only their own department's bucket.

Figure 7-9 shows the logical relationships among administrators, users, andbuckets between the two departments.




NO TE

This example describes how to configure the upload permission for users of a department.You can configure other permissions based on the site requirements. For details aboutbucket policy permissions, see Bucket Policy.

Solution and ProcessThis solution should focus on the following aspects:

1. Do not grant OBS access permissions to users created by a departmentadministrator.

2. Configure a bucket policy that allows users of their own department toperform list and upload operations only in their own bucket.

Figure 7-10 shows the process.




Figure 7-10 Permission control process

Prerequisites

You have an enterprise account of the company.

Procedure

Step 1 Create an administrator for each department and create users.

You need to use the enterprise account of the company to create IAM users asadministrators and common users. A department administrator can also createcommon users. In this example, each department has an administrator and severalusers.

Add the administrator to the admin user group, which has the permissions tocreate users and buckets and configure bucket policies. In this example, you donot need to log in to the IAM console and grant common users of the departmentwith any OBS permissions. For details about permissions, see PermissionsManagement.

1. Create a department administrator and some IAM users. For details, seeCreating an IAM User.

2. Add the administrator to the admin user group. Do not add other users touser groups with OBS access permissions. For details, see AssigningPermissions to an IAM User.









The administrator of department A creates a bucket for its own department, sodoes the administrator of department B.



3. In the navigation pane on the left, choose Object Storage. On the page thatis displayed, click Create Bucket in the upper right corner.

4. Select a region, storage class, and bucket policy, and then enter the bucketname.

NO TE



Step 3 Configure the permission to list objects in the bucket and upload objects tothe bucket.

The two administrators configure the permissions for their own department usersin their own bucket separately.



3. In the navigation pane on the left, choose Object Storage. In the bucket list,click the department's bucket to go to the Summary page of the bucket.

4. In the navigation pane on the left, choose Permissions > Bucket Policy.5. Click Create Bucket Policy.6. In the first row of the bucket policy template, click Create Custom Policy.7. Set the following parameters to grant the permissions to list objects in and

upload objects to the bucket.

Table 7-8 Parameters for granting permissions to list and upload objects



Policy Name Custom

PolicyContent


Principal – Principal: Current account– Sub-user: Select users in the department

who are allowed to view the bucket andupload objects to the bucket.

– User Policy: Include specified users.





▪ If the data can be uploaded to any folderin the bucket, select All objects underObject in bucket.

▪ If you want to upload the data only toone or more folders in the bucket, selectSpecified objects under Object inbucket, and, under Resource path, enterthe folder path and put a wild characterat its end (for example, example-folder/*). You can configure multipleresource paths.



actions.

8. Click Next in the lower right corner.

9. Click Create.


After the permission is configured, users of department A and department B canverify the permission through OBS Browser+.

NO TE

Users in the two departments have only the permission to access a specified bucket.Therefore, it is normal that these users are prompted that their access is restricted whenlogging in to OBS Console.

In this case, use OBS Browser+ to add the bucket of your own department to OBS Browser+as an external bucket for permission verification and subsequent upload operations.

To verify the permission on OBS Browser+, perform the following steps:

1. Download OBS Browser+.

2. Log in to OBS Browser+ as a department user.

NO TE

Due to the preceding permission configuration, it is normal that the system displays amessage indicating that the access is restricted after a department user logs in to OBSBrowser+.

3. In the navigation pane on the left, choose External Bucket.

4. Click Add. The dialog box for adding an external bucket is displayed. Enter thename of the authorized bucket.




Figure 7-11 Adding an external bucket

5. Click OK. The external bucket is displayed in the bucket list.6. Upload a file to the bucket and verify the upload permission.

The permission verification should focus on the following aspects (takingdepartment A for an example):

1. When users in department A log in to OBS Browser+ for the first time, amessage is displayed indicating that the access is restricted and no bucket isdisplayed.

2. Users of department A can successfully add the bucket of department A onOBS Browser+.

3. Users of department A fail to add the bucket of department B.4. Users of department A can successfully upload objects to the bucket of

department A.If users are allowed to upload objects to only the specified folder, ensure that:

a. Objects can be successfully uploaded to the specified folder.b. Upload of objects to folders other than the specified one will fail.

5. Users of department A fail to download or delete any object from the bucketof department A.

If the preceding requirements are met, the permission configuration is successful.

----End

Department Administrator Permission ControlAfter the preceding configuration, all department administrators have fullpermissions for buckets of other departments. If you want to deny otherdepartment administrators' access to bucket resources of your department,configure a bucket policy according to the following procedure:

Step 1 Log in to the HUAWEI CLOUD management console as an administrator of yourdepartment.

