Updated on 2024-05-07 GMT+08:00

Embedding LTS in Huawei Cloud User-built Systems (Password-free Login)

Introduction

Log query pages can be embedded into your own systems. Using the federation proxy mechanism of Identity and Access Management (IAM), you can build a custom identity broker and embed a login link in your systems, so that you can view LTS logs there without logging in to the Huawei Cloud console.

Scenario

  • With this function, you can log in to LTS from a user-built system without entering a password. However, you still need to enter a username and password to log in to the Huawei Cloud LTS console.
  • You can quickly integrate the query and analysis capabilities of LTS in external systems (such as an internal O&M or operations system).
  • You do not need to manage multiple Huawei Cloud IAM users, facilitating log data sharing and viewing.

Procedure

Perform steps 1 to 5 to create an identity broker and an agency, which are closely related to the IAM service. After the operations on IAM are complete, perform steps 6 to 8 to embed the log page.

  1. Log in to the IAM console, for example, as DomainA.
  2. Create an IAM user group (for example, GroupC) on the User Groups page and grant the Agent Operator permission in the global service to the user group. This permission only allows switching to the delegated account to access the authorized services. For details, see Creating a User Group and Assigning Permissions.
  3. Create an IAM user (for example, UserB) on the IAM console and add the user to GroupC by referring to Adding Users to a User Group.

    Ensure that the IAM user can use LTS through programmatic access or on the console. For details about how to change the IAM user access mode, see Modifying IAM User Information.

  4. In the navigation pane, choose Agencies. Then, click Create Agency in the upper right corner.
  5. Configure agency parameters.

    1. For example, set Agency Name to iam_for_lts, Agency Type to Account, Delegated Account to DomainA, and Validity Period to Unlimited, and click Next.
    2. Set the minimum authorization scope, select the LTS ReadOnlyAccess permission (read-only permission of LTS, which can only query LTS data but cannot modify LTS settings), and click Next, as shown in the following figure.
      Figure 1 Selecting a policy/role
    3. Specify the authorization scope, select Region-specific projects, select the corresponding region as required, and click OK.

  6. Use tools such as Postman to obtain the X-Subject-LoginToken parameter. (The following figures are for reference only.)

    1. Obtain the X-Subject-Token of UserB using the account and password.

      API type: POST

      API URL: Enter https://Endpoint/v3/auth/tokens, select the user-defined format for the parameters, and enter the following parameters. From top to bottom, the three name fields indicate the tenant name, the username, and the tenant name; password indicates the user password.

      An endpoint is the request address for calling an API. Endpoints vary depending on services and regions. For the endpoints of IAM, see Regions and Endpoints.

      {
          "auth": {
              "identity": {
                  "methods": [
                      "password"
                  ],
                  "password": {
                      "user": {
                          "domain": {
                              "name": "xxxxxxx"
                          },
                          "name": "xxxxxx",
                          "password": "xxxxxx"
                      }
                  }
              },
              "scope": {
                  "domain": {
                      "name": "xxxxxx"
                  }
              }
          }
      }

      Obtain the X-Subject-Token field in the response header.

      Figure 2 Response
    2. Obtain the temporary access key based on the X-Subject-Token obtained in 1.

      Add the X-Auth-Token field to the request header and set its value to the value of X-Subject-Token obtained in 1, as shown in the following figure.

      API type: POST

      API URL: Enter https://Endpoint/v3.0/OS-CREDENTIAL/securitytokens, select the user-defined format for the parameters, and enter the following parameters: agency_name indicates the agency name, domain_name indicates the tenant name, duration_seconds indicates the token expiration time (in seconds), and name indicates the username.
      {
          "auth": {
              "identity": {
                  "methods": [
                      "assume_role"
                  ],
                  "assume_role": {
                      "agency_name": "iam_for_lts",
                      "domain_name": "xxxxxx",
                      "duration_seconds": 86400,
                      "session_user": {
                          "name": "xxxxxx"
                      }
                  }
              }
          }
      }

      Obtain the temporary access key from the response body, as shown in the following figure.

      Figure 3 Obtaining a temporary access key
    3. Obtain the login X-Subject-LoginToken based on the temporary access key obtained in 2.

      API type: POST

      API URL: Enter https://Endpoint/v3.0/OS-AUTH/securitytoken/logintokens, select the user-defined format for the parameters, and enter the following parameters. The values of access, secret, and id are the values of access, secret, and securitytoken returned in 2, respectively; duration_seconds indicates the token expiration time (in seconds).
      {
          "auth": {
              "securitytoken": {
                  "access": "xxxxxx",
                  "secret": "xxxxxx",
                  "id": "xxxxxx",
                  "duration_seconds": 43200
              }
          }
      }

      Obtain the X-Subject-LoginToken field in the response header.

      Figure 4 Obtaining X-Subject-LoginToken

  7. Construct a proxy URL based on the X-Subject-LoginToken obtained in 3 to complete password-free login.

    The rules for constructing a proxy URL are as follows:

    https://auth.huaweicloud.com/authui/federation/login?service={target_console_url}&logintoken={logintoken}&idp_login_url={enterprise_system_loginURL}

    Table 1 URL parameters

    | Parameter | Description |
    |---|---|
    | {target_console_url} | URLEncode encoding result of the LTS address description. For details, see LTS URL. |
    | {logintoken} | URLEncode encoding result of X-Subject-LoginToken obtained in 3. |
    | {enterprise_system_loginURL} | (Optional) URLEncode encoding result of the customer's page address. When the loginToken verification fails, the page is displayed. |

    • The preceding three parameters must be encoded using URLEncode. Otherwise, password-free login may fail.
    • To perform URLEncode encoding, open a browser, press F12 to enter the developer mode, select console, enter encodeURIComponent("*"), and press Enter to view the returned URLEncode value. * indicates the information to be encoded.

    The value of {target_console_url} is the URL-encoded URL of the LTS frontend service. The URL before encoding is as follows, and the following table describes its parameters.

    https://console-intl.huaweicloud.com/lts/?region={regionId}&cfModuleHide=header_sidebar_floatlayer#/lts/logEventsLeftMenu/events?groupId={groupId}&topicId={topicId}&epsId={epsId}&condition={condition}

    | Parameter | Description |
    |---|---|
    | {regionId} | Region ID. After logging in to the console, obtain the region ID from the address bar of the browser. |
    | {groupId} | Log group ID. |
    | {topicId} | Log stream ID. |
    | {epsId} | ID of the enterprise project of a log stream. If there is no enterprise project, the value is 0. |
    | {condition} | Log search criteria, for example, name:a and age:12 and addr:xx. Optional. The format of a single keyword is key:value. Separate keywords with and. A keyword cannot contain semicolons (;) or colons (:). A keyword that contains special characters (+, =, ?, #, %, and &) must be converted into a hexadecimal value, that is, an ASCII code starting with % (%2B, %3D, %3F, %23, %25, and %26). |

  8. After the preceding steps are complete, you can log in to LTS from your user-built system without entering a password.

    Use the following iframe embedding. The value of src is the proxy URL obtained in 7.
    <body>   
        <iframe src="target_url" width="100%" height="96%" id="ltsIframePage"></iframe>       
    </body>
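
The three calls of step 6 can run in the backend of the user-built system instead of Postman, so that UserB's password and the temporary access key stay on the server and only the resulting login token is placed in the iframe URL. The following is an added example, not Huawei Cloud code: exchangeForLoginToken, postJson, requireHeader and the cfg field names are hypothetical, and it assumes Node.js 18 or later and that the response body of the second call wraps the key in a "credential" object.

```javascript
// Added example, not Huawei Cloud code. Function and cfg field names are hypothetical;
// the "credential" wrapper read in the second call is an assumption about the response.
async function postJson(fetchImpl, url, body, extraHeaders = {}) {
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "Content-Type": "application/json", ...extraHeaders },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`POST ${url} failed with HTTP ${res.status}`);
  return res;
}

function requireHeader(res, name) {
  const value = res.headers.get(name);
  if (!value) throw new Error(`response is missing the ${name} header`);
  return value;
}

// cfg: { endpoint, domain, user, password, agency, sessionUser, credentialTtl, loginTtl }
async function exchangeForLoginToken(cfg, fetchImpl = fetch) {
  const base = `https://${cfg.endpoint}`;

  // Step 6, call 1: password login as UserB, scoped to the account (domain).
  const user = { domain: { name: cfg.domain }, name: cfg.user, password: cfg.password };
  const r1 = await postJson(fetchImpl, `${base}/v3/auth/tokens`, {
    auth: {
      identity: { methods: ["password"], password: { user } },
      scope: { domain: { name: cfg.domain } },
    },
  });
  const userToken = requireHeader(r1, "X-Subject-Token");

  // Step 6, call 2: use the agency to obtain a temporary access key.
  const assumeRole = {
    agency_name: cfg.agency,
    domain_name: cfg.domain,
    duration_seconds: cfg.credentialTtl,
    session_user: { name: cfg.sessionUser },
  };
  const r2 = await postJson(fetchImpl, `${base}/v3.0/OS-CREDENTIAL/securitytokens`,
    { auth: { identity: { methods: ["assume_role"], assume_role: assumeRole } } },
    { "X-Auth-Token": userToken });
  const { access, secret, securitytoken } = (await r2.json()).credential;

  // Step 6, call 3: trade the temporary key for a login token; "id" carries securitytoken.
  const r3 = await postJson(fetchImpl, `${base}/v3.0/OS-AUTH/securitytoken/logintokens`, {
    auth: { securitytoken: { access, secret, id: securitytoken, duration_seconds: cfg.loginTtl } },
  });
  return requireHeader(r3, "X-Subject-LoginToken");
}
```

Load cfg.password from the server's secret store or environment rather than from source code, and call the function again when the login token expires.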

LTS URL

  1. The basic URL of the Log Tank Service (LTS) homepage is as follows.
    https://console-intl.huaweicloud.com/lts/?region={regionId}&cfModuleHide=header_sidebar_floatlayer#/cts/manager/groups
    Table 2 Parameters

    | Parameter | Mandatory | Type | Description |
    |---|---|---|---|
    | regionId | Yes | String | Region ID. After logging in to the console, obtain the region ID from the address bar of the browser. |

  2. The basic URL of the log search page is as follows.
    https://console-intl.huaweicloud.com/lts/?region={regionId}&cfModuleHide=header_sidebar_floatlayer#/cts/logEventsLeftMenu/events?groupId={groupId}&topicId={topicId}&epsId={epsId}&hideHeader={hideHeader}&fastAnalysisCollapsed={fastAnalysisCollapsed}&hideDashboard={hideDashboard}&hideFeedback={hideFeedback}&isFoldLabel={isFoldLabel}&hideStreamName={hideStreamName}&showK8sFilter={showK8sFilter}&clusterId={clusterId}&hideBarChart={hideBarChart}&hideTabs={hideTabs}&condition={condition}
    Table 3 Parameters

    | Parameter | Mandatory | Type | Default Value | Description |
    |---|---|---|---|---|
    | regionId | Yes | String | None | Region ID. After logging in to the console, obtain the region ID from the address bar of the browser. |
    | groupId | Yes | String | None | Log group ID. |
    | topicId | Yes | String | None | Log stream ID. |
    | epsId | No | String | None | ID of the enterprise project of a log stream. If there is no enterprise project, the value is 0. |
    | hideHeader | No | Boolean | false | Whether to hide the list on the left and the horizontal log stream list on the top. If yes, set this parameter to true. NOTE: This parameter takes effect only for iframe embedding. |
    | fastAnalysisCollapsed | No | Boolean | false | Whether to collapse quick analysis. If yes, set this parameter to true. |
    | hideDashboard | No | Boolean | false | Whether to hide the dashboard creation icon. If yes, set this parameter to true. |
    | hideFeedback | No | Boolean | false | Whether to hide the comment button. If yes, set this parameter to true. |
    | isFoldLabel | No | Boolean | true | Whether to display the label field in a new line in the log table. If yes, set this parameter to true. |
    | hideStreamName | No | Boolean | false | Whether to hide the log stream name. If yes, set this parameter to true. |
    | showK8sFilter | No | Boolean | false | Whether to display the container log filter criteria. For container log search, you can set this parameter to true. |
    | clusterId | No | String | None | Cluster ID. This parameter is mandatory only when showK8sFilter is set to true. |
    | hideBarChart | No | Boolean | false | Whether to collapse the log quantity statistics chart by default. If yes, set this parameter to true. |
    | hideTabs | No | Boolean | false | Whether to hide the Raw Logs, Visualization, and Real-Time Logs tabs. By default, the tabs are not hidden. To hide them, set this parameter to true. |
    | hideShare | No | Boolean | false | Whether to hide the sharing button. By default, the button is not hidden. To hide it, set this parameter to true. This parameter is available only in CN North-Beijing4. |
    | condition | No | String | None | Log search criteria, for example, name:a and age:12 and addr:xx. Optional. The format of a single keyword is key:value. Separate keywords with and. A keyword cannot contain semicolons (;) or colons (:). A keyword that contains special characters (+, =, ?, #, %, and &) must be converted into a hexadecimal value. |
  3. The basic URL of the visualized log search page is as follows.

    https://console-intl.huaweicloud.com/lts/?region={regionId}&cfModuleHide=header_sidebar_floatlayer#/cts/logEventsLeftMenu/events?visualization=true&groupId={groupId}&topicId={topicId}&epsId={epsId}&sql={sql}
    Table 4 Parameters

    | Parameter | Mandatory | Type | Default Value | Description |
    |---|---|---|---|---|
    | regionId | Yes | String | None | Region ID. After logging in to the console, obtain the region ID from the address bar of the browser. |
    | groupId | Yes | String | None | Log group ID. |
    | topicId | Yes | String | None | Log stream ID. |
    | epsId | No | String | None | ID of the enterprise project of a log stream. If there is no enterprise project, the value is 0. |
    | hideHeader | No | Boolean | false | Whether to hide the list on the left and the horizontal log stream list on the top. If yes, set this parameter to true. |
    | sql | No | String | None | SQL query statement, for example, SELECT count (*). |

  4. The basic URL of the dashboard page is as follows.
    https://console-intl.huaweicloud.com/lts/?region={regionId}&cfModuleHide=header_sidebar_floatlayer#/cts/manager/dashboard?dashboardId={dashboardId}&hideDashboardList={hideDashboardList}&showCurrentdashboardGroup={showCurrentdashboardGroup}&streamId={streamId}&streamDisabled={streamDisabled}&readonly={readonly}&filter=key1:value1,value2;key2:value3,value4&autoFresh={autoFresh}
    Table 5 Parameters

    | Parameter | Mandatory | Type | Default Value | Description | Example Value |
    |---|---|---|---|---|---|
    | regionId | Yes | String | None | Region ID. After logging in to the console, obtain the region ID from the address bar of the browser. | region=xx-xx-xx |
    | dashboardId | No | String | None | ID of the dashboard to be displayed. The default value is "". Add this parameter when you want to display a dashboard by default. | dashboardId=xxxxxxxx |
    | hideDashboardList | No | Boolean | false | Indicates whether to hide the dashboard drop-down list box. By default, the drop-down list box is not hidden. To hide it, set this parameter to true. Set this parameter to true when you want to hide the dashboard drop-down list box. | hideDashboardList=true |
    | showCurrentdashboardGroup | No | Boolean | false | Indicates whether to display only the dashboard of the current group or template. The default value is false. Set this parameter to true when you want to display only the dashboard of the current group or template. Note: If hideDashboardList is set to true, this parameter is invalid. | showCurrentdashboardGroup=true |
    | streamId | No | String | None | Log stream ID. The default value is "". This parameter applies only to dashboard templates. Add this parameter when you want to select a specified log stream by default. | streamId=xxxxxx |
    | streamDisabled | No | Boolean | false | By default, log streams can be selected from the log stream drop-down list. If you set this parameter to true, log streams cannot be selected from the drop-down list. This parameter applies only to dashboard templates. Add this parameter when you want to disable the log stream drop-down list. | streamDisabled=true |
    | filter | No | String | None | Filter parameter. The value is the name of the filter to be selected and the selected item. key1 and key2 indicate the filter names. value1 and value2 indicate the values to be selected for key1. value3 and value4 indicate the values to be selected for key2. Separate filters by semicolons (;), and selected items by commas (,). Add this parameter when the keys and values of some filters need to be selected by default on the embedded dashboard page. | filter=key1:value1,value2;key2:value3,value4 |
    | readonly | No | Boolean | false | Indicates whether the scenario is read-only. In the read-only scenario, operation-related buttons are hidden, for example, creating a filter and adding, modifying, or deleting a dashboard. Add this parameter when you only need to display the dashboard and do not need the operation permission. | readonly=true |
    | autoFresh | No | String | None | Scheduled refresh interval. The default value is "". Add this parameter when you need to specify the default scheduled refresh interval. Currently, the refresh interval can be 0m (irregular refresh), 1m (scheduled refresh per 1 min), 5m (scheduled refresh per 5 min), or 15m (scheduled refresh per 15 min). | autoFresh=1m |
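
The proxy URL rule in step 7 and the log search URL in Table 3 involve two layers of encoding: special characters inside condition become %XX first, and the finished LTS URL is then URL-encoded as a whole for the service parameter. Because that URL contains #, leaving it unencoded would turn everything after it, including logintoken, into a fragment that the browser never sends. The following is an added example, not Huawei Cloud code: the function names are hypothetical, the keyword rule is applied to each key and each value separately, and the ID character set is an assumption.

```javascript
// Added example, not Huawei Cloud code; all function names are hypothetical.
const CONSOLE = "https://console-intl.huaweicloud.com/lts/";
const AUTH_UI = "https://auth.huaweicloud.com/authui/federation/login";
const BOOL_FLAGS = ["hideHeader", "fastAnalysisCollapsed", "hideDashboard", "hideFeedback",
  "isFoldLabel", "hideStreamName", "showK8sFilter", "hideBarChart", "hideTabs"];

// Condition rule: ';' and ':' are rejected; +, =, ?, #, % and & become %XX.
function encodeKeywordPart(part) {
  const s = String(part);
  if (/[;:]/.test(s)) throw new Error(`';' and ':' are not allowed in a keyword: ${s}`);
  return s.replace(/[+=?#%&]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// pairs: [[key, value], ...] -> "key:value and key:value"
function buildCondition(pairs) {
  return pairs.map(([k, v]) => `${encodeKeywordPart(k)}:${encodeKeywordPart(v)}`).join(" and ");
}

// Assumption: IDs contain only letters, digits, '-' and '_', so they cannot add parameters.
function checkedId(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(String(value ?? ""))) throw new Error(`invalid ${name}`);
  return value;
}

// Builds the unencoded log search URL of Table 3 from validated parameters.
function buildLogSearchUrl(p) {
  const q = ["groupId", "topicId"].map((n) => `${n}=${checkedId(n, p[n])}`);
  q.push(`epsId=${checkedId("epsId", p.epsId ?? "0")}`);
  if (p.showK8sFilter === true && !p.clusterId) {
    throw new Error("clusterId is mandatory when showK8sFilter is true");
  }
  for (const f of BOOL_FLAGS) {
    if (p[f] === undefined) continue;
    if (typeof p[f] !== "boolean") throw new Error(`${f} must be true or false`);
    q.push(`${f}=${p[f]}`);
  }
  if (p.clusterId) q.push(`clusterId=${checkedId("clusterId", p.clusterId)}`);
  if (p.conditions && p.conditions.length) q.push(`condition=${buildCondition(p.conditions)}`);
  return `${CONSOLE}?region=${checkedId("regionId", p.regionId)}` +
    `&cfModuleHide=header_sidebar_floatlayer#/cts/logEventsLeftMenu/events?${q.join("&")}`;
}

// All three proxy URL parameters are URL-encoded; idp_login_url is optional.
function buildProxyUrl(targetConsoleUrl, loginToken, idpLoginUrl) {
  const parts = [`service=${encodeURIComponent(targetConsoleUrl)}`,
    `logintoken=${encodeURIComponent(loginToken)}`];
  if (idpLoginUrl) parts.push(`idp_login_url=${encodeURIComponent(idpLoginUrl)}`);
  return `${AUTH_UI}?${parts.join("&")}`;
}
```

The string returned by buildProxyUrl is the value to set as the iframe src in step 8.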