tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Cloud Log Service
    Documentation
    Download PDF

    Embedding CLS Console

    Last updated: 2024-01-20 17:09:26
    Download PDF

      Use Cases

      CLS allows you to embed the CLS console into an external system, so that you can conduct log search and analysis without logging in to the Tencent Cloud console. This feature offers the following benefits:
      Quickly integrate CLS search and analysis capabilities into an external service system (e.g., for business maintenance or operation).
      Easily share your log data with others without needing to manage additional Tencent Cloud sub-accounts.

      Demo Code for Login-Free Implementation

      Directions

      1. On the CAM page, create a CAM role, set the role entity to Tencent Cloud Account, and select Allow the current role to access console. Then, configure the target access permission for the CAM role, for example, the read-only policy permission QcloudCLSReadOnlyAccess, name it CLSReadOnly, and copy its RoleArn information.
      2. On the Policies page, create a custom policy and select Create by Policy Generator. Then, select the JSON tag and enter the following information in Policy Content. Note that you need to replace ${YOUR_UIN} with the account UIN (the resource content is the RoleArn of the created role; modify the policy name in case of any inconsistency). Click Next and set Policy Name to PlayClsPolicy.
       {
           "version": "2.0",
           "statement": [
               {
                   "effect": "allow",
                   "action":[
                       "sts:AssumeRole"
                   ],
                   "resource": [
                       "qcs::cam::uin/${YOUR_UIN}:roleName/CLSReadOnly"
                   ]
               }
           ]
       }
      3. On the Create User page, select Custom Creation and set Type to Access Resources and Receive Messages, Username to PlayClsUser, Access Method to Programming access, and User permissions to PlayClsPolicy created in the previous step. After submitting the user creation operation, copy the generated SecretId and SecretKey.
      4. Clone the demo codecls-iframe-demo for login-free implementation. As instructed in the ReadMe content of the demo project, create the .env file in the root directory and enter the required parameters RoleArn, SecretId, and SecretKey.
      Note:
      Code leakage may lead to the leakage of SecretId and SecretKey, thereby affecting your account security. We recommend that you use a key in a more secure manner as instructed in the TencentCloud API key security solution and use a sub-account key with the least privilege.
      Check the effect after running the project as instructed in the ReadMe document of the demo program for login-free implementation.
      Note:
      This example does not include the authentication logic of external systems. After deployment, all users (even if they have not logged in to Tencent cloud) can view the data under their accounts with the role permissions configured in the example. To ensure data privacy and security, add the authentication logic of external systems or restrict their access to the private network only to ensure that only authorized users can view the page.
      5. Concatenate the destination login-free address s_url of CLS (optional). If you enter the obtained address in the configuration file of the login-free project, access to the login-free service will be automatically redirected to this address. The basic address of the CLS search and analysis page:
      https://console.tencentcloud.com/cls/search?region=<region>&topic_id=<topic_id>
      Parameters in the CLS search and analysis page URL:
      Parameter
      Required
      Type
      Description
      region
      Yes
      String
      Region abbreviation, e.g., ap-shanghai for Shanghai region. For other available region abbreviations, see Available Regions
      topic_id
      No
      String
      Log topic ID
      logset_name
      No
      String
      Logset name
      topic_name
      No
      String
      Log topic name
      time
      No
      String
      Time range for log search. Format example:2021-07-15T10:00:00.000,2021-07-15T12:30:00.000
      queryBase64
      No
      String
      Search and analysis statement, which is base64Url-encoded
      hideWidget
      No
      Boolean
      Indicates whether to hide agent/documentation button in the bottom-right corner. `true`: Yes; `false`: No (default)
      hideTopNav
      No
      Boolean
      Indicates whether to hide the top navigation bar in the Tencent Cloud console. `true`: Yes; `false`: No (default)
      hideLeftNav
      No
      Boolean
      Indicates whether to hide the left navigation bar in the Tencent Cloud console. `true`: Yes; `false`: No (default)
      hideTopicSelect
      No
      Boolean
      Indicates whether to hide the log topic selection controls (including the region, logset, and log topic controls). `true`: Yes; `false`: No (default)
      hideHeader
      No
      Boolean
      Indicates whether to hide the log topic selection control and the row where the control resides. `true`: Yes; `false`: No (default). This parameter is valid only when `hideTopicSelect` is `true`.
      hideTopTips
      No
      Boolean
      Indicates whether to hide the announcements on the top of the page. `true`: Yes; `false`: No (default)
      hideConfigMenu
      No
      Boolean
      Indicates whether to hide the log topic configuration management menu. `true`: Yes; `false`: No (default)
      hideLogDownload
      No
      Boolean
      Indicates whether to hide the raw log download button. `true`: Yes; `false`: No (default)
      Note:
      You can specify the log topic to search using URL parameters in either the following modes:
      topic_id: use the log topic ID to specify the log topic to search.
      logset_name+topic_name: use the logset name and log topic name to specify the log topic to search. Note that if the logset or log topic name changes, the URL adopting this mode will become invalid.
      If `topic_id`, `logset_name`, and `topic_name` exist at the same time, `topic_id` prevails.
      Relationship between hidden parameters and page modules:
      
      