Step 2 On the console homepage, choose Service List > Storage > Object StorageService to access OBS Console.

Step 3 In the navigation pane on the left, choose Object Storage. In the bucket list, clickthe department's bucket to go to the Summary page of the bucket.

Step 4 In the navigation pane on the left, choose Permissions > Bucket Policy.



Step 5 Click Create Bucket Policy.

Step 6 In the first row of the bucket policy template, click Create Custom Policy.

Step 7 Set the following parameters to prevent administrators of other departments fromaccessing the bucket of the department.

Table 7-9 Parameters for denying other department administrators' access to thebucket of the current department



Policy Name Custom

PolicyContent

Effect Select Deny.

Principal ● Principal: Current account● Sub-user: Select the administrators of other

departments.● User Policy: Include specified users.

Resources ● Resource: Select Current bucket and Object inbucket and then select All objects underObject in bucket.

● Resource Policy: Include specified resources.

Actions ● Select * (indicating all actions).● Operation Strategy: Include selected actions.

Step 8 Click Next in the lower right corner.

Step 9 Click Create.

----End



8 Verifying Data Consistency

8.1 Overview

BackgroundData inconsistency may occur due to network hijacking, cache, and other reasonsduring object upload and download.

SolutionOBS verifies data consistency by calculating the MD5 value when data is uploadedor downloaded. By default, OBS does not automatically verify data consistency.You can enable data consistency verification when uploading and downloadingobjects. Methods are explained in the following table.

NO TE

● The consistency verification methods are compatible with each other. Specifically, youcan use one method to verify data consistency when uploading objects, and use anothermethod to verify data consistency during download of the objects.

● During object download, the MD5 verification takes effect only when the object to bedownloaded has an MD5 value.

Table 8-1 Data consistency verification methods

Method Description Operation Guide

obsutil With obsutil, a command linetool, you can run a simplecommand to upload ordownload objects and specifywhether to enable MD5verification.

Using obsutil to VerifyData Consistency DuringUpload

Using obsutil to VerifyData Consistency DuringDownload

Object Storage ServiceBest Practices 8 Verifying Data Consistency


Method Description Operation Guide

OBS Browser+

With OBS Browser, a GUI-basedtool, you can enable or disableMD5 verification through a fewclicks. OBS Browser also providestask management that allowsyou to view the verificationstatus.

Using OBS Browser+ toVerify Data ConsistencyDuring Upload

Using OBS Browser+ toVerify Data ConsistencyDuring Download

OBS SDK If you are a developer, you canuse the OBS SDK to conductsecondary development for MD5verification, and then proceedwith the verification resultaccording to your service needs.

Using OBS SDKs to VerifyData Consistency DuringUpload

Using OBS SDKs to VerifyData Consistency DuringDownload

When an object is being uploaded, OBS calculates the MD5 value of the object onthe client before uploading the object. Then OBS server calculates the MD5 valueof the uploaded object and compares it with the MD5 value carried in the uploadrequest. If the two values are consistent, the upload is successful. If the two valuesare inconsistent, the upload fails. Figure 8-1 illustrates how to use the MD5 valueto verify data consistency during upload.



Figure 8-1 Verifying data consistency during upload

When an object is being downloaded, OBS calculates the MD5 value of thedownloaded object and compares it with its original MD5 value. If the two valuesare consistent, the download is successful. If the two values are inconsistent, thedownload fails. Figure 8-2 illustrates how to use the MD5 value to verify dataconsistency during download.



Figure 8-2 Verifying data consistency during download

Impact

Enabling MD5 verification will affect upload and download performance.

8.2 Verifying Data Consistency During Uploadobsutil, OBS Browser+, and OBS SDKs support verification of data consistencyduring upload. You can select a method that meets your requirements. This topicprovides guidance on how to use these methods to verify data consistency duringobject upload.

Using obsutil to Verify Data Consistency During Upload

obsutil supports data consistency verification through the additional parametervmd5.

For example, to upload the test.txt file drive D on a Windows OS to bucketmytestbucket, run the following command to enable consistency verification:

obsutil cp D:\test.txt obs://mytestbucket/test.txt -vmd5

The object is uploaded after the verification passes, and Upload successfully isdisplayed in the command output.



Using OBS Browser+ to Verify Data Consistency During Upload

By default, MD5 verification is disabled on OBS Browser+. To enable MD5verification and upload objects through OBS Browser+, perform the followingsteps:


Step 2 Click in the upper right corner of displayed page and click AdvancedSettings.

Step 3 Select MD5 Verification. For details, see Figure 8-3.

Figure 8-3 Configuring MD5 verification

Step 4 Click OK.

Step 5 Select the bucket to which the file is to be uploaded and upload the file.

