Core concepts

This article will explain key concepts related to the Baidu AI Cloud Object Storage (BOS) product to help you gain a better understanding of BOS.

Object

In BOS, the basic data unit for user operations is an object. Each object consists of three parts: key, meta, and data. The key is the name of the object, meta contains the user-defined descriptions as name-value pairs, and data represents the content of the object.

Bucket

A bucket serves as a container for storing data, resembling a storage bucket. Each bucket has a regional attribute and is confined to a single region. Since the name and region of a bucket cannot be changed once created, it is advisable to place it close to the business area to optimize upload and download speeds and improve access efficiency. Bucket names are globally unique. Every object must reside within a bucket. Users can create up to 100 buckets, but there are no restrictions on the number or total size of objects stored in each bucket, as scalability is automatically managed.

Referer allow list

The referer allow list, also known as the access list, is an anti-leeching measure based on the HTTP header's referer field, designed to prevent unauthorized access to data stored on BOS. Users can set the referer field's allow list in the BOS console. Once configured, only requests with referer fields matching the allow list can access the stored data, while others will be denied. However, if the referer field is empty, access will be permitted by default and will not be restricted by the allow list.

Region

A Region represents a distinct geographical area. Except for certain services, like account services, that are globally valid within Baidu AI Cloud, most services operate in isolation across regions. Each region's services are deployed independently and do not affect one another. Data sharing between regions requires explicit duplication. When creating a bucket, you must specify a region, and this choice cannot be changed later.

Baidu AI Cloud currently supports multiple regions. Please refer to [Instructions for region selection](Reference/Region Selection Instructions/Region.md).

When referring to a region in the API, you must use the service domain name associated with that region.

When accessing the BOS service, users can designate the target Region for their request through the URL. For instance, http(s)://bj.bcebos.com directs the request to the Beijing region.

Access Key ID / Secret Access Key

After users activate the BOS service, the system will automatically assign a pair of Access Key ID (AK)/Secret Access Key (SK). This key pair will be used for signature verification when users initiate requests to BOS. The Access Key ID is used to identify the user, and the Secret Access Key is the key used by the user to encrypt the signature string and by the BOS service to verify the signature string. Please refer to [ Retrieve AK/SK ](Reference/Retrieve AK and SK/How to Obtain AKSK.md).

In addition to the system-assigned access keys, users may apply for up to 20 customized pairs of AK/SK.

Permission control

BOS offers a permission management method that seamlessly integrates user signature verification, access control lists (ACLs), and time-limited object access to ensure secure and reliable data protection for users. User signature verification employs the AK/SK asymmetric encryption method to sign URLs, enabling user identity authentication. Once the user identity is verified through the signature, ACL determines the access permissions for the requested bucket and processes the request accordingly. Meanwhile, time-limited object access lets users generate URLs with a custom validity period, ideal for scenarios like downloading.

CDN acceleration

CDN accelerates the loading of static web elements such as maps, images, and documents, while also offering enhanced performance for audio, downloads, and gaming applications. This ensures high-speed website access and significantly improves the overall user experience.