
Integrating DAS Console

Last Updated: Aug 25, 2020

You can create an Alibaba Cloud RAM user and grant it STS permission policies so that your self-built operations and maintenance (O&M) platform can open the DAS (formerly HDM) console without a separate login. This article describes the steps.

Prerequisites

You have created a RAM user and granted STS permission policies. For details, see Configuring RAM User Authorization.

Steps

  1. Obtain the user’s temporary identity through the AssumeRole interface.
    For how to obtain the user’s temporary identity, see AssumeRole.

    For details of RAM role principles, see RAM Role Overview.

  2. Use a security token to obtain a login token.

    TicketType has two main values: normal and mini.
    normal is the default and corresponds to the DAS domain name: HDM Console
    mini applies to BID owners and corresponds to the DAS domain name: HDM Service Console

  3. Construct a login-free link to access the DAS page.

    1. The URL format is as follows:

      1. https://signin.aliyun.com/federation?Action=Login
      2. &LoginUrl=<Address that the browser jumps to in case of login failure, generally configured as self-built WEB configuration 302 jump URL>
      3. &Destination=<DAS service page that is accessed actually>
      4. &SigninToken=<Obtained login TOKEN>

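      The DAS service page that Destination refers to depends on the TicketType parameter chosen in step 2.
      normal corresponds to the DAS domain name: HDM Console
      mini (applied to BID owners) corresponds to the DAS domain name: HDM Service Console
      The resulting link carries the SigninToken as a query parameter, so treat the whole URL as a credential: build it on the server side and keep it out of logs.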

    2. If you want to integrate the DAS dashboard, Destination can be set to: Aliyun Dashboard

      # In the Destination above, isShare=true and hideTopbar=true are required parameters.

      Parameter | Description
      isShare=true | Required for external console integration.
      hideTopbar=true | Hide the DAS Alibaba Cloud console sidebar.
      hideMenu=true | Hide DAS external menu.
      hideInstanceMenu=true | Hide the DAS instance details page sidebar and external sidebar.
    3. The reference code is as follows:

      /**
       * Builds the login-free link that signs the browser in and forwards it to a DAS page.
       *
       * <p>The returned string embeds {@code signInToken} as a query parameter, so the whole URL
       * is a credential: hand it to the browser, but keep it out of logs.
       *
       * @param pageUrl DAS service page to open after sign-in, for example the global dashboard,
       *     the real-time dashboard, or an instance details page.
       *     NOTE(review): presumably chosen by the integrating platform from a fixed set of DAS
       *     pages rather than taken from request input; confirm against the caller.
       * @param signInToken login token obtained from the GetSigninToken call
       * @return the complete sign-in URL as a string
       * @throws URISyntaxException if the sign-in endpoint or the assembled URI is malformed
       */
      private static String getHdmLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {
          URIBuilder loginUri = new URIBuilder(SIGN_IN_DOMAIN)
              .setParameter("Action", "Login")
              // Where the browser is sent when login fails; usually the 302 jump URL of the
              // self-built web platform.
              .setParameter("LoginUrl", "https://signin.aliyun.com/login.htm")
              .setParameter("Destination", pageUrl)
              .setParameter("SigninToken", signInToken);
          // The URI is only rendered to text here; no HTTP request is sent by this method.
          return loginUri.build().toString();
      }

Appendix:

  • Full version
  1. import java.io.IOException;
  2. import java.net.URISyntaxException;
  3. import com.alibaba.fastjson.JSON;
  4. import com.alibaba.fastjson.JSONObject;
  5. import com.aliyuncs.DefaultAcsClient;
  6. import com.aliyuncs.exceptions.ClientException;
  7. import com.aliyuncs.profile.DefaultProfile;
  8. import com.aliyuncs.profile.IClientProfile;
  9. import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
  10. import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
  11. import org.apache.http.HttpStatus;
  12. import org.apache.http.client.methods.CloseableHttpResponse;
  13. import org.apache.http.client.methods.HttpGet;
  14. import org.apache.http.client.utils.URIBuilder;
  15. import org.apache.http.impl.client.CloseableHttpClient;
  16. import org.apache.http.impl.client.HttpClients;
  17. import org.apache.http.util.EntityUtils;
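  /**
   * Demo of login-free access to the DAS (formerly HDM) console: assume a RAM role through STS,
   * exchange the temporary credentials for a SigninToken, and build the sign-in URL.
   *
   * <p>Created by tinker on 2019-07-09.
   *
   * <p>The temporary AccessKeySecret, the SecurityToken, the SigninToken and the final login URL
   * are all credentials. This demo prints only the login URL, because that is its result; a real
   * integration should hand the URL to the browser without writing it to any log.
   *
   * @author tinker
   * @date 2019-07-09
   */
  public class StsService {
    /** Alibaba Cloud federation endpoint used for both GetSigninToken and Login. */
    private static final String SIGN_IN_DOMAIN = "https://signin.aliyun.com/federation";

    /**
     * Formats the ARN of a RAM role.
     *
     * @param accountId UID of the account that owns the role
     * @param roleName name of the RAM role
     * @return the ARN in the form {@code acs:ram::<accountId>:role/<roleName>}
     */
    private static String getRoleArn(String accountId, String roleName) {
      return String.format("acs:ram::%s:role/%s", accountId, roleName);
    }

    /**
     * Uses the temporary STS credentials to obtain a login token.
     *
     * <p>The endpoint takes the temporary credentials as query parameters, so the request URI is
     * itself secret and must never be logged.
     *
     * @param accesskeyId temporary AccessKeyId returned by AssumeRole
     * @param accessKeySecret temporary AccessKeySecret returned by AssumeRole
     * @param securityToken SecurityToken returned by AssumeRole
     * @return the SigninToken, never {@code null} or empty
     * @throws IOException if the request fails, the status is not 200, or the response carries no
     *     SigninToken
     * @throws URISyntaxException if the request URI cannot be built
     */
    private static String getSignInToken(String accesskeyId, String accessKeySecret, String securityToken)
        throws IOException, URISyntaxException {
      URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN)
          .setParameter("Action", "GetSigninToken")
          .setParameter("AccessKeyId", accesskeyId)
          .setParameter("AccessKeySecret", accessKeySecret)
          .setParameter("SecurityToken", securityToken)
          .setParameter("TicketType", "normal");
      HttpGet request = new HttpGet(builder.build());
      // Both the client and the response are closed here; the original left the client open.
      try (CloseableHttpClient httpClient = HttpClients.createDefault();
          CloseableHttpResponse response = httpClient.execute(request)) {
        if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
          // Only the status line goes into the message: the request URI holds the credentials
          // and the body may hold a token.
          throw new IOException("GetSigninToken failed: " + response.getStatusLine());
        }
        String body = EntityUtils.toString(response.getEntity());
        JSONObject parsed = JSON.parseObject(body);
        String signInToken = parsed == null ? null : parsed.getString("SigninToken");
        if (signInToken == null || signInToken.isEmpty()) {
          // Fail here instead of returning null and building a login URL without a token.
          throw new IOException("GetSigninToken response did not contain a SigninToken");
        }
        return signInToken;
      }
    }

    /**
     * Builds the login-free link that signs the browser in and forwards it to a DAS page.
     *
     * <p>The returned string embeds {@code signInToken} as a query parameter, so the whole URL is
     * a credential.
     *
     * @param pageUrl DAS service page to open after sign-in, for example the global dashboard,
     *     the real-time dashboard, or an instance details page.
     *     NOTE(review): presumably chosen from a fixed set of DAS pages rather than taken from
     *     request input; confirm against the caller.
     * @param signInToken login token obtained from {@link #getSignInToken}
     * @return the complete sign-in URL as a string
     * @throws URISyntaxException if the sign-in endpoint or the assembled URI is malformed
     */
    private static String getHdmLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {
      URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN)
          .setParameter("Action", "Login")
          // Where the browser is sent when login fails; usually the 302 jump URL of the
          // self-built web platform.
          .setParameter("LoginUrl", "https://signin.aliyun.com/login.htm")
          .setParameter("Destination", pageUrl)
          .setParameter("SigninToken", signInToken);
      // No request is sent here, so the URI is rendered directly instead of via an HttpGet.
      return builder.build().toString();
    }

    /**
     * Obtains the user's temporary identity through the AssumeRole interface.
     *
     * @param accountId UID of the resource owner (the main account)
     * @param accessKeyId AccessKeyId of the sub-account that calls AssumeRole
     * @param accessKeySecret AccessKeySecret of that sub-account
     * @param ramRole name of the RAM role to assume
     * @return the temporary credentials (AccessKeyId, AccessKeySecret, SecurityToken, Expiration)
     * @throws ClientException if the STS call fails
     */
    private static AssumeRoleResponse.Credentials assumeRole(String accountId, String accessKeyId,
        String accessKeySecret, String ramRole)
        throws ClientException {
      String defaultRegion = "cn-hangzhou";
      IClientProfile profile = DefaultProfile.getProfile(defaultRegion, accessKeyId, accessKeySecret);
      DefaultAcsClient client = new DefaultAcsClient(profile);

      AssumeRoleRequest request = new AssumeRoleRequest();
      // Set the role ARN; accountId is the UID of the resource owner, which is the main account.
      request.setRoleArn(getRoleArn(accountId, ramRole));
      // User-defined parameter that distinguishes tokens and can be used for user-level access
      // audit. Format: ^[a-zA-Z0-9\.@\-_]+$
      // NOTE(review): a fixed value makes every session look the same in the audit trail; a real
      // integration would pass an identifier of the platform user here.
      request.setRoleSessionName("session-name");
      // Expiration time in seconds. Range: 900 ~ 3600, default 3600. A shorter lifetime narrows
      // the window in which a leaked token is usable.
      request.setDurationSeconds(3600L);

      AssumeRoleResponse response = client.getAcsResponse(request);
      return response.getCredentials();
    }

    /**
     * Runs the three steps of the demo and prints the resulting login URL.
     *
     * @param args unused
     * @throws IOException if the SigninToken cannot be obtained
     * @throws URISyntaxException if a request or login URI cannot be built
     */
    public static void main(String[] args) throws IOException, URISyntaxException {
      try {
        /*
         Step 0 Prepare sub-account and permission authorization
         */
        // The placeholders below are filled in by the reader; load the real values from the
        // environment or a secret store rather than committing them to source.
        String accountId = "";
        // Role used to access DAS. If needed, you can add permissions AliyunHDMReadOnlyAccess
        // (read-only), AliyunHDMFullAccess. Grant the read-only policy unless write access is
        // actually required.
        String ramRole = "";
        // Sub-account AK, SK, which has permission AliyunSTSAssumeRoleAccess
        String accessKeyId = "";
        String accessKeySecret = "";

        /*
         Step 1 Obtain temporary AK, SK, SecurityToken through the AssumeRole interface
         */
        AssumeRoleResponse.Credentials credentials = assumeRole(accountId, accessKeyId, accessKeySecret, ramRole);
        System.out.println("Expiration: " + credentials.getExpiration());
        System.out.println("Access Key Id: " + credentials.getAccessKeyId());
        // The temporary AccessKeySecret and SecurityToken are no longer printed: console output
        // is routinely captured in logs, and these values are live credentials.

        /*
         Step 2 Obtain SigninToken
         */
        String signInToken = getSignInToken(credentials.getAccessKeyId(),
            credentials.getAccessKeySecret(),
            credentials.getSecurityToken());
        // The token is not printed on its own; it appears only inside the login URL below.
        System.out.println("SigninToken obtained.");

        /*
         Step 3 Construct a login-free link, for example, to access the DAS dashboard
         */
        // NOTE(review): this Destination sets hideTopbar=true but not isShare=true; confirm
        // which parameters the target page needs.
        String pageUrl = getHdmLoginUrl("https://hdm.console.aliyun.com/?hideTopbar=true#/customDashboard?", signInToken);
        // The URL embeds the SigninToken; it is printed because it is the demo's result.
        System.out.println("Your PageUrl is : " + pageUrl);
      } catch (ClientException e) {
        System.out.println("Failed:");
        System.out.println("Error code: " + e.getErrCode());
        System.out.println("Error message: " + e.getErrMsg());
        System.out.println("RequestId: " + e.getRequestId());
      }
    }
  }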
  • POM file
  1. <?xml version="1.0" encoding="UTF-8"?>
  <!-- Maven build for the login demo: Alibaba Cloud core and STS SDKs, Apache HttpClient, fastjson. -->
  2. <project xmlns="http://maven.apache.org/POM/4.0.0"
  3. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4. xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5. <modelVersion>4.0.0</modelVersion>
  6. <groupId>com.aliyun</groupId>
  7. <artifactId>hdm-login-demo</artifactId>
  8. <version>1.0-SNAPSHOT</version>
  <!-- NOTE(review): the versions below are fixed pins with no update mechanism; check each one against current security advisories before reusing this file. -->
  9. <dependencies>
  10. <dependency>
  11. <groupId>com.aliyun</groupId>
  12. <artifactId>aliyun-java-sdk-core</artifactId>
  13. <version>3.5.0</version>
  14. </dependency>
  15. <dependency>
  16. <groupId>com.aliyun</groupId>
  17. <artifactId>aliyun-java-sdk-sts</artifactId>
  18. <version>3.0.0</version>
  19. </dependency>
  20. <dependency>
  21. <groupId>org.apache.httpcomponents</groupId>
  22. <artifactId>httpclient</artifactId>
  23. <version>4.5.9</version>
  24. </dependency>
  <!-- NOTE(review): older fastjson 1.x releases have published deserialization advisories; prefer a currently supported release. -->
  25. <dependency>
  26. <groupId>com.alibaba</groupId>
  27. <artifactId>fastjson</artifactId>
  28. <version>1.2.58</version>
  29. </dependency>
  30. </dependencies>
  31. <build>
  32. <plugins>
  <!-- NOTE(review): no <version> is given for this plugin, so the build uses whichever version Maven resolves by default. -->
  33. <plugin>
  34. <groupId>org.apache.maven.plugins</groupId>
  35. <artifactId>maven-compiler-plugin</artifactId>
  36. <configuration>
  37. <source>1.8</source>
  38. <target>1.8</target>
  39. <encoding>UTF-8</encoding>
  40. </configuration>
  41. </plugin>
  42. </plugins>
  43. </build>
  44. </project>