Embedding CLS Console

Last updated: 2024-01-20 17:09:26

    Use Cases

    CLS allows you to embed the CLS console into an external system, so that you can conduct log search and analysis without logging in to the Tencent Cloud console. This feature offers the following benefits:
    Quickly integrate CLS search and analysis capabilities into an external service system (e.g., for business maintenance or operation).
    Easily share your log data with others without needing to manage additional Tencent Cloud sub-accounts.

    Demo Code for Login-Free Implementation

    Directions

    1. On the CAM page, create a CAM role, set the role entity to Tencent Cloud Account, and select Allow the current role to access console. Then configure the access permission for the CAM role (for example, the read-only policy QcloudCLSReadOnlyAccess), name the role CLSReadOnly, and copy its RoleArn.
    2. On the Policies page, create a custom policy and select Create by Policy Generator. Then select the JSON tab and enter the following information in Policy Content. Replace ${YOUR_UIN} with the account UIN (the resource content is the RoleArn of the created role; modify the policy name in case of any inconsistency). Click Next and set Policy Name to PlayClsPolicy.
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "sts:AssumeRole"
                ],
                "resource": [
                    "qcs::cam::uin/${YOUR_UIN}:roleName/CLSReadOnly"
                ]
            }
        ]
    }
    3. On the Create User page, select Custom Creation and set Type to Access Resources and Receive Messages, Username to PlayClsUser, Access Method to Programming access, and User permissions to PlayClsPolicy created in the previous step. After submitting the user creation operation, copy the generated SecretId and SecretKey.
    4. Clone the demo code cls-iframe-demo for login-free implementation. As instructed in the README of the demo project, create the .env file in the root directory and enter the required parameters RoleArn, SecretId, and SecretKey.
    Note:
    Code leakage may lead to the leakage of SecretId and SecretKey, thereby affecting your account security. We recommend that you use a key in a more secure manner as instructed in the TencentCloud API key security solution and use a sub-account key with the least privilege.
    Check the effect after running the project as instructed in the ReadMe document of the demo program for login-free implementation.
    Note:
    This example does not include the authentication logic of external systems. After deployment, all users (even if they have not logged in to Tencent Cloud) can view the data under your account with the role permissions configured in the example. To ensure data privacy and security, add the authentication logic of your external system or restrict access to the private network, so that only authorized users can view the page.
    5. Concatenate the destination login-free address s_url of CLS (optional). If you enter the obtained address in the configuration file of the login-free project, access to the login-free service will be automatically redirected to this address. The basic address of the CLS search and analysis page:
    https://console.tencentcloud.com/cls/search?region=<region>&topic_id=<topic_id>
    Parameters in the CLS search and analysis page URL:
    | Parameter | Required | Type | Description |
    |---|---|---|---|
    | region | Yes | String | Region abbreviation, e.g., ap-shanghai for Shanghai region. For other available region abbreviations, see Available Regions |
    | topic_id | No | String | Log topic ID |
    | logset_name | No | String | Logset name |
    | topic_name | No | String | Log topic name |
    | time | No | String | Time range for log search. Format example: 2021-07-15T10:00:00.000,2021-07-15T12:30:00.000 |
    | queryBase64 | No | String | Search and analysis statement, which is base64Url-encoded |
    | hideWidget | No | Boolean | Indicates whether to hide agent/documentation button in the bottom-right corner. `true`: Yes; `false`: No (default) |
    | hideTopNav | No | Boolean | Indicates whether to hide the top navigation bar in the Tencent Cloud console. `true`: Yes; `false`: No (default) |
    | hideLeftNav | No | Boolean | Indicates whether to hide the left navigation bar in the Tencent Cloud console. `true`: Yes; `false`: No (default) |
    | hideTopicSelect | No | Boolean | Indicates whether to hide the log topic selection controls (including the region, logset, and log topic controls). `true`: Yes; `false`: No (default) |
    | hideHeader | No | Boolean | Indicates whether to hide the log topic selection control and the row where the control resides. `true`: Yes; `false`: No (default). This parameter is valid only when `hideTopicSelect` is `true`. |
    | hideTopTips | No | Boolean | Indicates whether to hide the announcements on the top of the page. `true`: Yes; `false`: No (default) |
    | hideConfigMenu | No | Boolean | Indicates whether to hide the log topic configuration management menu. `true`: Yes; `false`: No (default) |
    | hideLogDownload | No | Boolean | Indicates whether to hide the raw log download button. `true`: Yes; `false`: No (default) |
    Note:
    You can specify the log topic to search using URL parameters in either of the following modes:
    topic_id: use the log topic ID to specify the log topic to search.
    logset_name+topic_name: use the logset name and log topic name to specify the log topic to search. Note that if the logset or log topic name changes, the URL adopting this mode will become invalid.
    If `topic_id`, `logset_name`, and `topic_name` exist at the same time, `topic_id` prevails.
    Relationship between hidden parameters and page modules:
    
    

    Self-Development for Login-Free Implementation

    Directions

    Note:
    Code leakage may lead to the leakage of SecretId and SecretKey, thereby affecting your account security. We recommend that you use a key in a more secure manner as instructed in the TencentCloud API key security solution and use a sub-account key with the least privilege.
    1. Configure the CLS read-only role, custom policy of the target role, and sub-account bound to the custom policy as instructed in Demo Code for Login-Free Implementation. Then, save the RoleArn, SecretId, and SecretKey information.
    2. Get the destination login-free address s_url as needed as instructed in Demo Code for Login-Free Implementation.
    3. Repeat the following steps every time you need to open a login-free page.
    4. Call the STS AssumeRole API with the obtained key to apply for the temporary key of the target role.
    5. Generate the login signature information with the obtained temporary key.
    5.1 Sort parameters to be signed. Sort parameters to be signed listed below in ascending alphabetical or numerical order. That is, sort the parameters by their first letters, then by their second letters if their first letters are the same, and so on. You can do this with the aid of sorting functions in programming languages, such as the ksort function in PHP.
    | Parameter | Required | Type | Description |
    |---|---|---|---|
    | action | Yes | String | Action; fixed as `roleLogin` |
    | timestamp | Yes | Int | Current timestamp |
    | nonce | Yes | Int | Random integer. Value range: 10000-100000000 |
    | secretId | Yes | String | Temporary AK returned by STS |
    5.2 Combine the parameters. Combine the above sorted parameters into the form of "parameter name=parameter value". Example:
    action=roleLogin&nonce=67439&secretId=AKI***PLE&timestamp=1484793352
    5.3 Concatenate a signature string. Construct a signature string in the format of "request method + request host + request path + ? + request string".
    | Parameter | Required | Description |
    |---|---|---|
    | Request host and path | Yes | Fixed as cloud.tencent.com/login/roleAccessCallback |
    | Request method | Yes | GET or POST |
    Sample signature string:
    GETcloud.tencent.com/login/roleAccessCallback?action=roleLogin&nonce=67439&secretId=AKI***PLE&timestamp=1484793352
    5.4 Generate a signature string.
    Currently, you can sign a string using HMAC-SHA1 or HMAC-SHA256. The sample code in PHP is as follows:
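    // Temporary SecretKey returned by STS (masked sample value)
    $secretKey = 'Gu5***1qA';
    // Signature string from step 5.3
    $srcStr = 'GETcloud.tencent.com/login/roleAccessCallback?action=roleLogin&nonce=67439&secretId=AKI***PLE&timestamp=1484793352';
    // Raw HMAC-SHA1 digest (fourth argument true), then base64
    $signStr = base64_encode(hash_hmac('sha1', $srcStr, $secretKey, true));
    echo $signStr;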
    Complete sample code in PHP:
    $secretId = "AKI***"; // Temporary AK returned by STS
    $secretKey = "Gu5***PLE"; // Temporary SecretKey returned by STS
    $token = "ADE***fds"; // Security Token returned by STS
    $param = [];
    $param["nonce"] = 11886; // rand(10000,100000000);
    $param["timestamp"] = 1465185768; // time();
    $param["secretId"] = $secretId;
    $param["action"] = "roleLogin";
    // Step 5.1: sort the parameters by name
    ksort($param);
    // Steps 5.2 and 5.3: request method + host + path + ? + name=value pairs
    $signStr = "GETcloud.tencent.com/login/roleAccessCallback?";
    foreach ($param as $key => $value) {
        $signStr = $signStr . $key . "=" . $value . "&";
    }
    // Drop the trailing "&"
    $signStr = substr($signStr, 0, -1);
    // Step 5.4: base64 of the raw HMAC-SHA1 digest
    $signature = base64_encode(hash_hmac("sha1", $signStr, $secretKey, true));
    echo $signature . PHP_EOL;
    6. Combine your login information and destination page URL into a login URL. Parameter values need to be URL-encoded.
    https://cloud.tencent.com/login/roleAccessCallback?
    algorithm=<Encryption algorithm for signing. Currently, only `sha1` and `sha256` are supported. `sha1` will be used by default if the parameter is not specified.>
    &secretId=<secretId for signing>
    &token=<Temporary key token>
    &nonce=<nonce for signing>
    &timestamp=<Timestamp for signing>
    &signature=<Signature string>
    &s_url=<Destination URL after login>
    7. Use the final URL to access the embedded CLS page of the Tencent Cloud console. The sample below is a URL to the CLS search analysis page:
    https://cloud.tencent.com/login/roleAccessCallback?nonce=52055817&s_url=https%3A%2F%2Fconsole.tencentcloud.com%2Fcls%2Fsearch%3Fregion%3Dap-guangzhou%26start_time%3D2020-05-26%25252014%25253A01%25253A18%26end_time%3D2020-05-26%25252014%25253A16%25253A18&secretId=AKID-vHJ7WPHcy_RVIOm-QTIktXOf9S9z_k_JackOp3dyQPJwmDrNLQJuiNuw9******&signature=eXeWaDn6iJlcPp1sqqGd6m9%2FQk****&timestamp=1592455018&token=5e4vuBHL7fBQPi1V9fvSINw4Vu7PSr9Ic3de78b86109c171eb4e3ea27c137c1fIWKU8JC-LO01L87sIYlfTSaHHXeHcqim7Jg9hBuN2nbdfgeBUPXhmpyAk4G6e9bHFZ-7yNRig7Y33CQHxh6jOesP4VfhRzQprWGRtC5No1ty******-aoj_WJhA55oyvqaqxw2jtTdh8nx9OjJr3tlbIa9oJe7aZYoPbdpFqrF6ZjlCPPap2yQB_SkUsWwDl_9BrK2Km3U2IocdvQ7QxrW0ts1aiBi7xtTSJRcfkBYPYEV_YoJrtkhYW3E4L47imA1bfVAjM9F5uKWzVzsDGDT0aCUU9mqdb4vjJrY8tm-wJKKEe8eiyY9EbkH3VWnFV2YocYNDJqFyjKOWR******
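Steps 5 to 7 end to end, as an added Python example (not code from this page or from the demo project): it builds the destination s_url, signs with HMAC-SHA256, and URL-encodes every parameter of the login URL exactly once. The function names, the `creds` dictionary layout and keeping the base64url padding are assumptions of this example; the credential values are the masked samples used above.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

HOST_PATH = "cloud.tencent.com/login/roleAccessCallback"  # fixed value, step 5.3
SEARCH_PAGE = "https://console.tencentcloud.com/cls/search"
HIDE_FLAGS = {"hideWidget", "hideTopNav", "hideLeftNav", "hideTopicSelect",
              "hideHeader", "hideTopTips", "hideConfigMenu", "hideLogDownload"}

def signature_source(secret_id, nonce, timestamp):
    """Steps 5.1-5.3: sort by name, join as name=value, prefix method+host+path."""
    params = {"action": "roleLogin", "nonce": nonce,
              "secretId": secret_id, "timestamp": timestamp}
    return f"GET{HOST_PATH}?" + "&".join(f"{k}={params[k]}" for k in sorted(params))

def sign(secret_id, secret_key, nonce, timestamp, algorithm="sha256"):
    """Step 5.4: base64(HMAC(temporary SecretKey, source string))."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("algorithm must be sha1 or sha256")
    src = signature_source(secret_id, nonce, timestamp).encode()
    mac = hmac.new(secret_key.encode(), src, getattr(hashlib, algorithm))
    return base64.b64encode(mac.digest()).decode()

def search_url(region, topic_id, query=None, hide=()):
    """Destination s_url; only the hide* flags documented on this page are accepted."""
    unknown = set(hide) - HIDE_FLAGS
    if unknown:
        raise ValueError(f"unsupported flags: {sorted(unknown)}")
    params = {"region": region, "topic_id": topic_id}
    if query is not None:
        # base64url; keeping the '=' padding is an assumption, the page does not say
        params["queryBase64"] = base64.urlsafe_b64encode(query.encode()).decode()
    params.update((flag, "true") for flag in sorted(hide))
    return f"{SEARCH_PAGE}?{urlencode(params)}"

def login_url(creds, s_url, algorithm="sha256", nonce=None, timestamp=None):
    """Steps 6-7: urlencode() percent-encodes every value exactly once."""
    nonce = nonce or secrets.randbelow(100000000 - 10000 + 1) + 10000
    timestamp = timestamp or int(time.time())
    sig = sign(creds["secretId"], creds["secretKey"], nonce, timestamp, algorithm)
    return f"https://{HOST_PATH}?" + urlencode({
        "algorithm": algorithm, "secretId": creds["secretId"], "token": creds["token"],
        "nonce": nonce, "timestamp": timestamp, "signature": sig, "s_url": s_url})

if __name__ == "__main__":
    demo = {"secretId": "AKI***PLE", "secretKey": "Gu5***1qA", "token": "ADE***fds"}  # masked samples
    print(login_url(demo, search_url("ap-guangzhou", "<topic_id>", hide=["hideTopNav"])))
```

Generate the URL server-side, per request, and only after your own system has authenticated the user; `creds` holds the temporary key and token returned by AssumeRole, never the sub-account's long-term SecretKey.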

    How It Works

    The login-free solution is implemented based on STS.
    The login flowchart is as shown below:
    
    [Figure: login flowchart]
    
    