ECS：OBS：存储区之间的复制失败，并显示 HTTP 403-SignatureDoesNotMatch

ERROR HTTP 403 (SignatureDoesNotMatch): The request signature we calculated does not match the signature you provided. Check your Secret Access Key and signing method. For more information, see REST Authentication and SOAP Authentication for details.)

其他存储区可能能够在存储区之间复制对象。

来自客户端的示例错误（以下示例中的 s3cmd）

user@ubuntu:~$ s3cmd cp s3://sourcebucket/0001.txt s3://destinationbucket/0001.txt --add-header=x-emc-copy-mode:deep
ERROR: Copy failed for: 's3://sourcebucket/0001.txt' (403 (SignatureDoesNotMatch): The request signature we calculated does not match the signature you provided. Check your Secret Access Key and signing method. For more information, see REST Authentication and SOAP Authentication for details.)

日志来源 svc_request 对于此会话：

x.x.x.159 02-20 11:43:04 0a3c129f:195052e2352:383d:6d0 s3 GET - x.x.x.253 200 454 4 y-test sourcebucket/0001.txt?acl
x.x.x.159 02-20 11:43:04 0a3c129f:195052e2352:37e3:1045 s3 HEAD - x.x.x.253 200 0 2 y-test sourcebucket/0001.txt
x.x.x.159 02-20 11:43:04 0a3c129f:195052e2352:383d:6d3 s3 PUT No x.x.x.253 400 - 7 y-test destinationbucket/0001.txt
x.x.x.159 02-20 11:43:04 0a3c129f:195052e2352:37e3:1048 s3 PUT No x.x.x.253 403 - 1 - destinationbucket/0001.txt

ECS 日志显示：

varray mismatch: source bucket has urn:storageos:VirtualArray:IDb.urn:storageos:ReplicationGroupInfo:ID:global, dest bucket has urn:storageos:VirtualArray:ID.urn:storageos:ReplicationGroupInfo:ID:global

跟踪 HTTP 400 请求时显示“varray mismatch”：

xxx.xxx.x.1 2025-02-20 11:43:04,682 0a3c129f:195052e2352:383d:6d3 x.x.x.159:9020 x.x.x.253:60062 y-test-1 - PUT y-test destinationbucket 0001.txt - HTTP/1.1 400 7 - - 6 - copy - - 'X-Forwarded-For: -' 'x-amz-meta-firstName: -' 'x-amz-meta-lastname: -' 'x-amz-meta-age: -' xxx.xxx.x.1 2025-02-20 11:43:04,682 0a3c129f:195052e2352:383d:6d3 x.x.x.159:9020 x.x.x.253:60062 y-test-1 - PUT y-test destinationbucket 0001.txt - HTTP/1.1 400 7 - - 6 - copy - - 'X-Forwarded-For: -' 'x-amz-meta-firstName: -' 'x-amz-meta-lastname: -' 'x-amz-meta-age: -' xxx.xxx.x.1 2025-02-20T11:43:04,675 [qtp2087040347-23314-0a3c129f:195052e2352:383d:6d3-s3-x.x.x.253] INFO V4Signer.java (line 118) credential: y-test-1/20250220/US-EAST-1/s3/aws4_request, amz_expires: null, amz_signed_headers: content-type;host;x-amz-content-sha256;x-amz-copy-source;x-amz-date;x-amz-meta-s3b-last-modified;x-amz-meta-sha256;x-amz-metadata-directive;x-amz-storage-class;x-emc-copy-mode;x-emc-mtime, amz_signature: 65edd5ab6e7b30a19993f88c160df46b826010f199583a41468272321c229ea0, payloadHash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, amz_date: 20250220T114323Z xxx.xxx.x.1 2025-02-20T11:43:04,678 [qtp2087040347-23314-0a3c129f:195052e2352:383d:6d3-s3-x.x.x.253] ERROR S3Exception.java (line 1733) got object access exception. RequestId 0a3c129f:195052e2352:383d:6d3 com.emc.storageos.objcontrol.object.exception.ObjectAccessException: varray mismatch: source bucket has urn:storageos:VirtualArray:<ID>.urn:storageos:ReplicationGroupInfo:<ID>:global, dest bucket has urn:storageos:VirtualArray:<ID>.urn:storageos:<ID>:global

在相同源上的存储桶之间进行复制时，大多数符合 AWS 标准的工具都使用 s3 复制选项 。此选项不会使用客户端下载和上传对象，而是要求目标执行复制作。

当源存储区和目标存储区托管在不同的复制组上时，拷贝会失败，ECS 仅允许在同一复制组中执行 S3 拷贝。Amazon AWS 中未使用复制组的概念，客户端工具不会检测到使用了不同的复制组。

如何验证存储区位于不同的复制组中：

从 CLI 运行： 

svc_bucket list -n <namespace>

admin@ecsnode2:~> svc_bucket list -n y-test 
svc_bucket v1.1.3 (svc_tools v2.24.0)                 Started 2025-07-29 07:18:45

                                                                                                                                       Bucket     Temp      
                                                                 Replication         Owner            Owner           API     FS       Versioning Failed    
Bucket Name                            Namespace                 Group               User             VDC             Type    Enabled  Enabled    (TSO)     

destinationbucket                      y-test                    local_vdc           y-test-1         VDC1            S3      False    Disabled   False       
destinationiam                         y-test                    local_vdc           urn:ec...t:root  VDC1            S3      False    Disabled   False       
destsamerg                             y-test                    RG1                 y-test-1         VDC1            S3      False    Disabled   False       
iam                                    y-test                    RG1                 urn:ec...t:root  VDC1            S3      False    Disabled   False       
iamsamerg                              y-test                    RG1                 urn:ec...t:root  VDC1            S3      False    Disabled   False       
new-bucket-37494b67                    y-test                    RG1                 y-test-1         VDC1            S3      False    Enabled    False       
s3                                     y-test                    RG1                 y-test-1         VDC1            S3      False    Disabled   False       
sourcebucket                           y-test                    RG1                 y-test-1         VDC1            S3      False    Disabled   False       
sourceiam                              y-test                    RG1                 urn:ec...t:root  VDC1            S3      False    Disabled   False       
steve                                  y-test                    RG1                 y-test-1         VDC1            S3      False    Disabled   False       
versioning-test                        y-test                    RG1                 y-test-1         VDC1            S3      False    Enabled    False

在上面的示例中，名称中包含 destination 的两个存储区都属于 local_vdc，而其他的则是 RG1
您可以在所有 RG1 以及两者之间的存储区 local_vdc 存储区，但不在存储区之间 local_vdc 和 rg1 桶。

这是正常现象。

将对象从 ECS 下载到客户端，然后重新上传到新源。或者，使用相同命名空间和复制组中的存储区。