● If the MD5 verification is successful, the file will be uploaded successfully.



● If the MD5 verification fails, the file upload will fail and the failure cause willbe displayed on the task management page: failed to verify the file MD5value.

----End

Using OBS SDKs to Verify Data Consistency During UploadOBS provides SDKs for multiple programming languages such as Java and Python.You can specify the Content-MD5 parameter to enable consistency verificationwhen uploading objects through any OBS SDK. For details about how to computeand set the MD5 value of an object, see section "Setting Object Properties" in OBSSDK of the programming language that you use.

For example, to upload file text.txt from drive D on a Windows OS to bucketmytestbucket by using OBS Java SDK, you can use the following sample code toverify data consistency through the MD5 value:

String endPoint = "https://your-endpoint";String ak = "*** Provide your Access Key ***";String sk = "*** Provide your Secret Key ***";// Create an instance of ObsClient.ObsClient obsClient = new ObsClient(ak, sk, endPoint);// Compute and set the MD5 value.ObjectMetadata metadata = new ObjectMetadata();File file = new File("D:\\text.txt");FileInputStream fis = new FileInputStream(file);InputStream is = (InputStream)fis;String contentMd5 = obsClient.base64Md5(is);metadata.setContentMd5(contentMd5);// Upload a file that has the MD5 value.obsClient.putObject("mytestbucket", "text.txt", file, metadata);

NO TE

● The MD5 value of an object must be a Base64-encoded digest.● The OBS server will compare this MD5 value with the MD5 value obtained by object

data calculation. If the two values are not the same, the upload fails and the HTTPstatus code 400 is returned. If the two values are consistent, the object is successfullyuploaded and the HTTP status code 200 is returned.

8.3 Verifying Data Consistency During DownloadOBS Browser+, obsutil, and OBS SDKs support consistency verification duringobject download. You can select a verification method that meets yourrequirements. This topic provides guidance on how to use these methods to verifydata consistency during object download.

PrerequisitesThe object to be downloaded has an MD5 value. Data consistency is not verified, ifthe object does not have an MD5 value. The MD5 value of an object needs to becomputed and set when the object is uploaded. For details, see Verifying DataConsistency During Upload.



https://support.huaweicloud.com/intl/en-us/sdkreference-obs/obs_02_0001.html


Using obsutil to Verify Data Consistency During Downloadobsutil supports data consistency verification through the additional parametervmd5.

For example, to download the test.txt file from bucket mytestbucket to aWindows PC, perform the following steps to enable data consistency verification:

Step 1 Run the following command to check whether the object to be downloaded hasMD5 information:obsutil stat obs://test-bucket/test.txt

● If the returned information contains MD5 information, as shown in thefollowing figure, go to Step 2.

● If MD5 information is not contained, consistency verification cannot beperformed when the object is downloaded.

Step 2 Run the following command to download the object:obsutil cp obs://mytestbucket/test.txt D:\test.txt -vmd5

● The message highlighted in the following figure is displayed in the commandoutput when the object is downloaded and the consistency verification passes.

● If the object does not have an MD5 value, the object can be successfullydownloaded but data consistency is not verified. The message highlighted inthe following figure is displayed in the command output:

----End



Using OBS Browser to Verify Data Consistency During DownloadBy default, MD5 verification is disabled on OBS Browser+. To enable MD5verification and download objects from OBS Browser+, perform the followingsteps:


Step 2 Click in the upper right corner of displayed page and click AdvancedSettings.

Step 3 Select MD5 Verification. For details, see Figure 8-4.

Figure 8-4 Configuring MD5 verification

Step 4 Click OK.

Step 5 Select the bucket from which you want to download the object and download theobject.● If the MD5 verification is successful, the file will be downloaded successfully.● If the MD5 verification fails, the file download will fail and the failure cause

will be displayed on the task management page: failed to verify the file MD5value.

----End

Using OBS SDKs to Verify Data Consistency During DownloadThe verification compares the MD5 value in the custom metadata of the object tobe downloaded with that of the downloaded object to check whether thedownloaded object is consistent with the original object.

