Azure: Table acl GET using Azure REST API do not w

Published 2020-07-30 00:11

Question:

I am following the Azure REST documentation for GET ACL Table, Authentication for the Azure Storage Services.

Below is the code snippet for REST operation I am performing.

//Input your Storage Account and access-key associated to it.
const yourStorageAccountName = '';
const accessKeyStorageAccount = '';
const Client = require('node-rest-client').Client;
const crypto = require("crypto");

async function getTableAcl() {
    let now = new Date();
    let nowUTC = now.toUTCString();
    let contentType = "application/json"
    // construct input value
    let stringToSign = `GET\n\n\n${nowUTC}\n/${yourStorageAccountName}/tablename\ncomp:acl`;
    let accesskey = accessKeyStorageAccount;
    // create base64 encoded signature
    // Buffer.from replaces the deprecated new Buffer(string, encoding) constructor
    let key = Buffer.from(accesskey, "base64");
    let hmac = crypto.createHmac("sha256", key);
    hmac.update(stringToSign);
    let sig = hmac.digest("base64");
    console.log("SIGNATURE : " + sig);
    console.log("nowutc : " + nowUTC);
    let args = {
        headers: {
            "Authorization": "SharedKey " + yourStorageAccountName + ":" + sig,
            "Date": nowUTC,
            "x-ms-version": "2015-12-11"
        }
    };
    let restClient = new Client();
    restClient.get(`https://${yourStorageAccountName}.table.core.windows.net/tablename?comp=acl`, args, function (data, response) {
        console.log(JSON.stringify(data));
        //console.log(response);
    });
}

getTableAcl()

The catch here is that there is no mention of Content-Type in Azure Table ACL documentation but in Authorization header part it is given to include Content-Type. Hence I am keeping the content-type as empty in "stringToSign" and am not providing the Content-Type header in the REST call. I might be missing something but I am not able to determine what it could be.

Can you let me know if I am missing anything in this case?

Answer 1:

Basically the issue is that you're generating canonicalized resource string correctly.

The documentation states the following:

2009-09-19 and later Shared Key Lite and Table service format

This format supports Shared Key and Shared Key Lite for all versions of the Table service, and Shared Key Lite for version 2009-09-19 and later of the Blob and Queue services and version 2014-02-14 and later of the File service. This format is identical to that used with previous versions of the storage services. Construct the CanonicalizedResource string in this format as follows:

  1. Beginning with an empty string (""), append a forward slash (/), followed by the name of the account that owns the resource being accessed.
  2. Append the resource's encoded URI path. If the request URI addresses a component of the resource, append the appropriate query string. The query string should include the question mark and the comp parameter (for example, ?comp=metadata). No other parameters should be included on the query string.

Based on this, your stringToSign should be:

let stringToSign = `GET\n\n\n${nowUTC}\n/${yourStorageAccountName}/tablename?comp=acl`;

Give it a try, it should work.
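
The following is an added example, not part of the original question or answer. It builds the Table service CanonicalizedResource from a request URL by following the two documented steps quoted above, then signs the result. The function names, account name, key and date are constructed for illustration.

```javascript
// Added example: all names and sample values below are hypothetical.
const crypto = require("crypto");

// Table service CanonicalizedResource: "/" + account + encoded URI path,
// plus "?comp=<value>" when present. All other query parameters are dropped.
function canonicalizedResource(account, requestUrl) {
  const url = new URL(requestUrl);
  const comp = url.searchParams.get("comp");
  return `/${account}${url.pathname}` + (comp ? `?comp=${comp}` : "");
}

// String-to-sign layout used on this page for Table service Shared Key:
// VERB \n Content-MD5 \n Content-Type \n Date \n CanonicalizedResource
function stringToSign(verb, date, account, requestUrl, contentMd5 = "", contentType = "") {
  return [verb, contentMd5, contentType, date,
          canonicalizedResource(account, requestUrl)].join("\n");
}

// HMAC-SHA256 over the UTF-8 string, keyed with the base64-decoded account key.
function sharedKeyHeader(account, base64Key, toSign) {
  const sig = crypto.createHmac("sha256", Buffer.from(base64Key, "base64"))
    .update(toSign, "utf8").digest("base64");
  return `SharedKey ${account}:${sig}`;
}

// Constructed sample values (not a real account or key).
const account = "exampleaccount";
const key = Buffer.alloc(64, 7).toString("base64");
const date = "Thu, 30 Jul 2020 00:11:00 GMT";
const url = `https://${account}.table.core.windows.net/tablename?comp=acl&timeout=30`;

// Form from the answer versus the form used in the question.
const correct = stringToSign("GET", date, account, url);
const wrong = `GET\n\n\n${date}\n/${account}/tablename\ncomp:acl`;

console.log(JSON.stringify(correct));
console.log("correct:", sharedKeyHeader(account, key, correct));
console.log("wrong:  ", sharedKeyHeader(account, key, wrong));
```

The two Authorization values differ, so the service, which recomputes the signature from its own canonical string, rejects the request signed with the question's form. The `Date` header sent with the request must be the same string that was signed.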