You can create a RAM user for Alibaba Cloud and grant STS permission policies to integrate the DAS (formerly HDM) console without logging into the self-built operation and maintenance platform. This article will introduce related steps.
Prerequisites
You have created a RAM user and granted STS permission policies. For details, see Configuring RAM User Authorization.
Steps
Obtain the user’s temporary identity through the AssumeRole interface.
For how to obtain the user’s temporary identity, see AssumeRole.For details of RAM role principles, see RAM Role Overview.
Use a security token to obtain a login token.
TicketType is mainly classified into two types: normal and mini.
normal is used by default, corresponding to the DAS domain name: HDM Console
mini if applied to BID owner, corresponding to the DAS domain name: HDM Service ConsoleConstruct a login-free link to access the DAS page.
The URL format is as follows:
https://signin.aliyun.com/federation?Action=Login&LoginUrl=<Address that the browser jumps to in case of login failure, generally configured as self-built WEB configuration 302 jump URL>&Destination=<DAS service page that is accessed actually>&SigninToken=<Obtained login TOKEN>
The DAS service page corresponding to Destination is affected by the TicketType parameter in the second step.
normal corresponds to DAS domain name: HDM Console
mini applied to BID owner corresponding to DAS domain name: HDM Service ConsoleIf you want to integrate the DAS dashboard, Destination can be set to: Aliyun Dashboard
#The precedingisShare=trueandhideTopbar=trueare required parameters.Parameter Description isShare=true Required for external console integration. hideTopbar=true Hide the DAS Alibaba Cloud console sidebar. hideMenu=true Hide DAS external menu. hideInstanceMenu=true Hide the DAS instance details page sidebar and external sidebar. The reference code is as follows:
private static String getHdmLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN);builder.setParameter("Action", "Login");// Address that the browser jumps to in case of login failure, generally configured as self-built WEB configuration 302 jump URLbuilder.setParameter("LoginUrl", "https://signin.aliyun.com/login.htm");// DAS service page that is accessed actually, for example, global dashboard, real-time dashboard, or some instance details pagebuilder.setParameter("Destination", pageUrl);builder.setParameter("SigninToken", signInToken);HttpGet request = new HttpGet(builder.build());return request.getURI().toString();}
Appendix:
- Full version
import java.io.IOException;import java.net.URISyntaxException;import com.alibaba.fastjson.JSON;import com.alibaba.fastjson.JSONObject;import com.aliyuncs.DefaultAcsClient;import com.aliyuncs.exceptions.ClientException;import com.aliyuncs.profile.DefaultProfile;import com.aliyuncs.profile.IClientProfile;import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;import org.apache.http.HttpStatus;import org.apache.http.client.methods.CloseableHttpResponse;import org.apache.http.client.methods.HttpGet;import org.apache.http.client.utils.URIBuilder;import org.apache.http.impl.client.CloseableHttpClient;import org.apache.http.impl.client.HttpClients;import org.apache.http.util.EntityUtils;/*** Created by tinker on 2019-07-09.** @author tinker* @date 2019-07-09*/public class StsService {private static String getRoleArn(String accountId, String roleName) {return String.format("acs:ram::%s:role/%s", accountId, roleName);}private static final String SIGN_IN_DOMAIN = "https://signin.aliyun.com/federation";/*** Use a security token to obtain a login token** @param accesskeyId* @param accessKeySecret* @param securityToken* @return* @throws IOException* @throws URISyntaxException*/private static String getSignInToken(String accesskeyId, String accessKeySecret, String securityToken)throws IOException, URISyntaxException {URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN);builder.setParameter("Action", "GetSigninToken").setParameter("AccessKeyId", accesskeyId).setParameter("AccessKeySecret", accessKeySecret).setParameter("SecurityToken", securityToken).setParameter("TicketType", "normal");HttpGet request = new HttpGet(builder.build());CloseableHttpClient httpclient = HttpClients.createDefault();try (CloseableHttpResponse response = httpclient.execute(request)) {if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {String