You can embed the Tracing Analysis console pages in self-managed web applications. Then, you can view the console pages from the web applications without the need to switch between systems or to log on to the Tracing Analysis console.
After you perform the steps in this topic, you can obtain the following results:
- You can log on to your system and browse the embedded pages that show applications, application details, and traces.
- You can hide the top navigation bar and left-side navigation pane of the Tracing Analysis console pages.
- You can use Resource Access Management (RAM) to control access to the Tracing Analysis console pages. For example, you can change the full permissions to read-only permissions.
Preparation: Create a RAM user and grant permissions
Use your Alibaba Cloud account to create a RAM user and authorize the RAM user to call the AssumeRole API operation of Security Token Service (STS).
- Log on to the RAM console. In the left-side navigation pane, choose . On the Users page, click Create User.
- On the Create User page, set the Logon Name and Display Name parameters in the User Account Information section. In the Access Mode section, select Open API Access and click OK. Notice RAM automatically generates an AccessKey pair for the RAM user. This way, the RAM user can access Tracing Analysis by calling the required API operations. For security reasons, the RAM console allows you to view or download an AccessKey secret only once. Therefore, you must keep the related AccessKey secret strictly confidential when you create an AccessKey pair.
- On the Users page, find the created RAM user and click Add Permissions in the Actions column.
- In the Select Policy section of the Add Permissions panel, enter a keyword in the search box to search for the AliyunSTSAssumeRoleAccess policy. Click the policy to add it to the Selected list on the right side of the section. Then, click OK.
- In the Add Permissions panel, view the authorization result in the Authorization section and click Complete.
Preparation: Create a RAM role and grant permissions
Create a RAM role and authorize the RAM role to access the Tracing Analysis console. This way, the RAM user that you just created can assume this RAM role to access the Tracing Analysis console.
- Log on to the RAM console. In the left-side navigation pane, choose . On the Roles page, click Create Role.
- In the Create Role panel, perform the following operations:
- In the Select Role Type step, set the Trusted entity type parameter to Alibaba Cloud Account. Then, click Next.
- In the Configure Role step, enter a role name in the RAM Role Name field and click OK.
- In the Finish step, click Add Permissions to RAM Role.
- In the Select Policy section of the Add Permissions panel, enter the keyword of the policy that you want to add in the search box. Click
the policy to add it to the Selected list on the right side of the section. Then, click OK.
- To grant full permissions on Tracing Analysis to the RAM role, select the AliyunTracingAnalysisFullAccess policy.
- To grant read-only permissions on Tracing Analysis to the RAM role, select the AliyunTracingAnalysisReadOnlyAccess policy.
- In the Add Permissions panel, view the authorization information summary in the Authorization section and click Complete.
Step 1: Obtain a temporary AccessKey pair and STS token
Log on to the self-managed web application. Call the AssumeRole API operation of STS from the application server to obtain a temporary AccessKey pair and STS token. You can call the API operation by using one of the following methods:
You must replace the values of the following parameters in the sample code with the actual values:
String akId = "<accessKeyId>"; String ak = "<accessKeySecret>"; String roleArn = "<roleArn>";
Replace the <accessKeyId> and <accessKeySecret> variables with the AccessKey ID and AccessKey secret of the RAM user that you created.
Replace the <roleArn> variable with the Alibaba Cloud Resource Name (ARN) of the RAM role that you created. You can obtain the ARN on the details page of the RAM role in the RAM console.
Step 2: Obtain a logon tokenAfter you call the AssumeRole API operation of STS to obtain the temporary AccessKey pair and STS token, call the GetSigninToken API operation to obtain a logon token.
http://signin4service.aliyun.com/federation?Action=GetSigninToken &AccessKeyId=<The temporary AccessKey ID that is returned by STS> &AccessKeySecret=<The temporary AccessKey secret that is returned by STS> &SecurityToken=<The temporary token that is returned by STS> &TicketType=mini
Step 3: Generate a logon-free URLUse the obtained STS token for logons and the URL of a Tracing Analysis console page that you want to embed to generate a logon-free URL. This URL can be used to access the Tracing Analysis console page from your self-managed web application. This way, you do not need to log on to the Tracing Analysis console.
- In the Tracing Analysis console, obtain the URL of the console page that you want
to embed. For example, the following URL is for the Applications page for the China (Hangzhou) region:
https://tracing-analysis.console.aliyun.com/?hideTopbar=true&hideSidebar=true#/appList/cn-hangzhouNote To hide the top navigation bar and the left-side navigation pane of the Tracing Analysis console page, set the hideTopbar and hideSidebar parameters to true.
- Use the STS token for logons that you obtained in Step 2 and the URL of the Tracing
Analysis console page to generate a logon-free URL for the page. Sample request:
http://signin.aliyun.com/federation?Action=Login &LoginUrl=<A URL that returns HTTP status code 302 and redirects you to the user-created website> &Destination=<The URL of the Tracing Analysis console page> &SigninToken=<The obtained logon token>