For example, to download file text.txt from bucket mytestbucket to drive D on aWindows OS by using OBS Java SDK, you can use the following sample code toverify data consistency through the MD5 value:String endPoint = "https://your-endpoint";String ak = "*** Provide your Access Key ***";



String sk = "*** Provide your Secret Key ***";// Create an instance of ObsClient.final ObsClient obsClient = new ObsClient(ak, sk, endPoint);// Obtain the MD5 value of the object.ObjectMetadata metadata = obsClient.getObjectMetadata("mytestbucket", "test.txt");String md5Origin = metadata.getUserMetadata("contentMd5");// Compute the MD5 value of the downloaded object.Obsobject obsobject = obsClient.getObject("mytestbucket", "test.txt");String md5Download = obsClient.base64Md5(obsobject.getObjectContent());// Compare the MD5 values.if(md5Origin.contentEquals(md5Download)) System.out.println("Object MD5 validation passes!\n");else System.out.println("Object MD5 validation failed!\n");

NO TE

In the preceding sample code, the contentMd5 parameter used to obtain the MD5 value ofan object is a customized metadata specified when the object is uploaded. Replace it withthe one that you customized for the actual development.



9 Performance Optimization

OBS manages partitions based on the UTF-8 code range of object names andimplements horizontal expansion and dynamic load balancing accordingly. If youuse sequential prefixes (such as timestamps or alphabetical order) in objectnaming, object access requests may be concentrated in a specific partition, causingaccess hotspots. The request rate in a hotspot partition is limited, as a result,access delay increases.

Random prefixes for object naming are recommended so that requests areevenly distributed across partitions, allowing horizontal expansion.

Example:

In a typical scenario of log archiving, the names of objects to be uploaded are asfollows:

yourbucket/obslog/20190610-01.log.tar.gzyourbucket/obslog/20190610-02.log.tar.gzyourbucket/obslog/20190610-03.log.tar.gzyourbucket/obslog/20190610-04.log.tar.gz...yourbucket/obslog/20190611-01.log.tar.gzyourbucket/obslog/20190611-02.log.tar.gzyourbucket/obslog/20190611-03.log.tar.gzyourbucket/obslog/20190611-04.log.tar.gz

You are advised to add a hexadecimal hash prefix with three or more digits to theobject name.

yourbucket/6ac-obslog/20140610-01.log.tar.gzyourbucket/b42-obslog/20140610-02.log.tar.gzyourbucket/17f-obslog/20140610-03.log.tar.gzyourbucket/ac9-obslog/20140610-04.log.tar.gz...yourbucket/95d-obslog/20140611-01.log.tar.gzyourbucket/4a5-obslog/20140611-02.log.tar.gzyourbucket/ea2-obslog/20140611-03.log.tar.gzyourbucket/ba3-obslog/20140611-04.log.tar.gz

Object Storage ServiceBest Practices 9 Performance Optimization


10 Accessing OBS from App Clients

ContextOBS is widely used as the storage for web apps and mobile apps (Android andiOS). When accessing OBS from Android or iOS apps, do not directly save accesskeys (AK and SK), which may be cracked by hacker software, and as a result,data stored in the cloud storage may be stolen or even tampered with. To betterprotect data and prevent data leakage and unauthorized access after attacks, youare advised to use the following two methods. Method 1 is recommended.

● Method 1: Using Temporary Access Keys and Security Token Obtainedfrom IAM to Access OBS

● Method 2: Using a Presigned URL to Access OBS

Method 1: Using Temporary Access Keys and Security Token Obtained fromIAM to Access OBS

By accessing OBS using temporary access keys and security token obtainedfrom IAM, you can directly upload data to OBS from app clients, and downloaddata from OBS. Figure 10-1 describes the process.

Object Storage ServiceBest Practices 10 Accessing OBS from App Clients






Figure 10-1 Using temporary access keys and security token to access OBS

Prerequisites

A bucket has been created on OBS Console.

You have configured the bucket to be read/written privately, or read publicly andwritten privately.

For details, see Creating a Bucket and Creating a Custom Bucket Policy.

Role Analysis

● App client: A mobile app of an end user. An app client sends a registration orlogin request to the app server, and accesses OBS to upload or downloaddata.

● App server: A backend provided by developers of Android or iOS apps. An appserver manages user accounts and authorization.

● OBS: A HUAWEI CLOUD object storage service that processes data requestsfrom mobile apps.

● IAM: HUAWEI CLOUD Identity and Access Management that generates atemporary credential.

Workflow

1. An app client requests a temporary credential for data upload from an appserver.

2. The app server requests a temporary credential from IAM.3. IAM returns a temporary credential to the app server.





4. The app server returns the AK, SK and token to the app client.5. The app client uses OBS SDKs to upload data to and download data from

OBS.

Procedure

Step 1 Obtain the OBS SDK and IAM SDK.

Obtain the Java SDK from the Java SDK developer guide listed in SDK Overview.

Step 2 Simulate the app server to request the AK/SK corresponding to the temporarycredential from IAM and request IAM to return the temporary credential.

Perform the following operations:

1. Obtain the user's IAM token.Obtain the token by following the instructions provided in Obtaining a UserToken Through Password Authentication. For Java SDK, see IAM Java SDKDemo.

2. Obtain the temporary AK, SK and token based on a request with the tokenand policy parameters.Obtain the access keys and token by following the instruction provided inObtaining a Temporary Access Key and SecurityToken Through a Token.For Java SDK, see IAM Java SDK Demo.

Example: Request for restricting the user to upload data only to a specific directoryof an OBS bucket based on the IAM fine-grained policy.

{ "auth":{ "identity":{ "policy":{ "Version":"1.1", "Statement":[STS { "Action":[ "obs:object:PutObject" ], "Resource":[ "obs:*:*:object:hi-company/APPClient/APP-1/*" ], "Effect":"Allow" } ] }, "token":{ "duration-seconds":900, "id":"MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALMEXXXXX..." }, "methods":[ "token" ] } }}

Step 3 Initialize the OBS Client.

Initialization example:

● For Android appsprivate static final String endPoint = "https://your-endpoint";private static final String ak = "*** Provide your Access Key ***";




https://support.huaweicloud.com/intl/en-us/api-iam/iam_30_0001.html


https://support.huaweicloud.com/intl/en-us/devg-sdk/sdk_01_0012.html




private static final String sk = "*** Provide your Secret Key ***";private static final String token = "*** Provide your Secret Key ***";private static ObsClient obsClient;// Create an ObsClient instance.ObsConfiguration config = new ObsConfiguration();config.setSocketTimeout(30000);config.setConnectionTimeout(10000);config.setEndPoint(endPoint);obsClient = new ObsClient(ak, sk,token,config); // Use the instance to access OBS.// Close ObsClient.obsClient.close();

● For iOS appsNSString *endPoint = @"your-endpoint";NSString *SK = @"*** Provide your Secret Key ***";NSString *AK = @"*** Provide your Access Key ***";// Initialize identity authentication.OBSStaticCredentialProvider *credentailProvider = [[OBSStaticCredentialProvider alloc] initWithAccessKey:AK secretKey:SK];securityTokencredentailProvider.securityToken = @"*** Provide your Security Token ***";// Initialize service configuration.OBSServiceConfiguration *conf = [[OBSServiceConfiguration alloc] initWithURLString:endPoint credentialProvider:credentailProvider];// Perform initialization.clientOBSClient *client = [[OBSClient alloc] initWithConfiguration:conf];

● For JavaScript web apps// AMD is not introduced. Use the constructor to create an ObsClient instance: var obsClient = new ObsClient({ access_key_id: '*** Provide your Access Key ***', secret_access_key: '*** Provide your Secret Key ***', security_token: '*** Provide your STS Token ***' server : 'https://your-endpoint'}); // Use the new ObsClient to access OBS.

// AMD is introduced. Use the injected constructor to create an ObsClient instance: var obsClient;define(['ObsClient'], function(ObsClient){ obsClient = new ObsClient({ access_key_id: '*** Provide your Access Key ***', secret_access_key: '*** Provide your Secret Key ***', security_token: '*** Provide your STS Token ***' server : 'https://your-endpoint' }); // Use the instance to access OBS});

----End

Method 2: Using a Presigned URL to Access OBSEach request initiated by an app client applies for a presigned URL from the appserver. The validity period of the presigned URL is determined by the app server.Figure 10-2 describes the process.



Figure 10-2 Using a presigned URL to access OBS

Prerequisites

1. A bucket has been created on OBS Console.You have configured the bucket to be read/written privately, or read publiclyand written privately.For details, see Creating a Bucket and Creating a Custom Bucket Policy.

2. Access keys (AK and SK) have been obtained.The presigned URL is generated using the access keys. For details about howto obtain access keys, see Access Keys (AK/SK). The user who uses the accesskeys (AK and SK) needs to have the minimum required permissions. Fordetails about how to authorize the permissions, see Creating a User andGranting OBS Permissions.

Role Analysis

● App client: A mobile app of an end user. An app client requests presignedURLs from the app server, and accesses OBS to upload or download data.

● App server: A backend provided by developers of Android or iOS apps. An appserver manages credential information and issue presigned URLs.

● OBS: A HUAWEI CLOUD object storage service that processes data requestsfrom mobile apps.

Workflow

1. An app client requests a presigned URL from an app server.Access keys (AK and SK) are not required for accessing OBS from the appclient. But a presigned URL must be obtained from the app server beforeaccessing OBS, and required information must be carried in the URL, includingthe request type, resource path, and resource name. For example, an uploadrequest needs to indicate that the URL is for uploading data. In the URL, the





https://support.huaweicloud.com/intl/en-us/productdesc-obs/obs_03_0208.html#section0



upload path and object name are specified. Similarly, a URL for downloadingdata should contain the name of the object to be downloaded.For details about how to compute a presigned URL, see Authentication ofSignature in a URL.

