
Simple Log Service: Embed console pages and share log data

Last Updated: Jan 25, 2024

Simple Log Service allows you to embed console pages into a self-managed website. The pages are query and analysis pages and dashboard pages in the Simple Log Service console. This way, you can share the pages with other users, and the users can view your log data in password-free logon mode. This topic describes how to embed console pages and share log data.

How it works

After you configure collection and index settings in the Simple Log Service console, you can use the query and analysis pages and dashboard pages. You can also share the pages with other users to allow the users to view data on the pages. However, this sharing method involves multiple Resource Access Management (RAM) users, which increases the cost of RAM user management. Simple Log Service provides the console page embedding feature, which allows you to embed query and analysis pages and dashboard pages into a self-managed website. This way, you can access the pages without logging on to the Simple Log Service console. You can also use RAM to manage access to the pages. For example, you can grant read-only permissions to a RAM user that accesses the pages. For more information, see Step 2: Grant permissions to the RAM user.

The following figure shows the access process.

[Figure: access process]

Usage notes

Before you use the console page embedding feature, take note of the following items:

  • The feature allows only RAM role-based access. You must create RAM roles and RAM users.

  • The AccessKey pairs and tokens that are generated by Security Token Service (STS) are temporary credentials. You can use the credentials to access the shared URLs of embedded pages only once in your browser. If you use the credentials to repeatedly access the URLs, a SigninToken-related error is reported. The shared URLs refer to password-free logon URLs, which are described in the following sections.

  • Verification logic is used in the backend. We recommend that you regenerate the shared URLs of embedded pages 5 minutes before your SigninToken expires. If you do not regenerate the shared URLs in time, your access to the pages in password-free logon mode becomes invalid after your SigninToken expires and a SigninToken-related error is reported.

  • You can embed only complete query and analysis pages, query pages, and dashboard pages. You cannot embed alert pages.

  • The host address in a shared URL is sls4service.console.aliyun.com. You must replace the host address for each page that you want to share.

Process

This section describes the process of embedding console pages. For more information about detailed steps, see Procedure.

  1. Generate the URL of the query and analysis page or dashboard page that you want to share.

    For example, you can share a dashboard page that can be accessed at the following URL in the Simple Log Service console:

    https://sls.console.aliyun.com/lognext/project/project_name/dashboard/dashboard-1651116703628-54041

    Replace the host address in the URL with sls4service.console.aliyun.com to generate the following URL:

    https://sls4service.console.aliyun.com/lognext/project/project_name/dashboard/dashboard-1651116703628-54041
  2. Create a RAM user and a RAM role and grant the required permissions.

    For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service and Create a RAM role whose trusted entity is an Alibaba Cloud account and authorize the RAM role to access Simple Log Service.

    After the RAM user and RAM role are created, you must obtain the following information for code debugging:

    • The AccessKey pair of the RAM user.

    • The Alibaba Cloud Resource Name (ARN) of the RAM role.

      Example: acs:ram::137******44:role/role-name.

  3. Generate the URL of the console page that you want to share to allow password-free logon to the console page. For ease of understanding, the URL is referred to as the password-free logon URL.

    To generate a password-free logon URL, perform the following steps:

    1. Access STS from your web server to obtain a temporary AccessKey pair and STS token.

      You can use Java, Python, Go, or PHP to obtain the temporary AccessKey pair and STS token. For more information, see Examples.

    2. Call an STS SDK to generate a logon token that can be used to log on to Simple Log Service.

      You can use Java, Python, Go, or PHP to generate the logon token. For more information, see Examples.

    3. Reconfigure the Maximum Session Duration parameter for the RAM role and the Logon Session Validity Period parameter for the RAM user.

      The default values of the parameters limit the validity period of access to the shared page in password-free logon mode. We recommend that you modify the parameters to increase the validity period.

    4. Generate a password-free logon URL.

      Run code to generate the password-free logon URL.

  4. Embed the password-free logon URL into your web page as an iFrame.

  5. Send the URL of the web page to a user. Then, the user can view data on the query and analysis page or dashboard page that you share.

Procedure

The following procedure describes how to generate a password-free logon URL:

  1. Log on to your self-managed website and use STS to obtain a temporary AccessKey pair and an STS token.

    You can use Java, Python, Go, or PHP to obtain the temporary AccessKey pair and STS token. For more information, see Examples.

  2. Call an STS SDK to generate a logon token that can be used to log on to Simple Log Service.

    You can use Java, Python, Go, or PHP to generate the logon token. For more information, see Examples.

    Note

    The STS token may contain special characters. Before you use the STS token, you must URL encode the special characters.

    Sample request (the sign-in host is signin.aliyun.com or signin-intl.aliyun.com; signin.aliyun.com is shown):

    http://signin.aliyun.com/federation?Action=GetSigninToken
        &AccessKeyId=<The AccessKey ID of the temporary AccessKey pair that is returned by STS>
        &AccessKeySecret=<The AccessKey secret of the temporary AccessKey pair that is returned by STS>
        &SecurityToken=<The token that is returned by STS>
        &TicketType=mini
  3. Change the validity period of the logon token.

    By default, the validity period of a logon token ranges from 15 minutes to 60 minutes. You can perform the following operations to change the maximum validity period of your logon token to 12 hours:

    1. In the RAM console, change the value of the Maximum Session Duration parameter to 12 hours for the RAM role that you use.

      [Figure: RAM role]

    2. In the RAM console, change the value of the Logon Session Validity Period parameter to 12 hours for the RAM user that you use.

      [Figure: RAM user]

    3. Change the value of the setDurationSeconds field that is included in the logon-free code to 43200L.

      The following sample code provides an example on how to perform the preceding configurations in Java. For more information, visit Java code.

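      // AssumeRoleRequest: com.aliyuncs.sts.model.v20150401; MethodType: com.aliyuncs.http
      // roleArn and roleSession are defined elsewhere in the logon-free code.
      AssumeRoleRequest assumeRoleReq = new AssumeRoleRequest();
      assumeRoleReq.setRoleArn(roleArn);
      assumeRoleReq.setRoleSessionName(roleSession);
      assumeRoleReq.setMethod(MethodType.POST);
      // 43200 seconds = 12 hours; must not exceed the role's Maximum Session Duration.
      assumeRoleReq.setDurationSeconds(43200L);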
  4. Generate a password-free logon URL.

    1. Obtain the URL of the Simple Log Service page that you want to use.

      Note

      You can embed only complete query and analysis pages, query pages, and dashboard pages. You cannot embed alert pages.

      • Complete query and analysis page:

        https://sls4service.console.aliyun.com/lognext/project/<Project name>/logsearch/<Logstore name>?hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
      • Query page:

        https://sls4service.console.aliyun.com/lognext/project/<Project name>/logsearch/<Logstore name>?isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
      • Dashboard page:

        https://sls4service.console.aliyun.com/lognext/project/<Project name>/dashboard/<Dashboard ID>?isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
        Note

        The preceding Dashboard ID appears only in the URL of a dashboard page. The ID is not the name that appears on the dashboard.

      • Full-stack Observability pages

        In this example, the Trace analysis page is used. For more information, see Embed Full-stack Observability pages.

        https://sls4service.console.aliyun.com/lognext/app/observability/trace/<Project name>/<ID of a Full-stack Observability instance>?resource=/trace/<ID of a Full-stack Observability instance>/explorer&hideTopbar=true&isShare=true
    2. Generate a logon-free URL by using the logon token and the page URL.

      You can use Java, Python, Go, or PHP to generate the password-free logon URL. For more information, see Examples.

      The following example shows a password-free logon URL (signin.aliyun.com is shown; signin-intl.aliyun.com is the other sign-in host):

      http://signin.aliyun.com/federation?Action=Login
          &LoginUrl=<The URL to which you are redirected when your logon fails. We recommend that you specify the URL to which you are redirected when the HTTP status code 302 is returned on your self-managed website. You must URL-encode this URL.>
          &Destination=<The URL of a query and analysis page or a dashboard page in the Simple Log Service console. If parameters are configured, you must URL-encode the parameters.>
          &SigninToken=<The logon token that is obtained. You must URL-encode the token.>
  5. Optional. Test the password-free logon URL. You can embed the password-free logon URL generated in Step 4 into the following HTML code for testing. If you can access the shared page, the URL is valid.

    Important

    You can test a password-free logon URL only the first time that you access the URL in your browser. After the test is complete, the temporary AccessKey pair and STS token that were used become invalid, and you must regenerate the password-free logon URL.

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Console page URL</title>
    </head>
    <body>
    <iframe width="1280" height="720" src="Password-free logon URL"> </iframe>
    </body>
    </html>
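
The URL construction from the procedure above, as an added Python example that is not Alibaba Cloud's sample code: it swaps the console host for sls4service.console.aliyun.com, rejects any other destination host, and URL-encodes the STS token, Destination and SigninToken. It uses https (which the Examples section permits) and signin.aliyun.com; the function names, the host allowlist and the sample values are assumptions.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

SIGNIN_HOST = "signin.aliyun.com"  # assumption; the page also names signin-intl.aliyun.com
EMBED_HOST = "sls4service.console.aliyun.com"
CONSOLE_HOSTS = {"sls.console.aliyun.com", EMBED_HOST}  # assumed allowlist
DISPLAY_PARAMS = {"hideTopbar": "true", "hideSidebar": "true",
                  "ignoreTabLocalStorage": "true"}

def to_embed_url(console_url, share=True):
    """Rewrite a console page URL to the embeddable host and add display flags."""
    parts = urlsplit(console_url)
    if parts.scheme != "https" or parts.hostname not in CONSOLE_HOSTS:
        # Refuse to hand a signed-in session to an unexpected destination.
        raise ValueError(f"not a Simple Log Service console URL: {console_url}")
    query = dict(parse_qsl(parts.query))
    if share:  # query pages and dashboard pages carry isShare=true
        query["isShare"] = "true"
    query.update(DISPLAY_PARAMS)
    return urlunsplit(("https", EMBED_HOST, parts.path, urlencode(query), ""))

def signin_token_request(access_key_id, access_key_secret, sts_token):
    """URL of the GetSigninToken call; fetch it from the web server only."""
    params = {"Action": "GetSigninToken", "AccessKeyId": access_key_id,
              "AccessKeySecret": access_key_secret, "SecurityToken": sts_token,
              "TicketType": "mini"}
    # urlencode percent-encodes '+', '/' and '=' that an STS token may contain.
    return f"https://{SIGNIN_HOST}/federation?{urlencode(params)}"

def login_url(signin_token, console_url, fallback_url, share=True):
    """Password-free logon URL to place in the iframe src attribute."""
    params = {"Action": "Login", "LoginUrl": fallback_url,
              "Destination": to_embed_url(console_url, share),
              "SigninToken": signin_token}
    return f"https://{SIGNIN_HOST}/federation?{urlencode(params)}"

def regenerate_at(issued_at, duration_seconds, margin=300):
    """Unix time to rebuild the URL: 5 minutes before the SigninToken expires."""
    return issued_at + duration_seconds - margin

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    page = ("https://sls.console.aliyun.com/lognext/project/project_name"
            "/dashboard/dashboard-1651116703628-54041")
    print(login_url("tok+en/==", page, "https://www.example.com/login"))
```

Because each password-free logon URL works once, build a fresh one for every page load rather than caching the result of `login_url`.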

Examples

For more information about the sample code that is written in PHP, Python, and Go, visit the following URLs:

Important

The scheme of the URL in the following code is http. You can change the scheme to https. We recommend that you use a scheme that is the same as the scheme of external URLs.

  • Java

    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-sts</artifactId>
        <version>3.0.0</version>
    </dependency>
    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-core</artifactId>
        <version>3.5.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.5</version>
    </dependency>
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.68.noneautotype</version>
    </dependency>
  • PHP

  • Python

  • Go

FAQ

  • Issue

    When a password-free logon URL is embedded into a web page as an iFrame, the following error is reported:

    Refused to frame 'https://signin.aliyun.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' *.aliyun.com"
  • Cause

    For security purposes, cross-domain iFrames are not supported.

  • Solution

    Modify the Content-Security-Policy (CSP) header.

    You can specify an exact domain name or a wildcard domain name in a CSP directive to allow page embedding from the specified website. For example, you can use the following CSP directive to allow page embedding from the aliyun.com and *.aliyun.com websites:

    Content-Security-Policy: frame-ancestors 'self' aliyun.com *.aliyun.com;

    You can use the wildcard character (*) in a CSP directive to allow page embedding from all websites. Example:

    Content-Security-Policy: frame-ancestors *;

    If you allow page embedding from all websites, security risks arise. We recommend that you do not allow page embedding from all websites unless required. For more information, see https://content-security-policy.com/.
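
Why the frame is refused, and what each directive above allows, as an added Python example that is not part of the original page: a simplified frame-ancestors check that compares host names only and ignores scheme, port and path. The function names and dashboards.example.com are assumptions.

```python
from urllib.parse import urlsplit

def frame_ancestors(csp_value):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def host_matches(source, host):
    """Host-only match: '*' is any host, '*.x' is any subdomain of x but not x."""
    if source == "*":
        return True
    if source.startswith("*."):
        return host.endswith(source[1:])
    return host == source

def may_embed(csp_value, framed_url, embedder_url):
    """True if the page at embedder_url may frame framed_url under csp_value."""
    sources = frame_ancestors(csp_value)
    if sources is None:
        return True  # no frame-ancestors directive: CSP does not restrict framing
    framed_host = urlsplit(framed_url).hostname
    embedder_host = urlsplit(embedder_url).hostname
    for source in sources:
        if source == "'self'":
            if embedder_host == framed_host:  # simplified: host comparison only
                return True
        elif host_matches(source, embedder_host):
            return True
    return False

if __name__ == "__main__":
    signin = "https://signin.aliyun.com/"
    site = "https://dashboards.example.com/logs"  # constructed embedding site
    for policy in ("frame-ancestors 'self' *.aliyun.com",
                   "frame-ancestors 'self' aliyun.com *.aliyun.com;",
                   "frame-ancestors *;"):
        print(policy, "->", may_embed(policy, signin, site))
```

The wildcard source `*.aliyun.com` does not cover the bare `aliyun.com` host, which is why the directive in the Solution lists both.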