      Self-Development for Login-Free Implementation

      Directions

      Note:
      Note: Code leakage may lead to the leakage of SecretId and SecretKey, thereby affecting your account security. We recommend that you use a key in a more secure manner as instructed in the TencentCloud API key security solution and use a sub-account key with the least privilege.
      1. Configure the CLS read-only role, custom policy of the target role, and sub-account bound to the custom policy as instructed in Demo Code for Login-Free Implementation. Then, save the RoleArn, SecretId, and SecretKey information.
      2. Get the destination login-free address s_url as needed as instructed in Demo Code for Login-Free Implementation.
      3. Repeat the following steps every time you need to open a login-free page.
      4. Call the STS AssumeRole API with the obtained key to apply for the temporary key of the target role.
      5. Generate the login signature information with the obtained temporary key.
      5.1 Sort parameters to be signed. Sort parameters to be signed listed below in ascending alphabetical or numerical order. That is, sort the parameters by their first letters, then by their second letters if their first letters are the same, and so on. You can do this with the aid of sorting functions in programming languages, such as the ksort function in PHP.
      Parameter
      Required
      Type
      Description
      action
      Yes
      String
      Action; fixed as `roleLogin`
      timestamp
      Yes
      Int
      Current timestamp
      nonce
      Yes
      Int
      Random integer. Value range: 10000-100000000
      secretId
      Yes
      String
      Temporary AK returned by STS
      5.2 Combine the parameters. Combine the above sorted parameters into the form of "parameter name=parameter value". Example:
      action=roleLogin&nonce=67439&secretId=AKI***PLE&timestamp=1484793352
      5.3 Concatenate a signature string. Construct a signature string in the format of “request method + request CVM + request path + ? + request string”.
      Parameter
      Required
      Description
      Request CVM and path
      Yes
      Fixed as cloud.tencent.com/login/roleAccessCallback
      Request method
      Yes
      GET or POST
      Sample signature string
      GETcloud.tencent.com/login/roleAccessCallback?action=roleLogin&nonce=67439&secretId=AKI***PLE&timestamp=1484793352
      5.4 Generate a signature string.
      Currently, you can sign a string using HMAC-SHA1 or HMAC-SHA256. The sample code in PHP is as follows:
      $secretKey = 'Gu5***1qA';
      $srcStr    = 'GETcloud.tencent.com/login/roleAccessCallback?action=roleLogin&nonce=67439&secretId=&timestamp=1484793352';
      $signStr   = base64_encode(hash_hmac('sha1', $srcStr, $secretKey, true));
      echo $signStr;
      Sample code for PHP
      $secretId  = "AKI***";            //Temporary AK returned by STS
      $secretKey = "Gu5***PLE";         //Temporary SecretKey returned by STS
      $token     = "ADE***fds";         //Security Token returned by STS
      $param["nonce"]     = 11886;      //rand(10000,100000000);
      $param["timestamp"] = 1465185768; //time();
      $param["secretId"]  = $secretId;
      $param["action"]    = "roleLogin";
      ksort($param);
      $signStr = "GETcloud.tencent.com/login/roleAccessCallback?";
      foreach ( $param as $key => $value ) {
          $signStr = $signStr . $key . "=" . $value . "&";
      }
      $signStr   = substr($signStr, 0, -1);
      $signature = base64_encode(hash_hmac("sha1", $signStr, $secretKey, true));
      echo $signature.PHP_EOL;
      6. Combine your login information and destination page URL into a login URL. Parameter values need to be URL-encoded.
      https://cloud.tencent.com/login/roleAccessCallback?
      algorithm=<Encryption algorithm for signing. Currently, only `sha1` and `sha256` are supported. `sha1` will be used by default if the parameter is not specified.>
      &secretId=<secretId for signing>
      &token=<Temporary key token>
      &nonce=<nonce for signing>
      &timestamp=<Timestamp for signing>
      &signature=<Signature string>
      &s_url=<Destination URL after login>
      7. Use the final URL to access the embedded CLS page of the Tencent Cloud console. The sample below is a URL to the CLS search analysis page:
      https://cloud.tencent.com/login/roleAccessCallback?nonce=52055817&s_url=https%3A%2F%2Fconsole.tencentcloud.com%2Fcls%2Fsearch%3Fregion%3Dap-guangzhou%26start_time%3D2020-05-26%25252014%25253A01%25253A18%26end_time%3D2020-05-26%25252014%25253A16%25253A18&secretId=AKID-vHJ7WPHcy_RVIOm-QTIktXOf9S9z_k_JackOp3dyQPJwmDrNLQJuiNuw9******&signature=eXeWaDn6iJlcPp1sqqGd6m9%2FQk****&timestamp=1592455018&token=5e4vuBHL7fBQPi1V9fvSINw4Vu7PSr9Ic3de78b86109c171eb4e3ea27c137c1fIWKU8JC-LO01L87sIYlfTSaHHXeHcqim7Jg9hBuN2nbdfgeBUPXhmpyAk4G6e9bHFZ-7yNRig7Y33CQHxh6jOesP4VfhRzQprWGRtC5No1ty******-aoj_WJhA55oyvqaqxw2jtTdh8nx9OjJr3tlbIa9oJe7aZYoPbdpFqrF6ZjlCPPap2yQB_SkUsWwDl_9BrK2Km3U2IocdvQ7QxrW0ts1aiBi7xtTSJRcfkBYPYEV_YoJrtkhYW3E4L47imA1bfVAjM9F5uKWzVzsDGDT0aCUU9mqdb4vjJrY8tm-wJKKEe8eiyY9EbkH3VWnFV2YocYNDJqFyjKOWR******

      How It Works

      The login-free solution is implemented based on STS.
      The login flowchart is as shown below:
      
      img
      
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy