Embed the Database Autonomy Service (DAS) console into your O&M platform so your users can access database monitoring without a separate logon. The integration uses Security Token Service (STS) temporary credentials and Alibaba Cloud's federation endpoint to generate a logon-free URL that loads the DAS console inside an iframe.
The process has three steps:
-
Call AssumeRole to get temporary credentials for a RAM role.
-
Exchange the credentials for a logon token at the federation endpoint.
-
Construct a logon-free URL and load it in an iframe.
Prerequisites
Before you begin, ensure that you have:
-
A RAM user with the STS policy attached. For setup instructions, see Grant permissions to a RAM user
Step 1: Get temporary credentials
Call the AssumeRole API operation to assume a RAM role and receive temporary credentials (access key ID, access key secret, and security token).
For background on RAM roles, see RAM role overview.
Step 2: Exchange credentials for a logon token
Use the security token to obtain a logon token.
The DAS domain used in subsequent steps depends on the TicketType value you specify:
TicketType value |
DAS domain |
|---|---|
normal (default) |
https://hdm.console.alibabacloud.com |
mini (partner BID) |
https://hdm4servims.console.alibabacloud.com |
Step 3: Construct the logon-free URL
URL format
Build the logon-free URL using the following format:
https://signin.aliyun.com/federation?Action=Login
&LoginUrl=<URL on your platform that returns HTTP 302>
&Destination=<DAS page to load>
&SigninToken=<logon token from step 2>
The DAS domain in the Destination parameter must match the TicketType you used in step 2:
-
TicketType=normal→https://hdm.console.alibabacloud.com -
TicketType=mini→https://hdm4servims.console.alibabacloud.com
Configure the Destination URL
Set Destination to the DAS page you want to embed. To embed the DAS dashboard, use:
https://hdm.console.alibabacloud.com/?hideTopbar=true&isShare=true&hideMenu=true#/dashboard/convoy
isShare=true and hideTopbar=true are required parameters and must appear before # in the URL.
Use the following query parameters to customize the DAS console UI:
| Parameter | Description |
|---|---|
isShare=true |
Enables embedding the DAS console in an external console |
hideTopbar=true |
Hides the top navigation bar |
hideMenu=true |
Hides the external menu |
hideInstanceMenu=true |
Hides the sidebars on the instance details page and the external bars of the DAS console |
hideAutonomousButton=true |
Hides the autonomy service switch |
Code example
The following Java example shows how to build the logon-free URL. Comments reference the step numbers in this guide.
private static String getHdmLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {
// Step 3: Build the federation URL with all required parameters
URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN);
builder.setParameter("Action", "Login");
// LoginUrl: the URL on your platform that returns HTTP 302 to redirect the user
builder.setParameter("LoginUrl", "https://signin.aliyun.com/login.htm");
// Destination: the DAS page to load (e.g., global dashboard, instance details)
builder.setParameter("Destination", pageUrl);
// SigninToken: the logon token obtained in step 2
builder.setParameter("SigninToken", signInToken);
HttpGet request = new HttpGet(builder.build());
return request.getURI().toString();
}
What's next
-
To adjust RAM role permissions, see RAM role overview.
Appendix
- Full sample code:
import java.io.IOException; import java.net.URISyntaxException; import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.JSONObject; import com.aliyuncs.DefaultAcsClient; import com.aliyuncs.exceptions.ClientException; import com.aliyuncs.profile.DefaultProfile; import com.aliyuncs.profile.IClientProfile; import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest; import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse; import org.apache.http.HttpStatus; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.client.utils.URIBuilder; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.util.EntityUtils; /** * Created by tinker on 2019-07-09. * * @author tinker * @date 2019-07-09 */ public class StsService { private static String getRoleArn(String accountId, String roleName) { return String.format("acs:ram::%s:role/%s", accountId, roleName); } private static final String SIGN_IN_DOMAIN = "https://signin.aliyun.com/federation"; /** * Use the security token to get a logon token. * https://help.aliyun.com/document_detail/91913.html * * @param accesskeyId * @param accessKeySecret * @param securityToken * @return * @throws IOException * @throws URISyntaxException */ private static String getSignInToken(String accesskeyId, String accessKeySecret, String securityToken) throws IOException, URISyntaxException { URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN); builder.setParameter("Action", "GetSigninToken") .setParameter("AccessKeyId", accesskeyId) .setParameter("AccessKeySecret", accessKeySecret) .setParameter("SecurityToken", securityToken) .setParameter("TicketType", "normal"); HttpGet