2. The app server stores access keys (AK and SK). After verifying that the clientis valid, the app server generates a presigned URL using the stored access keys(AK and SK), in accordance with the operation type and resources to beaccessed by the client. A sample URL:https://examplebucket.obs.cn-north-4.myhuaweicloud.com/objectkey?AccessKeyId=AccessKeyID&Expires=1532779451&Signature=0Akylf43Bm3mD1bh2rM3dmVp1Bo%3D

3. The app client obtains the URL and uses it to upload or download data.The URL contains information such as the AK, signature, validity period, andresources. Anyone who has the URL can perform related operations. OBSreceives the request and verifies the signature, deeming that the operation isperformed by the user who issues the URL. For example, if a URL carryingsignature information is constructed for downloading an object, anyone whohas the URL can download the object, but the URL is valid only before theexpiration time specified by Expires. If temporary access keys are used, theURL will be valid within the validity period of the access keys or before thetime specified by the minimum value of Expires. With the signature containedin a presigned URL, users can be authenticated to perform predefinedoperations, even if they have no SK.

Procedure

Step 1 Configure an app server.

1. Obtain the SDK.Obtain the Java SDK from the Java SDK developer guide listed in SDKOverview.

2. Generate the code for issuing a presigned URL.The following example describes how to use Java for development on the appserver.

NO TE

The app server needs to identify whether a common request header or a user-definedrequest header is used based on the operation type, and add the header to thecomputing for generating a presigned URL.– For details about common request headers, see Constructing a Request.– For details about user-defined request headers, see the corresponding API

Reference. For example, for PUT upload, see Uploading Objects - PUT.//Endpoint of the requested bucketString endPoint = "http://your-endpoint";

//Provide your AK and SK.String ak = "*** Provide your Access Key ***"; String sk = "*** Provide your Secret Key ***";

//Create an ObsClient instance.ObsClient obsClient = new ObsClient(ak, sk, endPoint); //Define the expiration time, in seconds.long expireSeconds = 3600L;

//Specify the requested operation.TemporarySignatureRequest request = new TemporarySignatureRequest(HttpMethodEnum.PUT, expireSeconds);



https://support.huaweicloud.com/intl/en-us/api-obs/obs_04_0011.html






//Specify the bucket name and object name involved in this operation.request.setBucketName("bucketname"); request.setObjectKey("objectname");

TemporarySignatureResponse response = obsClient.createTemporarySignature(request);

//The presigned URL is returned, and you can print the following URL information:System.out.println(response.getSignedUrl());

For more information and code samples, see Accessing OBS Using aTemporary URL.

Step 2 Use the presigned URL to initiate a request for accessing OBS.public class Demo extends Activity{ private static String bucketName = "my-obs-bucket-demo"; private static String objectKey = "my-obs-object-key-demo"; private static OkHttpClient httpClient; private static StringBuffer sb;

@Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); sb = new StringBuffer(); /* * Constructs a client instance with your account for accessing OBS */ httpClient = new OkHttpClient.Builder().followRedirects(false).retryOnConnectionFailure(false) .cache(null).build(); final TextView tv = (TextView)findViewById(R.id.tv); tv.setText("Click to start test"); tv.setOnClickListener(new View.OnClickListener() { @Override public void onClick(View v) { tv.setClickable(false); AsyncTask<Void, Void, String> task = new DownloadTask(); task.execute(); } }); }

class DownloadTask extends AsyncTask<Void, Void, String> { @Override protected String doInBackground(Void... params) { try { /* * You need to construct an object upload request and send it to the app server to generate a presigned URL for accessing OBS. * If the response result is stored in response, obtain the URL using the getSignedUrl() method. */ sb.append("Uploading a new object to OBS from a file\n\n"); Request.Builder builder = new Request.Builder(); // Use a PUT request to upload an object. Request httpRequest = builder.url(response.getSignedUrl()).put(RequestBody.create(MediaType.parse(contentType), "Hello OBS".getBytes("UTF-8"))).build(); Call c = httpClient.newCall(httpRequest); Response res = c.execute(); sb.append("\tStatus:" + res.code()); if (res.body() != null) { sb.append("\tContent:" + res.body().string() + "\n");



https://support.huaweicloud.com/intl/en-us/sdk-java-devg-obs/obs_21_0901.html

https://support.huaweicloud.com/intl/en-us/sdk-java-devg-obs/obs_21_0901.html

} res.close();

