
嵌套DAS控制台

更新时间:2020-05-12 11:08:43

您可以通过给阿里云创建RAM用户并授予STS权限策略,将DAS(原HDM)控制台免登录嵌套到自建的运维平台中。本文将介绍相关操作步骤。

前提条件

已经创建RAM用户并授予STS权限策略,详情请参见配置RAM用户授权

操作步骤

  1. 通过AssumeRole接口获取用户临时身份。关于如何获取用户临时身份,请参见AssumeRole

    关于更多RAM角色原理,请参见RAM角色概述

  2. 使用安全令牌获取登录令牌。关于如何获取登录令牌,请参见GetSigninToken

    TicketType主要分为normal和mini两种:
    默认使用normal,对应DAS域名:https://hdm.console.aliyun.com
    如果是mini应用于BID虚商,对应DAS域名:https://hdm4service.console.aliyun.com

  3. 构造访问DAS页面免登录链接。

    1. 构造URL格式如下:

      1. https://signin.aliyun.com/federation?Action=Login
      2. &LoginUrl=<登录失效跳转的地址,一般配置为自建WEB配置302跳转的URL>
      3. &Destination=<实际访问 DAS 服务页面>
      4. &SigninToken=<获取的登录TOKEN>

      Destination对应的DAS服务页面,受到步骤二中的TicketType参数影响。
      normal对应的DAS域名:https://hdm.console.aliyun.com
      mini应用于BID虚商对应的DAS域名:https://hdm4service.console.aliyun.com

    2. 如果要嵌入DAS的监控大盘,Destination可以设置为:https://hdm.console.aliyun.com/?hideTopbar=true&isShare=true&hideMenu=true#/dashboard/convoy

      #前面的 isShare=true 和 hideTopbar=true 是必选参数。

      参数说明:
      isShare=true:外部控制台嵌入时必需。
      hideTopbar=true:隐藏DAS阿里云控制台边栏。
      hideMenu=true:隐藏DAS外部菜单。
      hideInstanceMenu=true:隐藏DAS实例详情页边栏和外部边栏。
    3. 参考代码如下:

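      /**
       * Builds the free-login link for a DAS page (federation action {@code Login}) using
       * {@code https://signin.aliyun.com/login.htm} as the LoginUrl.
       *
       * @param pageUrl     the DAS page actually opened, e.g. the global dashboard, the real-time
       *                    dashboard or an instance detail page
       * @param signInToken the token obtained from GetSigninToken
       * @return the complete login URL; it embeds the SigninToken, so treat it as a credential
       *         (hand it to the browser, do not log or persist it)
       * @throws URISyntaxException if the URL cannot be built
       */
      private static String getHdmLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {
          // Default LoginUrl; embedders usually replace it with a 302 handler on their own web app.
          return getHdmLoginUrl(pageUrl, signInToken, "https://signin.aliyun.com/login.htm");
      }

      /**
       * Builds the free-login link for a DAS page with an explicit LoginUrl.
       *
       * @param pageUrl     the DAS page actually opened
       * @param signInToken the token obtained from GetSigninToken
       * @param loginUrl    the address the user is redirected to once the signin session has expired,
       *                    typically a URL on your own web app that answers with a 302
       * @return the complete login URL (embeds the SigninToken)
       * @throws URISyntaxException if the URL cannot be built
       */
      private static String getHdmLoginUrl(String pageUrl, String signInToken, String loginUrl)
              throws URISyntaxException {
          URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN)
                  .setParameter("Action", "Login")
                  .setParameter("LoginUrl", loginUrl)
                  .setParameter("Destination", pageUrl)
                  .setParameter("SigninToken", signInToken);
          // URIBuilder already yields the final URI; wrapping it in an HttpGet added nothing.
          return builder.build().toString();
      }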

附录:

  • 完整代码
  import java.io.IOException;
  import java.net.URISyntaxException;
  import java.nio.charset.StandardCharsets;
  import com.alibaba.fastjson.JSON;
  import com.alibaba.fastjson.JSONObject;
  import com.aliyuncs.DefaultAcsClient;
  import com.aliyuncs.exceptions.ClientException;
  import com.aliyuncs.profile.DefaultProfile;
  import com.aliyuncs.profile.IClientProfile;
  import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
  import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
  import org.apache.http.HttpStatus;
  import org.apache.http.client.methods.CloseableHttpResponse;
  import org.apache.http.client.methods.HttpGet;
  import org.apache.http.client.utils.URIBuilder;
  import org.apache.http.impl.client.CloseableHttpClient;
  import org.apache.http.impl.client.HttpClients;
  import org.apache.http.util.EntityUtils;
  18. /**
  19. * Created by tinker on 2019-07-09.
  20. *
  21. * @author tinker
  22. * @date 2019-07-09
  23. */
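  public class StsService {

      /** Federation endpoint shared by the {@code GetSigninToken} and {@code Login} actions. */
      private static final String SIGN_IN_DOMAIN = "https://signin.aliyun.com/federation";

      /** Region id handed to the SDK profile; the original sample used cn-hangzhou. */
      private static final String DEFAULT_REGION = "cn-hangzhou";

      /**
       * LoginUrl used when the caller does not supply one: the address the user is redirected to once
       * the signin session has expired. Embedders usually point this at a 302 handler on their own web app.
       */
      private static final String DEFAULT_LOGIN_URL = "https://signin.aliyun.com/login.htm";

      /**
       * RoleSessionName sent with AssumeRole. It distinguishes tokens from one another and can be used for
       * user-level access audits; format {@code ^[a-zA-Z0-9\.@\-_]+$}.
       */
      private static final String DEFAULT_ROLE_SESSION_NAME = "session-name";

      /** Lifetime of the temporary credentials in seconds; the allowed range is 900 to 3600, default 3600. */
      private static final long DEFAULT_DURATION_SECONDS = 3600L;

      /** Utility class: static helpers plus a demo {@code main}. */
      private StsService() {
      }

      /**
       * Builds the RAM role ARN in the form {@code acs:ram::<accountId>:role/<roleName>}.
       *
       * @param accountId UID of the resource owner, i.e. the Alibaba Cloud account (not the RAM user)
       * @param roleName  name of the RAM role to assume
       * @return the role ARN
       */
      private static String getRoleArn(String accountId, String roleName) {
          return String.format("acs:ram::%s:role/%s", accountId, roleName);
      }

      /**
       * Exchanges STS temporary credentials for a console sign-in token
       * (federation action {@code GetSigninToken}, https://help.aliyun.com/document_detail/91913.html).
       *
       * <p>The temporary AccessKeySecret and SecurityToken travel as query parameters of this request, and
       * the returned SigninToken grants console access without further authentication. Neither the request
       * URL nor the returned token should therefore be written to logs.
       *
       * @param accesskeyId     temporary AccessKeyId returned by AssumeRole
       * @param accessKeySecret temporary AccessKeySecret returned by AssumeRole
       * @param securityToken   temporary SecurityToken returned by AssumeRole
       * @return the {@code SigninToken} field of the JSON response, never {@code null}
       * @throws IOException        on a transport failure, a non-200 status, or a response without
       *                            {@code SigninToken} (the original returned {@code null} in the latter
       *                            cases, which then surfaced as a broken {@code SigninToken=null} URL)
       * @throws URISyntaxException if the request URL cannot be built
       */
      private static String getSignInToken(String accesskeyId, String accessKeySecret, String securityToken)
              throws IOException, URISyntaxException {
          URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN)
                  .setParameter("Action", "GetSigninToken")
                  .setParameter("AccessKeyId", accesskeyId)
                  .setParameter("AccessKeySecret", accessKeySecret)
                  .setParameter("SecurityToken", securityToken)
                  // "normal" targets https://hdm.console.aliyun.com; "mini" (BID resellers) targets
                  // https://hdm4service.console.aliyun.com. The Destination passed to getHdmLoginUrl
                  // must match the choice made here.
                  .setParameter("TicketType", "normal");
          HttpGet request = new HttpGet(builder.build());
          // Both the client and the response are closed on every path; the original never closed the client.
          try (CloseableHttpClient httpclient = HttpClients.createDefault();
               CloseableHttpResponse response = httpclient.execute(request)) {
              if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
                  // The message deliberately omits the request URL because it carries the credentials.
                  throw new IOException("GetSigninToken failed: " + response.getStatusLine());
              }
              // Explicit default charset: the platform charset is not guaranteed to be UTF-8 before Java 18.
              String body = EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
              JSONObject json = JSON.parseObject(body);
              String signInToken = json == null ? null : json.getString("SigninToken");
              if (signInToken == null || signInToken.isEmpty()) {
                  throw new IOException("GetSigninToken response did not contain SigninToken");
              }
              return signInToken;
          }
      }

      /**
       * Builds the free-login link for a DAS page (federation action {@code Login}) using
       * {@link #DEFAULT_LOGIN_URL} as the LoginUrl.
       *
       * @param pageUrl     the DAS page actually opened, e.g. the global dashboard, the real-time
       *                    dashboard or an instance detail page
       * @param signInToken the token obtained from {@link #getSignInToken}
       * @return the complete login URL; it embeds the SigninToken, so treat it as a credential
       * @throws URISyntaxException if the URL cannot be built
       */
      private static String getHdmLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {
          return getHdmLoginUrl(pageUrl, signInToken, DEFAULT_LOGIN_URL);
      }

      /**
       * Builds the free-login link for a DAS page with an explicit LoginUrl.
       *
       * @param pageUrl     the DAS page actually opened
       * @param signInToken the token obtained from {@link #getSignInToken}
       * @param loginUrl    the address the user is redirected to once the signin session has expired,
       *                    typically a URL on your own web app that answers with a 302
       * @return the complete login URL (embeds the SigninToken)
       * @throws URISyntaxException if the URL cannot be built
       */
      private static String getHdmLoginUrl(String pageUrl, String signInToken, String loginUrl)
              throws URISyntaxException {
          URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN)
                  .setParameter("Action", "Login")
                  .setParameter("LoginUrl", loginUrl)
                  .setParameter("Destination", pageUrl)
                  .setParameter("SigninToken", signInToken);
          // URIBuilder already yields the final URI; wrapping it in an HttpGet added nothing.
          return builder.build().toString();
      }

      /**
       * Obtains temporary credentials for a RAM role through the STS {@code AssumeRole} API
       * (https://help.aliyun.com/document_detail/28763.html).
       *
       * @param accountId       UID of the resource owner (the Alibaba Cloud account)
       * @param accessKeyId     AccessKeyId of the RAM user that is allowed to assume the role
       * @param accessKeySecret AccessKeySecret of that RAM user
       * @param ramRole         name of the RAM role to assume
       * @return the temporary AccessKeyId, AccessKeySecret, SecurityToken and expiration
       * @throws ClientException if the STS call fails
       */
      private static AssumeRoleResponse.Credentials assumeRole(String accountId, String accessKeyId,
              String accessKeySecret, String ramRole) throws ClientException {
          IClientProfile profile = DefaultProfile.getProfile(DEFAULT_REGION, accessKeyId, accessKeySecret);
          DefaultAcsClient client = new DefaultAcsClient(profile);
          AssumeRoleRequest request = new AssumeRoleRequest();
          request.setRoleArn(getRoleArn(accountId, ramRole));
          request.setRoleSessionName(DEFAULT_ROLE_SESSION_NAME);
          request.setDurationSeconds(DEFAULT_DURATION_SECONDS);
          AssumeRoleResponse response = client.getAcsResponse(request);
          return response.getCredentials();
      }

      /**
       * Demo entry point: AssumeRole, then GetSigninToken, then the free-login URL for a DAS page.
       *
       * <p>Fill in the four Step-0 values before running. They are credentials and identifiers for your
       * own account; keep real values out of source control.
       *
       * @param args unused
       * @throws IOException        if the GetSigninToken call fails
       * @throws URISyntaxException if a URL cannot be built
       */
      public static void main(String[] args) throws IOException, URISyntaxException {
          try {
              // Step 0: RAM user and authorization.
              String accountId = "";
              // RAM role used to reach DAS; attach AliyunHDMReadOnlyAccess (read-only) or
              // AliyunHDMFullAccess as needed.
              String ramRole = "";
              // AK/SK of a RAM user that holds AliyunSTSAssumeRoleAccess.
              String accessKeyId = "";
              String accessKeySecret = "";

              // Step 1: temporary AK, SK and SecurityToken from AssumeRole.
              AssumeRoleResponse.Credentials credentials =
                      assumeRole(accountId, accessKeyId, accessKeySecret, ramRole);
              System.out.println("Expiration: " + credentials.getExpiration());
              System.out.println("Access Key Id: " + credentials.getAccessKeyId());
              // The temporary AccessKeySecret and SecurityToken are deliberately not printed: they are
              // live credentials and stdout frequently ends up in log collection.

              // Step 2: SigninToken.
              String signInToken = getSignInToken(credentials.getAccessKeyId(),
                      credentials.getAccessKeySecret(),
                      credentials.getSecurityToken());

              // Step 3: free-login link, e.g. a DAS dashboard. The query parameters on the Destination
              // control which console chrome is hidden; the guide lists isShare=true and hideTopbar=true
              // as required when embedding the dashboard.
              String pageUrl = getHdmLoginUrl(
                      "https://hdm.console.aliyun.com/?hideTopbar=true#/customDashboard?", signInToken);
              // The URL embeds the SigninToken: hand it to the browser, do not persist or log it elsewhere.
              System.out.println("Your PageUrl is : " + pageUrl);
          } catch (ClientException e) {
              System.err.println("Failed:");
              System.err.println("Error code: " + e.getErrCode());
              System.err.println("Error message: " + e.getErrMsg());
              System.err.println("RequestId: " + e.getRequestId());
          }
      }
  }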
  • POM 文件
  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <project xmlns="http://maven.apache.org/POM/4.0.0"
  3. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4. xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5. <modelVersion>4.0.0</modelVersion>
  6. <groupId>com.aliyun</groupId>
  7. <artifactId>hdm-login-demo</artifactId>
  8. <version>1.0-SNAPSHOT</version>
  9. <dependencies>
  10. <dependency>
  11. <groupId>com.aliyun</groupId>
  12. <artifactId>aliyun-java-sdk-core</artifactId>
  13. <version>3.5.0</version>
  14. </dependency>
  15. <dependency>
  16. <groupId>com.aliyun</groupId>
  17. <artifactId>aliyun-java-sdk-sts</artifactId>
  18. <version>3.0.0</version>
  19. </dependency>
  20. <dependency>
  21. <groupId>org.apache.httpcomponents</groupId>
  22. <artifactId>httpclient</artifactId>
  23. <version>4.5.9</version>
  24. </dependency>
  25. <dependency>
  26. <groupId>com.alibaba</groupId>
  27. <artifactId>fastjson</artifactId>
  28. <version>1.2.58</version>
  29. </dependency>
  30. </dependencies>
  31. <build>
  32. <plugins>
  33. <plugin>
  34. <groupId>org.apache.maven.plugins</groupId>
  35. <artifactId>maven-compiler-plugin</artifactId>
  36. <configuration>
  37. <source>1.8</source>
  38. <target>1.8</target>
  39. <encoding>UTF-8</encoding>
  40. </configuration>
  41. </plugin>
  42. </plugins>
  43. </build>
  44. </project>