通过在阿里云创建RAM用户并授予STS权限策略,将DAS(原HDM)控制台以免登录方式嵌入自建的运维平台中
https://help.aliyun.com/document_detail/125772.html?spm=a2c4g.11186623.6.557.191b7ffeHVhDKE
类似效果
代码
按文档中的步骤
1. 使用AK创建临时身份并获取STS Token
2. 使用Security AK和Security Token获取SigninToken
3. 使用SigninToken获取免密URL
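#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author : Eric Winn
# @Email : eng.eric.winn@gmail.com
# @Time : 2020/3/10 2:53 PM
# @Version : 1.0
# @File : base
# @Software : PyCharm
"""Federated (password-free) sign-in to the Alibaba Cloud console via STS.

The three helpers mirror the documented flow:

1. ``getStsToken``    - AssumeRole with a long-lived AccessKey to obtain
                        temporary STS credentials.
2. ``getSigninToken`` - exchange the STS credentials for a SigninToken.
3. ``genSigninUrl``   - build the Login URL that carries the SigninToken.
"""
from aliyunsdkcore import client
from aliyunsdksts.request.v20150401 import AssumeRoleRequest
from requests.adapters import HTTPAdapter
import requests.packages.urllib3.util.ssl_
import ssl
import json
import logging
import requests
from requests import Request

logger = logging.getLogger(__file__)

# TLS settings are deliberately left at the library defaults. The sign-in
# request below carries the temporary AccessKeySecret and SecurityToken, so the
# server certificate must be verified and weak cipher suites must stay
# disabled; otherwise anyone on the network path can read those credentials.
# If outbound traffic goes through a TLS-inspecting proxy, trust its CA (for
# example through the REQUESTS_CA_BUNDLE environment variable) rather than
# switching verification off.

SigninHost = 'https://signin.aliyun.com'

# Upper bound, in seconds, for the call to the sign-in endpoint so that a
# stalled connection cannot hang the calling request handler indefinitely.
SIGNIN_TIMEOUT = 10


def getStsToken(accessKeyId, accessKeySecret, roleArn, sessionName):
    """Assume a RAM role and return the parsed AssumeRole response.

    Args:
        accessKeyId: AccessKey ID of the RAM user allowed to assume the role.
        accessKeySecret: AccessKey secret of that RAM user.
        roleArn: ARN of the role to assume.
        sessionName: name recorded for the assumed-role session.

    Returns:
        The JSON response decoded into a dict. The caller reads the temporary
        credentials from its ``Credentials`` entry.

    NOTE(review): the long-lived AccessKey should belong to a RAM user that
    holds only the STS policy, and the assumed role should be scoped to what
    the embedded console needs. Both are configured outside this file.
    """
    # The region is fixed to cn-hangzhou, as in the original snippet.
    acs_client = client.AcsClient(accessKeyId, accessKeySecret, 'cn-hangzhou')

    assume_role = AssumeRoleRequest.AssumeRoleRequest()
    assume_role.set_RoleArn(roleArn)
    assume_role.set_RoleSessionName(sessionName)
    assume_role.set_accept_format('json')

    return json.loads(acs_client.do_action(assume_role))


def getSigninToken(stsAccessKeyId, stsAccessKeySecret, securityToken):
    """Exchange temporary STS credentials for a console SigninToken.

    Args:
        stsAccessKeyId: temporary AccessKey ID returned by AssumeRole.
        stsAccessKeySecret: temporary AccessKey secret returned by AssumeRole.
        securityToken: SecurityToken returned by AssumeRole.

    Returns:
        The JSON response decoded into a dict. The caller reads
        ``SigninToken`` from it.

    Raises:
        requests.exceptions.RequestException: on connection, TLS or timeout
            failures.
    """
    # The credentials travel as query parameters, so the full request URL is
    # itself a secret: keep it out of logs and error messages.
    query = {
        'Action': 'GetSigninToken',
        'AccessKeyId': stsAccessKeyId,
        'AccessKeySecret': stsAccessKeySecret,
        'SecurityToken': securityToken,
        'TicketType': 'mini',
    }
    # Certificate verification stays on (the requests default).
    response = requests.get(SigninHost + '/federation',
                            params=query,
                            timeout=SIGNIN_TIMEOUT)
    return response.json()


def genSigninUrl(signinToken, loginPage, destination):
    """Build the federation Login URL for a SigninToken.

    Args:
        signinToken: token obtained from ``getSigninToken``.
        loginPage: URL the console sends the user back to once the sign-in
            session is no longer valid.
        destination: console page to open after a successful sign-in.

    Returns:
        The prepared URL, or an empty string if it could not be built (the
        error is logged).

    NOTE(review): the returned URL embeds the SigninToken, so handle it as a
    credential: give it only to the already-authenticated operator's browser
    and do not write it to logs. ``loginPage`` and ``destination`` are best
    taken from server-side configuration rather than from request input.
    """
    login_request = Request('GET',
                            SigninHost + '/federation',
                            params={'Action': 'Login',
                                    'LoginUrl': loginPage,
                                    'Destination': destination,
                                    'SigninToken': signinToken})
    try:
        url = login_request.prepare().url
    except Exception as e:
        logger.error(e, exc_info=True)
        url = ''
    return url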
使用
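# The login page is not hosted on Alibaba Cloud, so name the page the console
# should send the user back to once the sign-in session is no longer valid.
loginUrl = 'https://ops.itnotebooks.com/monitor/das'

# ARN of the role to assume. $accountID and $roleName are placeholders to be
# replaced with the real account ID and role name.
roleArn = 'acs:ram::$accountID:role/$roleName'

# session_name is supplied by the caller. Using the operator's own account
# name here keeps each assumed-role session attributable to a person.
sessionName = session_name

# Alibaba Cloud page to open after a successful sign-in.
#
# isShare=true           required when embedding the console externally.
# hideTopbar=true        hides the DAS Alibaba Cloud console bar.
# hideMenu=true          hides the DAS outer menu.
# hideInstanceMenu=true  hides the sidebar of the DAS instance detail page and
#                        the outer sidebar.
#
destination = 'https://hdm4service.console.aliyun.com/?hideTopbar=true&isShare=true&hideMenu=true&hideInstanceMenu=true#/dashboard/convoy'

# Assume the role and obtain an STS token.
# ALIYUN_ACCESS_KEY_ID / ALIYUN_ACCESS_KEY_SECRET are defined elsewhere; they
# are long-lived secrets and belong in server-side configuration only.
stsToken = getStsToken(ALIYUN_ACCESS_KEY_ID, ALIYUN_ACCESS_KEY_SECRET, roleArn, sessionName)

# A failed AssumeRole response has no 'Credentials' entry; stop here with a
# clear error instead of an opaque KeyError further down.
credentials = stsToken.get('Credentials')
if not credentials:
    raise RuntimeError('AssumeRole did not return temporary credentials')

# Exchange the STS token for a console SigninToken.
response = getSigninToken(credentials['AccessKeyId'],
                          credentials['AccessKeySecret'],
                          credentials['SecurityToken'])
signinToken = response.get('SigninToken')
if not signinToken:
    raise RuntimeError('GetSigninToken did not return a SigninToken')

# Build the password-free URL. loginUrl is the page to return to when the
# sign-in session expires (see above). The resulting URL carries the
# SigninToken: hand it only to the authenticated operator's browser and keep
# it out of logs.
signinUrl = genSigninUrl(signinToken, loginUrl, destination)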