/* * You need to construct an object download request and send it to the app server to generate a presigned URL for accessing OBS. * If the response result is stored in response, obtain the URL using the getSignedUrl() method. */ sb.append("Downloading an object\n\n"); Request.Builder builder = new Request.Builder(); // Use a GET request to download an object. Request httpRequest = builder.url(response.getSignedUrl()).get().build(); OkHttpClient httpClient = new OkHttpClient.Builder().followRedirects(false).retryOnConnectionFailure(false).cache(null).build(); Call c = httpClient.newCall(httpRequest); Response res = c.execute(); System.out.println("\tStatus:" + res.code()); if (res.body() != null) { sb.append("\tContent:" + res.body().string() + "\n"); } res.close();

return sb.toString(); } catch (Exception e) { sb.append("\n\n"); sb.append(e.getMessage()); return sb.toString(); } finally { if (httpClient != null) { try { /* * Close obs client */ httpClient.close(); } catch (IOException e) { } } } }

@Override protected void onPostExecute(String result) { TextView tv = (TextView)findViewById(R.id.tv); tv.setText(result); tv.setOnClickListener(null); tv.setMovementMethod(ScrollingMovementMethod.getInstance()); } }}

----End



11 Accessing OBS Through an NGINXReverse Proxy

BackgroundGenerally, you can access OBS through a bucket access domain name (forexample, https://bucketname.obs.cn-north-4.myhuaweicloud.com) provided byOBS or through a user-defined domain name bound to an OBS bucket.

In some cases, you may need to use a fixed IP address to access OBS. For securitypurposes, some enterprises need to set a blacklist and a whitelist of external IPaddresses. In this case, a fixed IP address is required. Also for security purposes, anOBS bucket does not have a fixed IP address, because the DNS service of HUAWEICLOUD resolves the bucket access domain name to different IP addresses.

In this case, you can set up an NGINX reverse proxy server on an ECS so that youcan access OBS through a fixed IP address.

PrinciplesThis part explains how to deploy NGINX on an ECS and set up an NGINX reverseproxy server. The proxy is imperceptible. Requests are sent to the reverse proxyserver, which then obtains the required data from OBS and returns the data tousers. The reverse proxy server and OBS work as a whole. Only the IP address ofthe proxy server is exposed, while the actual domain name or IP address of OBS ishidden.

Object Storage ServiceBest Practices 11 Accessing OBS Through an NGINX Reverse Proxy


Figure 11-1 Principles of accessing OBS through an NGINX reverse proxy

Prerequisites● You have known the region where the bucket resides and bucket access

domain name of the bucket. For example, the access domain name of thebucket in the CN North-Beijing4 region is nginx-obs.obs.cn-north-4.myhuaweicloud.com. Viewing Basic Information of a Bucket

● You have a Linux ECS in the same region. CentOS is used here as an example.Purchasing an ECS with Customized Configurations

● The ECS is bound with an EIP, so that you can download the NGINXinstallation package over the public network.

Procedure

Step 1 Install NGINX on an ECS.

1. Log in to the ECS on which you will set up the NGINX reverse proxy server.2. Run the wget command to download the NGINX installation package for

your operating system in use. We use CentOS 7.6 as an example.wget http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

3. Run the following command to create a YUM repository for NGINX. Also weuse CentOS 7.6 as an example.rpm -ivh nginx-release-centos-7-0.el7.ngx.noarch.rpm

4. Run the following command to install NGINX:yum -y install nginx

5. Run the following commands to start NGINX and configure NGINX to startupon system startup:systemctl start nginxsystemctl enable nginx




https://support.huaweicloud.com/intl/en-us/qs-ecs/ecs_02_0009.html

6. Use a browser on any device to access http://ECS EIP. If the followinginformation is displayed, NGINX is successfully installed.

Figure 11-2 NGINX installed successfully

Step 2 Modify the NGINX configuration file to configure the reverse proxy for yourOBS bucket.

1. Run the following command to open the default.conf file:vim /etc/nginx/conf.d/default.conf

2. Press the i key to go to the edit mode and modify the default.conf file.server { listen 80; server_name **.**.**.**; # Enter the EIP of the ECS. location / { proxy_pass https://nginx-obs.obs.cn-north-4.myhuaweicloud.com; # Enter the bucket access domain name, starting with http:// or https://. index index.html index.htm ; }}

Table 11-1 Parameters in the configuration file


server_name IP address that provides the reverse proxy service. It is thefixed IP address that is exposed to end users for access.Enter the EIP of the ECS where the NGINX reverse proxyservice is deployed.

proxy_pass IP address of the proxied server.Enter the OBS bucket access domain name required inPrerequisites. The domain name must start with http:// orhttps://. Example:https://nginx-obs.obs.cn-north-4.myhuaweicloud.com

3. Press the Esc key and enter :wq to save the configuration and exit.4. Run the following command to check the status of the NGINX configuration

file:nginx -t

5. Run the following command to restart the NGINX service for theconfiguration to take effect:systemctl stop nginxsystemctl start nginx



Step 3 Configure an OBS bucket policy to allow the IP address of the NGINX proxyserver to access OBS.

