
Simple Log Service: Embed console pages and share log data (new version)

Last Updated: Sep 10, 2024

This topic describes how to share the pages of query and analysis results and dashboard pages of Simple Log Service with other users and how to embed the Simple Log Service console pages into third-party systems. This way, users can view your logs in password-free and logon-free mode. The URLs of the shared pages are referred to as password-free and logon-free URLs.

Background information

A ticket is a token that is valid for a short period of time. A ticket is used to generate a password-free and logon-free URL. After a user obtains a password-free and logon-free URL, the user can directly access specified query and analysis pages or dashboard pages without the need to log on to the Simple Log Service console by using an Alibaba Cloud account.

Procedure:

  1. Grant the required permissions to a Resource Access Management (RAM) user.

  2. Obtain the URL of a Simple Log Service console page.

  3. Call the CreateTicket operation to obtain a ticket.

  4. Generate a password-free and logon-free URL based on the ticket and the URL of the Simple Log Service console page.

Warning

For a password-free and logon-free URL, the operations that can be performed on the landing page vary based on the permissions of the caller of the CreateTicket operation on Simple Log Service. To mitigate the data security risks that arise when you use an Alibaba Cloud account to call the CreateTicket operation, we recommend that you use a RAM user to call the CreateTicket operation and grant permissions to the RAM user based on the principle of least privilege. For more information, see Step 1: Grant the required permissions to a RAM user.

Generate a password-free and logon-free URL

Step 1: Grant the required permissions to a RAM user

If you use an Alibaba Cloud account, you can skip this step and go to Step 2.

  1. Create a RAM user.

  2. Grant the permissions on resources such as projects and Logstores and the permissions to call the CreateTicket operation to the RAM user.

    1. For more information about how to grant permissions on specific resources, see Examples of using custom policies to grant permissions to a RAM user.

    2. For more information about how to grant permissions to call the CreateTicket operation, see Grant permissions to a RAM user and Create custom policies.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "log:CreateTicket",
                  "Resource": "acs:log:*:*:ticket/*"
              }
          ]
      }
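The warning above ties what a landing page can do to the permissions of the CreateTicket caller, so it is worth checking that caller's policies before tickets are issued. The following Python check is an added example, not part of the original page or the Simple Log Service SDK. The sample policy, the function names, and the list of verb prefixes treated as modifying are assumptions.

```python
import json

# Constructed sample: policies attached to the identity that calls CreateTicket.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "log:CreateTicket",
     "Resource": "acs:log:*:*:ticket/*"},
    {"Effect": "Allow", "Action": ["log:Get*", "log:List*"],
     "Resource": "acs:log:*:*:project/demo-project/*"},
    {"Effect": "Allow", "Action": "log:*", "Resource": "*"}
  ]
}
""")

TICKET_ACTION = "log:CreateTicket"
# Verb prefixes treated as modifying; an assumption of this sketch.
WRITE_PREFIXES = ("Create", "Update", "Delete", "Put", "Post")
BROAD_RESOURCES = ("*", "acs:log:*:*:*")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def audit_ticket_caller_policy(policy):
    """Return (statement index, finding) pairs for grants that widen what
    a password-free landing page can do."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        broad = any(r in BROAD_RESOURCES
                    for r in _as_list(stmt.get("Resource", [])))
        for action in _as_list(stmt.get("Action", [])):
            if action == TICKET_ACTION:
                continue  # the grant from Step 1
            service, _, name = action.partition(":")
            if action == "*" or (service == "log" and name == "*"):
                findings.append((index, f"wildcard action {action}"))
            elif service == "log" and name.startswith(WRITE_PREFIXES):
                findings.append((index, f"modifying action {action}"))
            if broad:
                findings.append((index, f"{action} allowed on every resource"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_ticket_caller_policy(SAMPLE_POLICY):
        print(f"Statement[{index}]: {finding}")
```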

Step 2: Obtain the URL of a Simple Log Service console page

  • Query and analysis page:

    https://sls.console.aliyun.com/lognext/project/<Project name>/logsearch/<Logstore name>?slsRegion=<Region where the project resides>&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true

    For more information about project names, see Manage a project. For more information about Logstore names, see Manage a Logstore. For more information about the supported regions of projects, see the Region ID column in Endpoints.

  • Query page:

    https://sls.console.aliyun.com/lognext/project/<Project name>/logsearch/<Logstore name>?slsRegion=<Region where the project resides>&isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true

  • Dashboard page:

    Important

    Dashboard ID is displayed only in the URL of a dashboard page. The ID is not the name that is displayed on the dashboard. You can share dashboard pages in password-free mode in the Simple Log Service console. For more information, see Share dashboards or charts without passwords.

    https://sls.console.aliyun.com/lognext/project/<Project name>/dashboard/<Dashboard ID>?slsRegion=<Region where the project resides>&isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true

Step 3: Obtain a ticket

Important
  • If you want to call the CreateTicket operation to obtain a ticket, you must use the Simple Log Service endpoint for the China (Shanghai) or Singapore region. After you obtain the ticket, you can use the ticket regardless of the region.

  • A ticket can be used only once. The default validity period is one day and the maximum validity period is 30 days. For more information about how to dynamically obtain a ticket, see How does the system dynamically obtain a ticket?


Step 4: Generate a password-free and logon-free URL

  1. Concatenate the ticket obtained in Step 3 and the URL of a Simple Log Service console page obtained in Step 2 to generate a password-free and logon-free URL.

    https://sls.console.aliyun.com/lognext/project/<Project name>/dashboard/<Dashboard ID>?slsRegion=<Region where the project resides>&sls_ticket=eyJ***************.eyJ******************.KUT****************&isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true

  2. Test the password-free and logon-free URL. You can enter the URL in the address bar of your browser to test the URL. If you can access the Simple Log Service console page, the URL is valid.

    Warning
    • The first time you access a password-free and logon-free URL in a browser, you can test the URL. After the test is complete, the ticket becomes invalid. You must call the CreateTicket operation again to obtain a new ticket.

    • We recommend that you copy a password-free and logon-free URL to a file and transfer the file. If you directly send a password-free and logon-free URL to a third-party software, the URL may become invalid after the software reads the URL.
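The concatenation in Step 4 can be done in code so that project, Logstore and dashboard values are percent-encoded and the ticket is masked wherever the URL is logged. This Python helper is an added example, not code from the original page. The function names, the sample values, and the assumption that each ticket segment is base64url text are illustrative.

```python
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

CONSOLE_HOST = "sls.console.aliyun.com"
PAGES = ("logsearch", "dashboard")
# The page shows a ticket as three dot-separated segments (eyJ***.eyJ***.KUT***).
# Assumption: each segment is base64url text.
TICKET_RE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+){2}")


def build_embed_url(project, page, target, region, ticket, share=True):
    """Return the password-free URL for a Logstore (logsearch) or dashboard page.

    target is the Logstore name or the dashboard ID taken from the console URL.
    """
    if page not in PAGES:
        raise ValueError(f"unsupported page type: {page!r}")
    if not TICKET_RE.fullmatch(ticket):
        raise ValueError("ticket is not three dot-separated segments")
    # Percent-encode names so a value such as "a/b?sls_ticket=x" cannot add
    # path segments or query parameters of its own.
    path = "/lognext/project/{}/{}/{}".format(
        quote(project, safe=""), page, quote(target, safe=""))
    params = [("slsRegion", region), ("sls_ticket", ticket)]
    if share:
        params.append(("isShare", "true"))
    params += [("hideTopbar", "true"), ("hideSidebar", "true"),
               ("ignoreTabLocalStorage", "true")]
    return urlunsplit(("https", CONSOLE_HOST, path, urlencode(params), ""))


def redact_ticket(url):
    """Mask sls_ticket so the URL can be written to logs or error reports."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "sls_ticket" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample values; a real ticket comes from CreateTicket.
    url = build_embed_url("demo-project", "dashboard", "dashboard-1700000000",
                          "cn-hangzhou", "eyJhbGci.eyJ0aWQi.KUTsig")
    print(redact_ticket(url))
```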

FAQ

How do I extend the validity periods of URLs to embedded console pages?

For more information, see Extend the validity periods of URLs to embedded console pages.

How is a ticket dynamically generated?

If you want to embed Simple Log Service console pages into third-party systems, you must dynamically call the CreateTicket operation in your application to obtain a ticket on a regular basis. If you use an AccessKey pair of a RAM user to call the CreateTicket operation, the procedure is simple but poses high security risks. We recommend that you use a RAM role that has a Security Token Service (STS) token to call the CreateTicket operation. This reduces security risks.

  1. Create a RAM user and create a RAM role whose trusted entity is an Alibaba Cloud account.

  2. Grant the AliyunSTSAssumeRoleAccess permission to the RAM user. Grant the permissions to call the CreateTicket operation and the permissions related to Simple Log Service to the RAM role. For more information, see Grant permissions to a RAM role and Examples of using custom policies to grant permissions to a RAM user.

  3. Use the RAM role to call the CreateTicket operation.

    1. Use the RAM user to call the AssumeRole operation to obtain an STS token and an AccessKey pair. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKeyId and AccessKeySecret parameters specify the AccessKey ID and AccessKey secret. The SecurityToken parameter specifies the STS token.

    2. Use the RAM user to assume the RAM role based on the SecurityToken, AccessKeySecret, and AccessKeyId parameters. Then, call the CreateTicket operation to obtain a ticket.

      SDK examples

      Java

      1. Add Maven dependencies.

        Open the pom.xml file in the root directory of your Java project and add the following code:

            <dependency>
              <groupId>com.aliyun</groupId>
              <artifactId>sls20201230</artifactId>
              <version>5.2.1</version>
            </dependency>
            <dependency>
              <groupId>com.aliyun</groupId>
              <artifactId>tea-openapi</artifactId>
              <version>0.3.2</version>
            </dependency>
            <dependency>
              <groupId>com.aliyun</groupId>
              <artifactId>tea-console</artifactId>
              <version>0.0.1</version>
            </dependency>
            <dependency>
              <groupId>com.aliyun</groupId>
              <artifactId>tea-util</artifactId>
              <version>0.2.21</version>
            </dependency>
      2. Write code to obtain a ticket.

        import com.aliyun.tea.*;
        
        public class Sample {
        
            /**
             * Use your AccessKey ID and AccessKey secret to initialize a client.
             * @return Client
             * @throws Exception
             */
            public static com.aliyun.sls20201230.Client createClient() throws Exception {
                // If the project code is leaked, the AccessKey pair may be leaked and the security of all resources within your account may be compromised. The following sample code is provided only for reference. 
                // We recommend that you use STS tokens, which provide higher security. 
                com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                        // Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID environment variable is configured. 
                        .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                        // Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable is configured. 
                        .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
                // For more information about endpoints, see https://api.aliyun.com/product/Sls.
                config.endpoint = "cn-shanghai.log.aliyuncs.com";
                return new com.aliyun.sls20201230.Client(config);
            }
        
            public static void main(String[] args_) throws Exception {
                java.util.List<String> args = java.util.Arrays.asList(args_);
                com.aliyun.sls20201230.Client client = Sample.createClient();
                com.aliyun.sls20201230.models.CreateTicketRequest createTicketRequest = new com.aliyun.sls20201230.models.CreateTicketRequest();
                com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
                java.util.Map<String, String> headers = new java.util.HashMap<>();
                try {
                    com.aliyun.sls20201230.models.CreateTicketResponse resp = client.createTicketWithOptions(createTicketRequest, headers, runtime);
                    com.aliyun.teaconsole.Client.log(com.aliyun.teautil.Common.toJSONString(resp));
                } catch (TeaException error) {
                    // Handle exceptions with caution in your actual business scenario and do not ignore exceptions in your project. In this example, error messages are printed for reference only. 
                    // Display an error message.
                    System.out.println(error.getMessage());
                    // Display information for troubleshooting. getData() can be null.
                    if (error.getData() != null) {
                        System.out.println(error.getData().get("Recommend"));
                    }
                    com.aliyun.teautil.Common.assertAsString(error.message);
                } catch (Exception _error) {
                    TeaException error = new TeaException(_error.getMessage(), _error);
                    // Handle exceptions with caution in your actual business scenario and do not ignore exceptions in your project. In this example, error messages are printed for reference only. 
                    // Display an error message.
                    System.out.println(error.getMessage());
                    // Display information for troubleshooting. A wrapped exception carries no data map.
                    if (error.getData() != null) {
                        System.out.println(error.getData().get("Recommend"));
                    }
                    com.aliyun.teautil.Common.assertAsString(error.message);
                }
            }
        }

      Python

      # -*- coding: utf-8 -*-
      # This file is auto-generated, don't edit it. Thanks.
      import os
      import sys
      
      from typing import List
      
      from alibabacloud_sls20201230.client import Client as Sls20201230Client
      from alibabacloud_tea_openapi import models as open_api_models
      from alibabacloud_sls20201230 import models as sls_20201230_models
      from alibabacloud_tea_util import models as util_models
      from alibabacloud_tea_util.client import Client as UtilClient
      
      
      class Sample:
          def __init__(self):
              pass
      
          @staticmethod
          def create_client() -> Sls20201230Client:
              """
              Use your AccessKey ID and AccessKey secret to initialize a client.
              @return: Client
              @throws Exception
              """
              # If the project code is leaked, the AccessKey pair may be leaked and the security of all resources in your account may be compromised. The following sample code is provided only for reference. 
              # We recommend that you use STS tokens, which provide higher security. For more information about authentication methods, see https://help.aliyun.com/document_detail/378659.html. 
              config = open_api_models.Config(
                  # Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID environment variable is configured.
                  access_key_id=os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID'],
                  # Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable is configured.
                  access_key_secret=os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET'],
                  # Required. Make sure that the STS token is configured.
                  security_token=os.environ['ALIBABA_CLOUD_Token']
              )
              # For more information about endpoints, see https://api.aliyun.com/product/Sls.
              config.endpoint = 'cn-shanghai.log.aliyuncs.com'
              return Sls20201230Client(config)
      
          @staticmethod
          def main(
              args: List[str],
          ) -> None:
              client = Sample.create_client()
              create_ticket_request = sls_20201230_models.CreateTicketRequest(
                  expiration_time=300
              )
              runtime = util_models.RuntimeOptions()
              headers = {}
              try:
                  # If you copy and run the sample code, add code to display the API call results.
                  client.create_ticket_with_options(create_ticket_request, headers, runtime)
              except Exception as error:
                  # Handle exceptions with caution in your actual business scenario and do not ignore exceptions in your project. In this example, error messages are printed for reference only. 
                  # Display an error message. Exceptions that are not SDK errors have no message or data attribute.
                  print(getattr(error, "message", str(error)))
                  # Display information for troubleshooting.
                  print((getattr(error, "data", None) or {}).get("Recommend"))
                  UtilClient.assert_as_string(getattr(error, "message", str(error)))
      
          @staticmethod
          async def main_async(
              args: List[str],
          ) -> None:
              client = Sample.create_client()
              create_ticket_request = sls_20201230_models.CreateTicketRequest(
                  expiration_time=300
              )
              runtime = util_models.RuntimeOptions()
              headers = {}
              try:
                  # If you copy and run the sample code, add code to display the API call results.
                  await client.create_ticket_with_options_async(create_ticket_request, headers, runtime)
              except Exception as error:
                  # Handle exceptions with caution in your actual business scenario and do not ignore exceptions in your project. In this example, error messages are printed for reference only. 
                  # Display an error message. Exceptions that are not SDK errors have no message or data attribute.
                  print(getattr(error, "message", str(error)))
                  # Display information for troubleshooting.
                  print((getattr(error, "data", None) or {}).get("Recommend"))
                  UtilClient.assert_as_string(getattr(error, "message", str(error)))
      
      
      if __name__ == '__main__':
          Sample.main(sys.argv[1:])
  4. Generate password-free and logon-free URLs based on the tickets that are obtained and allow different operations.

When I use Simple Log Service SDK to call the CreateTicket operation, the InvalidMethod error is reported. Why?

You must use the Simple Log Service endpoint for the China (Shanghai) or Singapore region to call the CreateTicket operation. However, after you obtain the ticket, you can use the ticket regardless of the region.

What are the limits on tickets?

  • The default validity period of a ticket is one day and the maximum validity period is 30 days.

  • You can use a ticket to access a URL only in the same browser or host. For example, if you access a password-free and logon-free URL in Browser A by using a ticket, you can continuously access the URL before the validity period of the ticket ends. However, you cannot use the ticket to access the URL in Browser B.

  • The total number of tickets is unlimited. You can call the CreateTicket operation up to 10 times per second per account.

What are the limits on third-party cookies?

You can embed console pages and share log data without the need to use third-party cookies. For more information, see Embed console pages and share log data (new version).

What is the loading speed of embedded pages?

Simple Log Service provides old and new versions of the feature that you can use to embed console pages and share log data. If you use the new version, embedded pages can be loaded faster. For more information, see Embed console pages and share log data (new version).

What do I do if I want to open multiple embedded pages that support the same operation permissions?

  1. You can obtain a ticket and refresh embedded pages in the same browser. If the ticket expires, obtain a new ticket and replace the expired ticket with the new ticket on all pages.

  2. Different browsers or computers are considered different users. A ticket can be used only once. If you use a different browser or computer, you cannot use the same ticket and the following error message is returned:

    {"code":"TicketUnavailable","message":"There are no more tickets available.","requestId":"xxxxxx","success":false}
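The limits above (a ticket works only in the browser that first used it, and CreateTicket accepts up to 10 calls per second per account) suggest issuing one ticket per browser session on the server side and reusing it until it is close to expiry. The following Python sketch is an added example, not part of the original page or the SDK. The `TicketIssuer` class, the `create_ticket` callable that stands in for the CreateTicket call, the session IDs, and the 10% refresh margin are assumptions.

```python
import threading
import time
from collections import deque


class TicketIssuer:
    """Hand out one ticket per browser session and refresh it before expiry."""

    def __init__(self, create_ticket, ttl_seconds=300, max_calls_per_second=10,
                 clock=time.monotonic):
        # create_ticket is a hypothetical callable that wraps the CreateTicket
        # call and returns the ticket string for the given validity period.
        self._create_ticket = create_ticket
        self._ttl = ttl_seconds
        self._limit = max_calls_per_second
        self._clock = clock
        self._lock = threading.Lock()
        self._recent_calls = deque()   # timestamps of calls in the last second
        self._by_session = {}          # session id -> (ticket, expires_at)

    def ticket_for(self, session_id):
        with self._lock:
            now = self._clock()
            cached = self._by_session.get(session_id)
            # Reuse while at least 10% of the validity period remains
            # (the margin is an assumption of this sketch).
            if cached and cached[1] - now > 0.1 * self._ttl:
                return cached[0]
            while self._recent_calls and now - self._recent_calls[0] >= 1.0:
                self._recent_calls.popleft()
            if len(self._recent_calls) >= self._limit:
                raise RuntimeError("CreateTicket limit reached, retry later")
            self._recent_calls.append(now)
            ticket = self._create_ticket(self._ttl)
            self._by_session[session_id] = (ticket, now + self._ttl)
            return ticket


def demo():
    """Constructed run with a fake clock and a fake CreateTicket call."""
    now = [0.0]
    issued = []

    def fake_create_ticket(ttl):
        issued.append(ttl)
        return f"ticket-{len(issued)}"

    issuer = TicketIssuer(fake_create_ticket, ttl_seconds=300,
                          clock=lambda: now[0])
    a1 = issuer.ticket_for("browser-A")
    a2 = issuer.ticket_for("browser-A")   # same browser: same ticket
    b1 = issuer.ticket_for("browser-B")   # other browser: its own ticket
    now[0] = 280.0                        # inside the refresh margin
    a3 = issuer.ticket_for("browser-A")
    return a1, a2, b1, a3, len(issued)
```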

What do I do if I want to open multiple embedded pages that support different operation permissions?

  1. You can obtain multiple tickets that are associated with different permissions. However, you can refresh only the embedded pages that use the last ticket in this case. This is because the system records only one cookie as the credential of the current user and refreshes pages only based on the recorded cookie. The recorded cookie corresponds to the last ticket.

  2. If you do not refresh pages, cookies are not required. You can switch between pages and perform different operations on different pages.

  3. If you refresh an embedded page that does not use the last ticket, the following error message is returned:

    {"code":"TicketUnavailable","message":"There are no more tickets available.","requestId":"xxxxxx","success":false}