context = EntityUtils.toString(response.getEntity());JSONObject jsonObject = JSON.parseObject(context);return jsonObject.getString("SigninToken");} else {System.out.println(response.getStatusLine());}}return null;}private static String getHdmLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN);builder.setParameter("Action", "Login");// Address that the browser jumps to in case of login failure, generally configured as self-built WEB configuration 302 jump URLbuilder.setParameter("LoginUrl", "https://signin.aliyun.com/login.htm");// DAS service page that is accessed actually, for example, global dashboard, real-time dashboard, or some instance details page.builder.setParameter("Destination", pageUrl);builder.setParameter("SigninToken", signInToken);HttpGet request = new HttpGet(builder.build());return request.getURI().toString();}/*** Obtain the user's temporary identity through the AssumeRole interface** @param accountId* @param accessKeyId* @param accessKeySecret* @param ramRole* @return* @throws ClientException*/private static AssumeRoleResponse.Credentials assumeRole(String accountId, String accessKeyId,String accessKeySecret, String ramRole)throws ClientException {String defaultRegion = "cn-hangzhou";IClientProfile profile = DefaultProfile.getProfile(defaultRegion, accessKeyId, accessKeySecret);DefaultAcsClient client = new DefaultAcsClient(profile);AssumeRoleRequest request = new AssumeRoleRequest();// Set RAMArn, accountId to be the UID of the resource owner, which is the main accountrequest.setRoleArn(getRoleArn(accountId, ramRole));// User-defined parameter. This parameter is used to distinguish between different tokens and can be used for user-level access audit. Format: ^[a-zA-Z0-9\.@\-_]+$request.setRoleSessionName("session-name");// The specified expiration time, in seconds. Expiration time range: 900 ~ 3600, with the default value 3600request.setDurationSeconds(3600L);AssumeRoleResponse response = client.getAcsResponse(request);return response.getCredentials();}public static void main(String[] args) throws IOException, URISyntaxException {try {/*Step 0 Prepare sub-account and permission authorization*/String accountId = "";// Role used to access DAS. If needed, you can add permissions AliyunHDMReadOnlyAccess (read-only), AliyunHDMFullAccessString ramRole = "";// Sub-account AK, SK, which has permission AliyunSTSAssumeRoleAccessString accessKeyId = "";String accessKeySecret = "";/*Step 1 Obtain temporary AK, SK, SecurityToken through the AssumeRole interface*/AssumeRoleResponse.Credentials credentials = assumeRole(accountId, accessKeyId, accessKeySecret, ramRole);System.out.println("Expiration: " + credentials.getExpiration());System.out.println("Access Key Id: " + credentials.getAccessKeyId());System.out.println("Access Key Secret: " + credentials.getAccessKeySecret());System.out.println("Security Token: " + credentials.getSecurityToken());/*Step 2 Obtain SigninToken*/String signInToken = getSignInToken(credentials.getAccessKeyId(),credentials.getAccessKeySecret(),credentials.getSecurityToken());System.out.println("Your SigninToken is: " + signInToken);/*Step 3 Construct a login-free link, for example, to access the DAS dashboard*/String pageUrl = getHdmLoginUrl("https://hdm.console.aliyun.com/?hideTopbar=true#/customDashboard?", signInToken);System.out.println("Your PageUrl is : " + pageUrl);} catch (ClientException e) {System.out.println("Failed:");System.out.println("Error code: " + e.getErrCode());System.out.println("Error message: " + e.getErrMsg());System.out.println("RequestId: " + e.getRequestId());}}}
- POM file
<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.aliyun</groupId><artifactId>hdm-login-demo</artifactId><version>1.0-SNAPSHOT</version><dependencies><dependency><groupId>com.aliyun</groupId><artifactId>aliyun-java-sdk-core</artifactId><version>3.5.0</version></dependency><dependency><groupId>com.aliyun</groupId><artifactId>aliyun-java-sdk-sts</artifactId><version>3.0.0</version></dependency><dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId><version>4.5.9</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>1.2.58</version></dependency></dependencies><build><plugins><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><configuration><source>1.8</source><target>1.8</target><encoding>UTF-8</encoding></configuration></plugin></plugins></build></project>