All Products
Search
Document Center

Simple Log Service:Embed console pages and share log data

Last Updated:Aug 28, 2024

Simple Log Service allows you to embed console pages, such as query and analysis pages and dashboard pages, into a self-managed web application. This way, you can share the pages with other users, and the users can view your log data in password-free access mode. The URLs of the shared pages are referred to as logon-free URLs.

How it works

Important

To allow users to view your log data in password-free mode, we recommned that you use the ticket solution. For more information, see Embed console pages and share log data (new version).

The Single Sign On (SSO) service (signin.aliyun.com) provided by Resource Access Management (RAM) supports the integration of a logon token into a logon URL. When a user accesses a logon-free URL, SSO is first called. If SSO detects a valid logon token, the user is redirected to the specified page. This way, the user can view log data on the page in password-free access mode. The following figure shows the access process.

访问流程

  1. A user accesses your web application.

  2. The web server accesses Security Token Service (STS) to obtain a security token by using the AccessKey pair of the required RAM user.

  3. STS returns a security token.

  4. The web server accesses SSO to obtain a logon token by using the security token.

  5. SSO returns a logon token.

  6. The web server creates a logon-free URL for a page of the Simple Log Service console and returns the URL to the client. The client uses the logon-free URL to access the page.

Precautions

Before you use the console page embedding feature, take note of the following items:

  • The feature supports only RAM role-based access.

  • The STS-generated tokens are temporary credentials. You can use the credentials to access the logon-free URLs of embedded pages only once in your browser. If you use the credentials to repeatedly access the URLs, a SigninToken-related error is reported.

  • Verification logic is used in the backend. We recommend that you regenerate the logon-free URLs of embedded pages 5 minutes before your SigninToken expires. If you do not regenerate the logon-free URLs in time, your access to the embedded pages becomes invalid after your SigninToken expires, and a SigninToken-related error is reported.

  • You can embed only complete query and analysis pages, query pages, and dashboard pages. You cannot embed alert pages.

Procedure

Prepare a pending-sharing URL

  1. Obtain the URL of the query and analysis page or dashboard page that you want to share.

    Note

    You can embed only complete query and analysis pages, query pages, and dashboard pages. You cannot embed alert pages.

    • Complete query and analysis page:

      https://sls.console.aliyun.com/lognext/project/<Project name>/logsearch/<Logstore name>?slsRegion=<Region of the project>&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
    • Query page:

      https://sls.console.aliyun.com/lognext/project/<Project name>/logsearch/<Logstore name>?slsRegion=<Region of the project>&isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
    • Dashboard page:

      https://sls.console.aliyun.com/lognext/project/<Project name>/dashboard/<Dashboard ID>?slsRegion=<Region of the project>&isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
      Note

      The preceding Dashboard ID appears only in the URL of a dashboard page. The ID is not the name that appears on the dashboard.

    • Full-stack Observability page

      In this example, the Trace analysis page is used. For more information, see Embed Full-stack Observability pages.

      https://sls4service.console.aliyun.com/lognext/app/observability/trace/<Project name>/<ID of a Full-stack Observability instance>?resource=/trace/<ID of a Full-stack Observability instance>/explorer&hideTopbar=true&isShare=true
  2. Replace the host address in the URL with sls4service.console.aliyun.com.

    For example, you can share a dashboard page that can be accessed by using the following URL in the Simple Log Service console:

    https://sls.console.aliyun.com/lognext/project/project_name/dashboard/dashboard-1651116703628-54041

    Replace the host address sls.console.aliyun.com with sls4service.console.aliyun.com to generate the following pending-sharing URL:

    https://sls4service.console.aliyun.com/lognext/project/project_name/dashboard/dashboard-1651116703628-54041

Create a RAM user and RAM role

Create a RAM user and grant it the permissions to assume a RAM role. Then, create a RAM role and grant it the permissions to access the pages that you want to share, such as a dashboard page.

Create a RAM user

  1. Create a RAM user. For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service. Select OpenAPI Access when you create the RAM user. After the RAM user is created, record the AccessKey pair of the user.

  2. Grant the RAM user the permissions to assume a RAM role.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "*"
            }
        ]
    }

Create a RAM role

  1. Create a RAM role that can be assumed by a RAM user or RAM role within the current Alibaba Cloud account. For more information, see Create a RAM role whose trusted entity is an Alibaba Cloud account and grant the RAM role the permissions to access Simple Log Service.

  2. Grant the RAM role the permissions to access the URL of the page that you want to share. For example, you can grant the read-only permissions on Simple Log Service.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:Get*",
                    "log:List*",
                    "log:Query*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  3. Record the Alibaba Cloud Resource Name (ARN) of the RAM role in the acs:ram::137******44:role/role-name format.

