All Products
Search
Document Center

Managed Service for OpenTelemetry:Embed the Managed Service for OpenTelemetry console pages in a self-managed web application

Last Updated:Apr 11, 2024

You can embed the Managed Service for OpenTelemetry console pages in your self-managed web application. This way, you can view the console pages from the application without the need to switch between systems or log on to the Managed Service for OpenTelemetry console.

Overview

Expected results

After you embed the Managed Service for OpenTelemetry console pages in your self-managed web application based on this topic, you can perform the following operations:

  • You can log on to your system and view information about applications, application details, and traces on the embedded console pages.

  • You can hide the top navigation bar and left-side navigation pane of the Managed Service for OpenTelemetry console pages.

  • You can use Resource Access Management (RAM) to manage permissions on the Managed Service for OpenTelemetry console pages. For example, you can change full permissions to read-only permissions.

Access process

The following figure shows how to access the Managed Service for OpenTelemetry console pages.

image

Step 1: Create a RAM user and grant permissions to the RAM user

Use your Alibaba Cloud account to create a RAM user and authorize the RAM user to call the AssumeRole operation of Security Token Service (STS).

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. On the Create User page, configure the Logon Name and Display Name parameters in the User Account Information section. In the Access Mode section, select OpenAPI Access and click OK.

    Create RAM User

    Important

    RAM automatically generates an AccessKey pair for the RAM user. This way, the RAM user can call operations to access the Managed Service for OpenTelemetry console. For security reasons, you can view or download an AccessKey secret in the RAM console only once. Therefore, you must keep the AccessKey secret strictly confidential when you create an AccessKey pair.

  5. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  6. In the Select Policy section of the Add Permissions panel, enter a keyword in the search box to search for the AliyunSTSAssumeRoleAccess policy, click the policy to add it to the Selected list on the right, and then click OK.

    Add Permission for User

  7. Click OK.

  8. Click Complete.

Step 2: Create a RAM role and grant permissions to the RAM role

Create a RAM role and authorize the RAM role to access the Managed Service for OpenTelemetry console. This way, the RAM user that you create can assume this RAM role to access the Managed Service for OpenTelemetry console.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, perform the following operations:

    1. In the Select Role Type step, set the Select Trusted Entity parameter to Alibaba Cloud Account and click Next.

    2. In the Configure Role step, configure the RAM Role Name parameter and click OK.

    3. In the Finish step, click Add Permissions to RAM Role.

  5. On the page that appears, click Grant Permission on the Permissions tab. In the Select Policy section of the Grant Permission panel, enter a keyword in the search box to search for the policy that you want to attach to the RAM role, click the policy to add it to the Selected list on the right, and then click OK.

    Add Permission for Role

    • To grant full permissions on Managed Service for OpenTelemetry to the RAM role, select the AliyunTracingAnalysisFullAccess policy.

    • To grant read-only permissions on Managed Service for OpenTelemetry to the RAM role, select the AliyunTracingAnalysisReadOnlyAccess policy.

  6. In the Grant Permissions panel, view the authorization result and click Complete.

Step 3: Obtain a temporary AccessKey pair and STS token

Log on to the self-managed web application and call the AssumeRole operation of STS from the web application server to obtain a temporary AccessKey pair and STS token. You can call this operation by using one of the following methods:

You must replace the values of the following parameters in the sample code with actual values:

String akId = "<accessKeyId>";
String ak = "<accessKeySecret>";
String roleArn = "<roleArn>";

Replace the <accessKeyId> and <accessKeySecret> variables with the AccessKey ID and AccessKey secret of the RAM user that you create in Step 1. For more information, see Create an AccessKey pair.

Example AccessKey

Replace the <roleArn> variable with the Alibaba Cloud Resource Name (ARN) of the RAM role that you create. You can obtain the ARN on the details page of the RAM role in the RAM console.

Example ARN

Step 4: Obtain a logon token

After you call the AssumeRole operation of STS to obtain the temporary AccessKey pair and STS token, call the GetSigninToken operation to obtain a logon token.

Important

The temporary STS token may contain special characters. Before you use the token, you must use the URL encoding method to encode the special characters.

Sample request:

http://signin4service.aliyun.com/federation?Action=GetSigninToken
    &AccessKeyId=<The temporary AccessKey ID that is returned by STS>
    &AccessKeySecret=<The temporary AccessKey secret that is returned by STS>
    &SecurityToken=<The token that is returned by STS>
Note

If your self-managed web application is deployed on a partner's cloud platform, you must add the &TicketType=mini parameter.

Step 5: Generate a logon-free URL

Use the obtained logon token and the URL of a Managed Service for OpenTelemetry console page that you want to embed to generate a logon-free URL. This URL can be used to access the console page from your self-managed web application. This way, you do not need to log on to the Managed Service for OpenTelemetry console.

Note

A temporary token is valid for 3 hours. We recommend that you configure the URL in the self-managed web application to generate a new logon token for each request and perform a 302 redirect to the console page.

  1. In the Managed Service for OpenTelemetry console, obtain the URL of the console page that you want to embed. For example. the following URL is the URL of the Applications page for the China (Hangzhou) region:

    https://tracing-analysis.console.aliyun.com/?hideTopbar=true&hideSidebar=true#/appList/cn-hangzhou
    Note

    To hide the top navigation bar and the left-side navigation pane of the Managed Service for OpenTelemetry console page, set the hideTopbar and hideSidebar parameters to true.

  2. Use the obtained logon token and the URL of the Managed Service for OpenTelemetry console page to generate a logon-free URL for the page. Sample request:

    http://signin.aliyun.com/federation?Action=Login
        &LoginUrl=<The URL to which you are redirected when the logon fails and the 302 HTTP status code is returned on your self-managed website>
        &Destination=<The URL of the Managed Service for OpenTelemetry console page>
        &SigninToken=<The obtained logon token>

Sample code

The sample code used in this topic is based on the SDK for Java. The sample code is used to embed the Applications page of the Managed Service for OpenTelemetry console to your self-managed web application.

Download link: sample code.