To ensure data security in the bucket, configure the following two bucket policiesbased on a private bucket (without any bucket policies) to allow only the IPaddress of the Nginx proxy server to access the OBS bucket.

1. On OBS Console, in the navigation pane on the left, choose Object Storage.2. In the bucket list, click a bucket name, and then the Overview page of the

bucket is displayed.3. In the navigation pane on the left, choose Permissions > Bucket Policy.4. Click Create Bucket Policy.5. In the first row of the bucket policy template, click Create Custom Policy.6. Configure the following parameters.

Table 11-2 Bucket policy parameters



Policy Name Custom

PolicyContent


Principal – Principal: Anonymous user– User Policy: Include specified users.



Actions – Select Get* and List*.– Operation Strategy: Include selected

actions.

Conditions – Conditional Operator: IpAddress– Key: SourceIp– Value:

▪ If the ECS uses the private DNS ofHUAWEI CLOUD, the value is100.64.0.0/10.

▪ If the ECS uses a public DNS, the value isthe EIP of the ECS.


Step 4 Verify the reverse proxy configuration.



On any device, use the ECS EIP and object name to access specified OBS resources.If the resources are properly accessed, the configuration is successful.

For example, visit http://ECS EIP/ocean.jpg.

Figure 11-3 Using a fixed IP address to access OBS resources

----End



12 Migrating Data Between HUAWEICLOUD OBS Buckets

This section describes how to migrate data between HUAWEI CLOUD OBS bucketsthat are under different accounts or deployed in the same or different regions.

HUAWEI CLOUD Object Storage Migration Service (OMS) is an online datamigration service. It helps you migrate data from a third-party data storageservice to HUAWEI CLOUD OBS or migrate data between OBS buckets.

When you use OMS, you need only to specify the source data address anddestination OBS address on the console, and then create a migration task ormigration task group. For details about the differences between a migration taskand a migration task group, see What Are the Application Scenarios ofMigration Tasks and Migration Task Groups? After the migration task starts, youcan view and manage the task on the console.

CA UTION

● OMS is free until January 1, 2022. After the free trial expires, you will be billedonly for data migrated by OMS. During the migration, the APIs of the sourceand destination storage services are called to upload and download data. Youwill be billed for the API requests as well as data download and upload. Fordetails about the fees, see Pricing Details.

● OMS does not support the migration of objects of multiple versions.

Migration ProcessFigure 12-1 shows the migration process. For details, see Migrating DataBetween HUAWEI CLOUD OBS Buckets.


12 Migrating Data Between HUAWEI CLOUD OBSBuckets


https://support.huaweicloud.com/intl/en-us/oms_faq/oms_faq_0129.html

https://support.huaweicloud.com/intl/en-us/oms_faq/oms_faq_0129.html


https://support.huaweicloud.com/intl/en-us/bestpractice-oms/oms_05_0056.html

https://support.huaweicloud.com/intl/en-us/bestpractice-oms/oms_05_0056.html

Figure 12-1 Migrating data between HUAWEI CLOUD OBS buckets


12 Migrating Data Between HUAWEI CLOUD OBSBuckets


A Change History

ReleaseDate

What's New

2020-08-31 This issue is the eighth official release.This issue incorporates the following change:● Added the case of accessing OBS through an NGINX reverse

proxy.

2020-03-24 This issue is the seventh official release.This issue incorporates the following changes:● Added section "Verifying Data Consistency".

2019-12-14 This issue is the sixth official release.This issue incorporates the following change:● Added the section "Using a Presigned URL to Access OBS".

2019-11-05 This issue is the fifth official release.This issue incorporates the following change:● Added the topic "Isolating Bucket Resources Between Business

Departments" to the "Enterprise Data Access Control" section.

2019-10-09 This issue is the fourth official release.This issue incorporates the following change:● Added the topic "Authorizing Business Departments with

Independent Resource Permissions" to the "Enterprise DataAccess Control" section.

2019-07-06 This issue is the third official release.This issue incorporates the following change:● Added the section "Performance Optimization".

2018-11-30 This issue is the second official release.This issue incorporates the following change:● Added the section "Overview of OBS Best Practices."

Object Storage ServiceBest Practices A Change History


ReleaseDate

What's New

2018-09-30 This issue is the first official release.

Object Storage ServiceBest Practices A Change History


best practices - huawei cloudexample: periodically backing up files from an ftp server to obs cdm...

Documents