Generate a logon-free URL

Generate the logon-free URL of the console page that you want to share to allow password-free access to the console page. For more information about sample code that is written in programming languages such as Java and Python, see Sample code.

  1. Use the AccessKey of the RAM user to access STS and obtain a security token. You can specify the validity period of the token based on your business requirements. Sample code:

    DefaultProfile.addEndpoint("", "", "Sts", stsHost);
    IClientProfile profile = DefaultProfile.getProfile("", <AccessKeyId>, <AccessKeySecret>);
    DefaultAcsClient client = new DefaultAcsClient(profile);
    AssumeRoleRequest assumeRoleReq = new AssumeRoleRequest();
    assumeRoleReq.setRoleArn(roleArn); // The ARN of the RAM role.
    assumeRoleReq.setRoleSessionName(roleSession);
    assumeRoleReq.setMethod(MethodType.POST);
    assumeRoleReq.setDurationSeconds(3600L);
    AssumeRoleResponse assumeRoleRes = client.getAcsResponse(assumeRoleReq);
  2. Access SSO and obtain a logon token. The following example shows the format of the access request. Make sure that the value of TicketType is mini.

    http://signin.aliyun.com/federation?Action=GetSigninToken
                        &AccessKeyId=<The AccessKey ID of the temporary AccessKey pair that is returned by STS>
                        &AccessKeySecret=<The AccessKey secret of the temporary AccessKey pair that is returned by STS>
                        &SecurityToken=<The token that is returned by STS>
                        &TicketType=mini

    Returned data:

    {
        "RequestId": "02b47c77c5fd48789d23773af853e9f7_936be_1706585994094_1.229",
        "SigninToken": "svX6LGcBbWLExKD5hcwdLu6RsLQbv36fWZN36WhxkTXpTcDpmzs2K6X8uFvCqGsBTU4KWJMffYz2rAVbdJXHMECgUfyzS869wh2DBdFEQo3e2fJgZ5YtcMSVnoX7pterS2f7926jFvdBXVFEF54JkUCMrDAutNRv1u7ZReC7v8oQoG5UmjJBbHUyvLTn5UDDvDfNowMVyRskrZRFUKT2qAMZ4Gnc****"
    }
  3. Add the logon token to the pending-sharing URL to generate a logon-free URL.

    http://signin.aliyun.com/federation?Action=Login
                                &LoginUrl=<The URL to which you are redirected when your logon fails. We recommend that you specify the URL to which you are redirected when the HTTP status code 302 is returned on your self-managed application. You must use encodeURL to transcode the URL. >
                                &Destination=<The pending-sharing URL of the query and analysis page or dashboard page that you want to share. If parameters are configured, you must use encodeURL to transcode the parameters. >
                                &SigninToken=<The logon token that is obtained. You must use encodeURL to transcode the token. >

Embed the logon-free URL as an iFrame

Embed the logon-free URL into your web page as an iFrame.

Important

The first time you access a logon-free URL in your browser, you can test the URL. After the test is complete, the logon token that is used becomes invalid. You must regenerate a logon-free URL.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Share a console page</title>
</head>
<body>
<iframe width="1280" height="720" src="Logon-free URL"> </iframe>
</body>
</html>

Sample code

For more information about the sample code that is written in PHP, Python, and Go, visit the following links:

  • Sample code in Java

    The following sample code shows the Maven dependencies in Java:

    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-sts</artifactId>
        <version>3.0.0</version>
    </dependency>
    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-core</artifactId>
        <version>3.5.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.5</version>
    </dependency>
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.68.noneautotype</version>
    </dependency>
  • Sample code in PHP

  • Sample code in Python

  • Sample code in Go

FAQ

  • Problem description

    When a logon-free URL is embedded into a web page as an iFrame, the following error is reported:

    Refused to frame 'https://signin.aliyun.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' *.aliyun.com"
  • Cause

    For security reasons, cross-domain iFrames are not supported.

  • Solutions

    Modify the Content-Security-Policy (CSP) header.

    You can specify an exact domain name or a wildcard domain name in a CSP directive to allow page embedding from the specified website. For example, you can use the following CSP directive to allow page embedding from the aliyun.com and *.aliyun.com websites:

    Content-Security-Policy: frame-ancestors 'self' aliyun.com *.aliyun.com;

    You can use the wildcard character (*) in a CSP directive to allow page embedding from all websites. Example:

    Content-Security-Policy: frame-ancestors *;

    If you allow page embedding from all websites, security risks arise. We recommend that you do not allow page embedding from all websites unless required. For more information, visit https://content-security-policy.com/.