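Login-free access to the DMS console
You can embed a login-free DMS console link in your own R&D platform or tooling platform, so that users can open the DMS console and use DMS features directly, without logging in with an Alibaba Cloud account or as a RAM user. This article describes how to construct a login-free DMS console link.
Procedure
Create a RAM role for accessing DMS and grant it permissions, then create a RAM user (sub-account) and grant it the AliyunSTSAssumeRoleAccess permission. For details on creation and authorization, see Preparations.
Obtain the temporary identity credentials of the assumed role, consisting of an AccessKey ID, an AccessKey Secret, and a SecurityToken. These credentials are used to obtain the sign-in token (SigninToken). For the detailed steps, see Step 1: Obtain the temporary identity credentials of the assumed role.
Obtain the SigninToken, which is used to construct the login-free access link. For the detailed steps, see Step 2: Obtain the SigninToken.
Construct the login-free access link. For the detailed steps, see Step 3: Construct the login-free access link.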
<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>aliyun-java-sdk-core</artifactId>
    <version>4.5.25</version>
</dependency>
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>2.0.53</version>
</dependency>
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.auth.sts.AssumeRoleRequest;
import com.aliyuncs.auth.sts.AssumeRoleResponse;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import org.apache.http.HttpStatus;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import java.io.IOException;
import java.net.URISyntaxException;
/*
   Create the sub-account and grant it permissions
 */
String accountId = "<main account UID>";
// The role used to access DMS; attach AliyunDMSReadOnlyAccess (read-only) or AliyunDMSFullAccess to it as your needs require
String ramRoleArn = "<RoleArn created in Preparations>";
// AccessKey ID and AccessKey Secret of the sub-account, which also needs the AliyunSTSAssumeRoleAccess permission
String accessKeyId = "";
String accessKeySecret = "";
/*
   Step 1: call AssumeRole to obtain a temporary AccessKey ID, AccessKey Secret and SecurityToken
 */
AssumeRoleResponse.Credentials credentials = assumeRole(accountId, accessKeyId, accessKeySecret, ramRoleArn);
// Printed to show the values returned; these are live credentials until Expiration
System.out.println("Expiration: " + credentials.getExpiration());
System.out.println("Access Key Id: " + credentials.getAccessKeyId());
System.out.println("Access Key Secret: " + credentials.getAccessKeySecret());
System.out.println("Security Token: " + credentials.getSecurityToken());
/*
   Step 2: obtain the SigninToken
 */
String signInToken = getSignInToken(credentials.getAccessKeyId(),
        credentials.getAccessKeySecret(),
        credentials.getSecurityToken());
System.out.println("Your SigninToken is: " + signInToken);
/*
   Step 3: construct the login-free access link, for example to the DMS console home page
 */
String pageUrl = getDmsLoginUrl("https://dms.aliyun.com", signInToken);
System.out.println("Your PageUrl is : " + pageUrl);
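Preparations
If you already meet all of the following requirements, you can go straight to Steps 1, 2, and 3.
Create a RAM role for accessing DMS. For the procedure, see Create a RAM role whose trusted entity is an Alibaba Cloud account.
Grant permissions to the RAM role. For the procedure, see Grant permissions to a RAM role.
Create a RAM user (sub-account). For the procedure, see Create a RAM user.
Grant the AliyunSTSAssumeRoleAccess permission to the RAM user. For the procedure, see Grant permissions to a RAM user.
Step 1: Obtain the temporary identity credentials of the assumed role
Call the AssumeRole API as a RAM user or RAM role to obtain the temporary identity credentials of the assumed role. For more information about the API, see AssumeRole.
The Java sample code is as follows.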
/**
 * Obtains a temporary identity for the user through the AssumeRole API.
 *
 * @param accountId       UID of the main account
 * @param accessKeyId     AccessKey ID of the sub-account
 * @param accessKeySecret AccessKey Secret of the sub-account
 * @param ramRoleArn      ARN of the role to assume
 * @return the temporary credentials of the assumed role
 * @throws ClientException if the AssumeRole call fails
 */
private static AssumeRoleResponse.Credentials assumeRole(String accountId, String accessKeyId,
                                                         String accessKeySecret, String ramRoleArn)
        throws ClientException {
    String defaultRegion = "cn-hangzhou";
    IClientProfile profile = DefaultProfile.getProfile(defaultRegion, accessKeyId, accessKeySecret);
    DefaultAcsClient client = new DefaultAcsClient(profile);
    AssumeRoleRequest request = new AssumeRoleRequest();
    // The ARN is the global resource descriptor of the role and identifies the specific role
    request.setRoleArn(ramRoleArn);
    // User-defined parameter. It distinguishes different tokens and can be used for user-level access auditing. Format: ^[a-zA-Z0-9\.@\-_]+$
    request.setRoleSessionName("session-name");
    // Expiration time in seconds. Valid range: 900~3600; default: 3600
    request.setDurationSeconds(3600L);
    AssumeRoleResponse response = client.getAcsResponse(request);
    return response.getCredentials();
}
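Because RoleSessionName distinguishes tokens for user-level auditing, a platform that embeds DMS can derive it from its own user ID instead of the fixed "session-name" used above. The following is an added example, not part of the original sample code; the class and method names, the platform user ID input and the 64-character cap are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class RoleSessionNames {
    // Assumption of this example: upper bound on the RoleSessionName length
    private static final int MAX_LEN = 64;

    /** Maps a platform user ID (hypothetical input) to a name matching ^[a-zA-Z0-9\.@\-_]+$ */
    static String forUser(String platformUserId) throws NoSuchAlgorithmException {
        if (platformUserId == null || platformUserId.isEmpty()) {
            throw new IllegalArgumentException("platform user ID is required for auditing");
        }
        // Replace every character outside the allowed set
        String safe = platformUserId.replaceAll("[^a-zA-Z0-9.@\\-_]", "_");
        // Replacement can make two users collide ("bob smith" and "bob_smith"),
        // so append a short hash of the original ID to keep audit entries distinct
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(platformUserId.getBytes(StandardCharsets.UTF_8));
        StringBuilder tag = new StringBuilder();
        for (int i = 0; i < 4; i++) {
            tag.append(String.format("%02x", digest[i]));
        }
        int keep = Math.min(safe.length(), MAX_LEN - tag.length() - 1);
        return safe.substring(0, keep) + "-" + tag;
    }

    /** Keeps a requested lifetime inside the 900~3600 second range stated above. */
    static long clampDuration(long requestedSeconds) {
        return Math.max(900L, Math.min(3600L, requestedSeconds));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample user IDs
        System.out.println(forUser("alice@example.com"));
        System.out.println(forUser("bob smith"));
        System.out.println(forUser("bob_smith"));
        System.out.println(clampDuration(60));
    }
}
```

The results would be passed to request.setRoleSessionName(...) and request.setDurationSeconds(...) in assumeRole.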
Step 2: Obtain the SigninToken
Call the GetSigninToken API to obtain the SigninToken. For more information about the API, see GetSigninToken.
The Java sample code is as follows.
/**
 * Uses the temporary security credentials to obtain a SigninToken.
 *
 * @param accesskeyId     temporary AccessKey ID returned by AssumeRole
 * @param accessKeySecret temporary AccessKey Secret returned by AssumeRole
 * @param securityToken   SecurityToken returned by AssumeRole
 * @return the SigninToken, or null if the request did not return HTTP 200
 * @throws IOException
 * @throws URISyntaxException
 */
private static String getSignInToken(String accesskeyId, String accessKeySecret, String securityToken)
        throws IOException, URISyntaxException {
    // The query string carries the AccessKey Secret and SecurityToken, so the request is sent over HTTPS
    URIBuilder builder = new URIBuilder("https://signin.aliyun.com/federation");
    builder.setParameter("Action", "GetSigninToken")
            .setParameter("AccessKeyId", accesskeyId)
            .setParameter("AccessKeySecret", accessKeySecret)
            .setParameter("SecurityToken", securityToken)
            .setParameter("TicketType", "normal");
    HttpGet request = new HttpGet(builder.build());
    // try-with-resources closes both the client and the response
    try (CloseableHttpClient httpclient = HttpClients.createDefault();
         CloseableHttpResponse response = httpclient.execute(request)) {
        if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
            String context = EntityUtils.toString(response.getEntity());
            JSONObject jsonObject = JSON.parseObject(context);
            return jsonObject.getString("SigninToken");
        } else {
            System.out.println(response.getStatusLine());
        }
    }
    return null;
}
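Step 3: Construct the login-free access link
A SigninToken can be used only once when constructing an access link. If your business needs to use a SigninToken again, obtain a new one.
The Java sample code is as follows.
Request example: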
private static String getDmsLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {
    URIBuilder builder = new URIBuilder("http://signin.aliyun.com/federation");
    builder.setParameter("Action", "Login");
    // Address to redirect to when the login session expires; generally the URL on your own web server that is configured for a 302 redirect
    builder.setParameter("LoginUrl", "https://signin.aliyun.com/login.htm");
    // The DMS page that is actually visited
    builder.setParameter("Destination", pageUrl);
    builder.setParameter("SigninToken", signInToken);
    HttpGet request = new HttpGet(builder.build());
    return request.getURI().toString();
}
Response example:
Expiration: 2020-11-30T06:16:20Z
Access Key Id: STS.NT7L6Jp5Y8W9LNvGQku2x****
Access Key Secret: 4nU8F6rv8MCDR8tygMDnXvN9yCNBCVrxnqArj1n1****
Security Token: CAIS/gF1q6Ft5B2yfSjIr5e****+nep4j5XSTmjHo1E+eb1Ujo7xijz2IH9IeXhpB****/43nWlU7PkYlrloRoReREvCKM1565kSqFn6O11Qf****+5qsoasPETOITyZtZagToeUZdfZfejXGDKgvyRvwLz****/Vli+S/OggoJmadJlNWvRL0AxZrFsKxBltdUROF****+pKWSKuGfLC1dysQcO4gEWq4bHm5zAs0OH1QOhlrVP+N+qfqLJNZc8YM1NNP6ux/Fze6b71ypd1gNH7q8ejtYfpmua74jBXgUAuU3faraOrYd1SwZ9Z7knH****/n6ifBjpvw9Hlk0R9OcVhqAAXpZx****+STGa8vctRwyTWdMM5LByes3cr1D46jaj0****/lTMkoXCwjMlCs7sc+DA9xjJCcl57eKC7A3ThnJAWQyyeKZfIGgeHN7yUS5ND8r7TBn6bMUqwvfVX****/cbkzBX6iV6jrataHZPZdtQYHH6GgvQ5XZUZJjoD****
Your SigninToken is: 06ec409b9d8c48f6ac5dcd18a0513ee1dhUkhcRn5CMsDqffC4wxsuFt9xjYtYePmYTHEWSMVKLFyXXnSq3IUbon1v46wCmKPwrAejDvw2i8rilolPSuxpKRDxz****
Your PageUrl is : http://signin.aliyun.com/federation?Action=Login&LoginUrl=https%3A%2F%2Fsignin.aliyun.com%2Flogin.htm&Destination=https%3A%2F%2Fdms.aliyun.com&SigninToken=06ec409b9d8c48f6ac5dcd18a0513ee1dhUkhcRn5CMsDqffC4wxsuFt9xjYtYePmYTHEWSMVKLFyXXnSq3IUbon1v46wCmKPwrAejDvw2i8rilolPSuxpKRDxzD****
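The format of the login-free access link (PageUrl) is as follows.
http://signin.aliyun.com/federation?Action=Login
&LoginUrl=<address to redirect to when the login session expires; generally the URL on your own web server that is configured for a 302 redirect>
&Destination=<the DMS page that is actually visited>
&SigninToken=<the sign-in token that was obtained>
The DMS page that Destination points to depends on the TicketType.
If the type is normal, the corresponding DMS domain is http://dms.aliyun.com.
If the type is mini, which is generally used for BID virtual network operators, the corresponding domain is http://dms-ent4service.aliyun.com.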
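One way to enforce the TicketType-to-domain pairing described above before a link is handed out, so that a Destination on any other host is rejected. This is an added example, not part of the original sample code; the class and method names and the choice of HTTPS for the federation endpoint are assumptions of this example, and it assumes Java 11 or later.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class DmsLoginUrlCheck {
    // TicketType -> DMS console host, as listed in this article
    private static final Map<String, String> HOST_BY_TICKET_TYPE = Map.of(
            "normal", "dms.aliyun.com",
            "mini", "dms-ent4service.aliyun.com");
    // Federation endpoint from this article; the HTTPS scheme is this example's choice
    private static final String FEDERATION = "https://signin.aliyun.com/federation";

    static String buildLoginUrl(String ticketType, String destination,
                                String loginUrl, String signinToken) {
        String expectedHost = HOST_BY_TICKET_TYPE.get(ticketType);
        if (expectedHost == null) {
            throw new IllegalArgumentException("Unknown TicketType: " + ticketType);
        }
        URI dest = URI.create(destination);
        String scheme = dest.getScheme();
        boolean web = "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
        // Exact host comparison: look-alike or unrelated hosts are rejected
        if (!web || !expectedHost.equalsIgnoreCase(dest.getHost())) {
            throw new IllegalArgumentException(
                    "Destination must be on " + expectedHost + " for TicketType " + ticketType);
        }
        if (signinToken == null || signinToken.isEmpty()) {
            throw new IllegalArgumentException("SigninToken is missing; it is single-use, obtain a new one");
        }
        return FEDERATION + "?Action=Login"
                + "&LoginUrl=" + enc(loginUrl)
                + "&Destination=" + enc(destination)
                + "&SigninToken=" + enc(signinToken);
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String login = "https://signin.aliyun.com/login.htm";
        // Constructed sample values; "SAMPLE-TOKEN" stands in for a real SigninToken
        System.out.println(buildLoginUrl("mini", "https://dms-ent4service.aliyun.com", login, "SAMPLE-TOKEN"));
        try {
            buildLoginUrl("mini", "https://dms.aliyun.com", login, "SAMPLE-TOKEN");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```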
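Next steps
Use the constructed login-free access link (PageUrl) to enter the DMS console. The result is shown in the following figure:
FAQ
Q: If you embed the login-free link in an iFrame and logging in inside the DMS page does not work (as shown in the following figure), what should you do?
A: When obtaining the SigninToken in Step 2, set TicketType to mini, and then in Step 3 set pageUrl to https://dms-ent4service.aliyun.com. You can then log in successfully.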