request = new HttpGet(builder.build()); CloseableHttpClient httpclient = HttpClients.createDefault(); try (CloseableHttpResponse response = httpclient.execute(request)) { if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) { String context = EntityUtils.toString(response.getEntity()); JSONObject jsonObject = JSON.parseObject(context); return jsonObject.getString("SigninToken"); } else { System.out.println(response.getStatusLine()); } } return null; } private static String getHdmLoginUrl(String pageUrl, String signInToken) throws URISyntaxException { URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN); builder.setParameter("Action", "Login"); // The URL to which the user is redirected if the logon expires. This is typically the URL for a 302 redirect configured on your custom web server. builder.setParameter("LoginUrl", "https://signin.aliyun.com/login.htm"); // The actual DAS page to access, such as the global dashboard, real-time dashboard, or instance details page. builder.setParameter("Destination", pageUrl); builder.setParameter("SigninToken", signInToken); HttpGet request = new HttpGet(builder.build()); return request.getURI().toString(); } /** * Call the AssumeRole API operation to get temporary user credentials. * For more information, see https://help.aliyun.com/document_detail/28763.html * * @param accountId * @param accessKeyId * @param accessKeySecret * @param ramRole * @return * @throws ClientException */ private static AssumeRoleResponse.Credentials assumeRole(String accountId, String accessKeyId, String accessKeySecret, String ramRole) throws ClientException { String defaultRegion = "cn-hangzhou"; IClientProfile profile = DefaultProfile.getProfile(defaultRegion, accessKeyId, accessKeySecret); DefaultAcsClient client = new DefaultAcsClient(profile); AssumeRoleRequest request = new AssumeRoleRequest(); // Set RoleArn. accountId is the UID of the resource owner, which is the Alibaba Cloud account. request.setRoleArn(getRoleArn(accountId, ramRole)); // A custom parameter. This parameter is used to distinguish different tokens and can be used for user-level access auditing. Format: ^[a-zA-Z0-9\.@\-_]+$ request.setRoleSessionName("session-name"); // The validity period of the token in seconds. The value must be between 900 and 3600. The default value is 3600. request.setDurationSeconds(3600L); AssumeRoleResponse response = client.getAcsResponse(request); return response.getCredentials(); } public static void main(String[] args) throws IOException, URISyntaxException { try { /* Step 0: Prepare the RAM user and grant permissions. */ String accountId = ""; // The role used to access the DAS product. You can add the AliyunHDMReadOnlyAccess (read-only) or AliyunHDMFullAccess permission as needed. String ramRole = ""; // The AccessKey ID and AccessKey secret of a RAM user that has the AliyunSTSAssumeRoleAccess permission. String accessKeyId = ""; String accessKeySecret = ""; /* Step 1: Call the AssumeRole API operation to get a temporary AccessKey ID, AccessKey secret, and security token. */ AssumeRoleResponse.Credentials credentials = assumeRole(accountId, accessKeyId, accessKeySecret, ramRole); System.out.println("Expiration: " + credentials.getExpiration()); System.out.println("Access Key Id: " + credentials.getAccessKeyId()); System.out.println("Access Key Secret: " + credentials.getAccessKeySecret()); System.out.println("Security Token: " + credentials.getSecurityToken()); /* Step 2: Get the SigninToken. */ String signInToken = getSignInToken(credentials.getAccessKeyId(), credentials.getAccessKeySecret(), credentials.getSecurityToken()); System.out.println("Your SigninToken is: " + signInToken); /* Step 3: Construct a logon-free URL, for example, for the DAS monitoring dashboard. */ String pageUrl = getHdmLoginUrl("https://hdm.console.aliyun.com/?hideTopbar=true#/customDashboard?", signInToken); System.out.println("Your PageUrl is : " + pageUrl); } catch (ClientException e) { System.out.println("Failed:"); System.out.println("Error code: " + e.getErrCode()); System.out.println("Error message: " + e.getErrMsg()); System.out.println("RequestId: " + e.getRequestId()); } } } - POM file:
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.aliyun</groupId> <artifactId>hdm-login-demo</artifactId> <version>1.0-SNAPSHOT</version> <dependencies> <dependency> <groupId>com.aliyun</groupId> <artifactId>aliyun-java-sdk-core</artifactId> <version>3.5.0</version> </dependency> <dependency> <groupId>com.aliyun</groupId> <artifactId>aliyun-java-sdk-sts</artifactId> <version>3.0.0</version> </dependency> <dependency> <groupId>org.apache.httpcomponents</groupId> <artifactId>httpclient</artifactId> <version>4.5.9</version> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>fastjson</artifactId> <version>1.2.83</version> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> <configuration> <source>1.8</source> <target>1.8</target> <encoding>UTF-8</encoding> </configuration> </plugin> </plugins> </build> </project>