You can embed Managed Service for OpenTelemetry console pages in your self-managed web application. This way, you can view the console pages from the application without the need to switch between systems or log on to the Managed Service for OpenTelemetry console.
Overview
Expected results
After you embed the Managed Service for OpenTelemetry console pages in your self-managed web application based on this topic, you can perform the following operations:
You can log on to your system and view information about applications, application details, and traces on the embedded console pages.
You can hide the top navigation bar and left-side navigation pane of the Managed Service for OpenTelemetry console pages.
You can use Resource Access Management (RAM) to manage permissions on the Managed Service for OpenTelemetry console pages. For example, you can change full permissions to read-only permissions.
Access process
The following figure shows how to access the Managed Service for OpenTelemetry console pages.
Step 1: Create a RAM user and grant permissions to the RAM user
Use your Alibaba Cloud account to create a RAM user and authorize the RAM user to call the AssumeRole operation of Security Token Service (STS).
Log on to the RAM console using your Alibaba Cloud account or RAM administrator account (such as the AliyunRAMFullAccess policy).
In the left-side navigation pane, choose .
On the Users page, click Create User.
On the Create User page, set the Logon Name and Display Name parameters in the User Account Information section. In the Access Mode section, select Using permanent AccessKey to access and click OK.
Important: RAM automatically generates an AccessKey pair for the RAM user. This way, the RAM user can call operations to access the Managed Service for OpenTelemetry console. For security reasons, you can view or download an AccessKey secret in the RAM console only once. Therefore, you must keep the AccessKey secret strictly confidential when you create an AccessKey pair.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.
In the Grant Permission panel, grant one or more permissions to the RAM user.
Set Resource Scope.
Account: The permission takes effect on the current Alibaba account.
ResourceGroup: The permission takes effect in a specific resource group. For information about how to grant permissions to a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
Important: Before setting Resource Scope to ResourceGroup, ensure that the involved cloud services and resources support resource groups. For more information, see Services that work with Resource Group.
Set Principal.
The principal is the RAM user to which you want to grant permissions. The system automatically selects the current RAM user group as the principal.
In the Policy section, select AliyunSTSAssumeRoleAccess.
Click Grant permissions.
Click Close.
Step 2: Create a RAM role and grant permissions to the RAM role
Create a RAM role and authorize the RAM role to access the Managed Service for OpenTelemetry console. This way, the RAM user that you create can assume this RAM role to access the Managed Service for OpenTelemetry console.
To grant full permissions on Managed Service for OpenTelemetry to the RAM role, select the AliyunTracingAnalysisFullAccess policy.
To grant read-only permissions on Managed Service for OpenTelemetry to the RAM role, select the AliyunTracingAnalysisReadOnlyAccess policy.
Step 3: Obtain a temporary AccessKey pair and STS token
Log on to the self-managed web application and call the AssumeRole operation of STS from the web application server to obtain a temporary AccessKey pair and STS token. You can call this operation by using one of the following methods:
Use OpenAPI Explorer.
Use RAM SDK for Java.
You must replace the values of the following parameters in the sample code with actual values:
String akId = "<accessKeyId>";
String ak = "<accessKeySecret>";
String roleArn = "<roleArn>";
Replace the <accessKeyId> and <accessKeySecret> variables with the AccessKey ID and AccessKey secret of the RAM user that you create in Step 1. For more information, see Create an AccessKey pair.

Replace the <roleArn> variable with the Alibaba Cloud Resource Name (ARN) of the RAM role that you create. You can obtain the ARN on the details page of the RAM role in the RAM console.

Step 4: Obtain a logon token
After you call the AssumeRole operation of STS to obtain the temporary AccessKey pair and STS token, call the GetSigninToken operation to obtain a logon token.
The temporary STS token may contain special characters. Before you use the token, you must use the URL encoding method to encode the special characters.
Sample request:
http://signin4service.alibabacloud.com/federation?Action=GetSigninToken
&AccessKeyId=<The temporary AccessKey ID returned by STS>
&AccessKeySecret=<The temporary AccessKey secret returned by STS>
&SecurityToken=<The token returned by STS>
&TicketType=mini
If your self-managed web application is deployed on a partner's cloud platform, you must add the &TicketType=mini parameter.
Step 5: Generate a logon-free URL
Use the obtained logon token and the URL of a Managed Service for OpenTelemetry console page that you want to embed to generate a logon-free URL. This URL can be used to access the console page from your self-managed web application. This way, you do not need to log on to the Managed Service for OpenTelemetry console.
A temporary token is valid for 3 hours. We recommend that you configure the URL in the self-managed web application to generate a new logon token for each request and perform a 302 redirect to the console page.
In the Managed Service for OpenTelemetry console, obtain the URL of the console page that you want to embed. For example, the following URL is the URL of the Applications page for the China (Hangzhou) region:
https://trace4servims.console.alibabacloud.com/#/overview/cn-hangzhou
Note: To hide the top navigation bar and the left-side navigation pane of the Managed Service for OpenTelemetry console page, set the hideTopbar and hideSidebar parameters to true.
Use the obtained logon token and the URL of the Managed Service for OpenTelemetry console page to generate a logon-free URL for the page.
Sample request:
http://signin.alibabacloud.com/federation?Action=Login
&LoginUrl=<The URL to which you are redirected when the logon fails and the 302 HTTP status code is returned on your self-managed website>
&SigninToken=<The logon token you obtained>
&Destination=<The URL of the Managed Service for OpenTelemetry console page>
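The two sample requests in Step 4 and Step 5, built in Java with every parameter value percent-encoded so that characters such as +, /, = in the STS token and # in the console URL do not split or truncate the query string. This is an added example, not the downloadable sample code of this topic. The class and method names, the https scheme on the endpoints, the check that Destination points at the console host, and all sample values are assumptions of the example.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class EmbedUrlBuilder {
    // Hosts and paths come from the sample requests on this page; https is an assumption of this example,
    // chosen because the Step 4 query string carries the temporary AccessKey secret.
    static final String GET_TOKEN_ENDPOINT = "https://signin4service.alibabacloud.com/federation";
    static final String LOGIN_ENDPOINT = "https://signin.alibabacloud.com/federation";
    static final String CONSOLE_HOST = "trace4servims.console.alibabacloud.com";

    // Appends key/value pairs to the endpoint, percent-encoding every value.
    static String withQuery(String endpoint, String... kv) {
        StringBuilder sb = new StringBuilder(endpoint);
        for (int i = 0; i < kv.length; i += 2)
            sb.append(i == 0 ? '?' : '&').append(kv[i]).append('=')
              .append(URLEncoder.encode(kv[i + 1], StandardCharsets.UTF_8));
        return sb.toString();
    }

    // Step 4: GetSigninToken request built from the temporary credentials returned by AssumeRole.
    static String signinTokenRequest(String tmpKeyId, String tmpKeySecret, String stsToken,
                                     boolean partnerPlatform) {
        String url = withQuery(GET_TOKEN_ENDPOINT, "Action", "GetSigninToken", "AccessKeyId", tmpKeyId,
                "AccessKeySecret", tmpKeySecret, "SecurityToken", stsToken);
        return partnerPlatform ? url + "&TicketType=mini" : url;
    }

    // Step 5: logon-free URL that the web application returns in its 302 redirect.
    static String logonFreeUrl(String loginUrl, String signinToken, String destination) {
        // Added hardening (assumption): only issue logon-free URLs for pages on the console host.
        URI dest = URI.create(destination);
        if (!"https".equals(dest.getScheme()) || !CONSOLE_HOST.equals(dest.getHost()))
            throw new IllegalArgumentException("Destination is not a console page");
        return withQuery(LOGIN_ENDPOINT, "Action", "Login", "LoginUrl", loginUrl,
                "SigninToken", signinToken, "Destination", destination);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials. Do not log the Step 4 URL in production.
        String req = signinTokenRequest("STS.exampleKeyId", "exampleSecret", "CAIS+abc/def==", false);
        System.out.println(req.contains("SecurityToken=CAIS%2Babc%2Fdef%3D%3D"));
        System.out.println(logonFreeUrl("https://app.example.com/login", "example-signin-token",
                "https://trace4servims.console.alibabacloud.com/#/overview/cn-hangzhou"));
    }
}
```

Because the logon token is generated per request on the server, the temporary AccessKey pair and STS token stay on the web application server and only the Step 5 URL reaches the browser.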
Result
The following figure shows the Managed Service for OpenTelemetry console page that is embedded in the self-managed web application.

Sample code
The sample code used in this topic is based on the SDK for Java. The sample code embeds the Applications page of the Managed Service for OpenTelemetry console in your self-managed web application.
Download link: sample code.