After the plan I gave the intern last time, he has grown closer and closer to the girl from operations, shows off the relationship from time to time, and has become the link between R&D and operations in our company. (Didn't you see it last time? To my surprise, a technical solution helped the intern win over a girl from the business side.)

This time I want to tell you about a recent project that could be called a little thrilling. Since I started learning API technical solutions on the Huawei Cloud website, I have become the company's cloud server technical expert: the boss or the O&M department come to me whenever they want to look up some data.

Recently, a system for an operations project has been under development. The operations staff planned a data BI template listing the data dimensions that need to be monitored and analyzed, and the boss simply asked me to issue a data report every week to support everyone's data collection and analysis.

Develop data reports? Isn't this forcing Li Kui to do embroidery? But could I easily say no? The sense of achievement and the halo from my past highlight moments had not faded; I could not lose face! So I proposed a solution: embed the cloud server monitoring dashboard in our own system, so that it can be queried at any time, which is also convenient.

The boss was very happy with this plan and agreed to add it to the project schedule: the data query function would go online together with the system, so that operation results could be tracked in time. In my boss's smile I saw my quarterly bonus beckoning.

Just do it; we have execution ability. It took one day to finish the program, but during testing a problem showed up: the data would not come through! Logging in to the cloud server through the embedded system requires all kinds of authentication, which means many steps, and if everyone is to be able to query, there is also a risk of credential disclosure.

What could I do? The system launch date was approaching, and I could not hold up the project. Was the boast I had made about to fall flat?

No, look again! I contacted Huawei Cloud technical experts and learned that, through an IAM custom agency, I could log in to the cloud service console page without a password: the interactive login step is skipped, and the user lands directly on the cloud server console to query and collect data.

So how is password-free login done? He gave me a document that went roughly like this:

I. Prerequisites

Step 1: Create IAM user userB under account I**mainA and grant it the Security Administrator and Agent Operator permissions (global service, global project).

Configure userB's user name and password in the enterprise system's configuration file. It is recommended that the password be stored encrypted; it is used to obtain the authentication token and to invoke the other IAM open APIs.

Note: for creating and authorizing IAM users, see: Create IAM user (support.huaweicloud.com/usermanual-…) and Create user group and authorize (support.huaweicloud.com/usermanual-…).

Step 2: Create the IAMAgency agency required for federated proxy login.

Select Common Account as the agency type and enter DomainA as the delegated account.


Note: for creating an agency, see: Create agency (delegated party) (support.huaweicloud.com/usermanual-…).

II. Huawei Cloud federated proxy login

Step 1: Invoke the IAM API to obtain the STS token

1) Use the IAM global domain name (iam.myhuaweicloud.com) to call the IAM service API POST /v3.0/OS-CREDENTIAL/securitytokens to obtain an STS token.

Fill in the "session_user" parameter and initiate a POST request.

POST iam.myhuaweicloud.com/v3.0/OS-CRE…

Sample request

    {
        "auth": {
            "identity": {
                "assume_role": {
                    "agency_name": "IAMAgency",
                    "domain_name": "I**mainA",
                    "duration-seconds": 3600,
                    "session_user": {
                        "name": "SessionUserName"
                    }
                },
                "methods": [
                    "assume_role"
                ]
            }
        }
    }

2) Obtain and record the STS token information from the response body: credential.access, credential.secret and credential.securitytoken.

Sample response

    {
        "credential": {
            "access": "E6DX0TF2ZREQ4ZAVM5CS",
            "expires_at": "2020-01-08T02:56:19.587000Z",
            "secret": "w9ePum0qdfac39ErLD0UdjofYkqort6Iw2bmR6Si",
            "securitytoken": "gQpjbi1ub3J0aC0..."
        }
    }

Send the POST request.

Step 2: Invoke the IAM API to obtain the LoginToken

1) Use the IAM global domain name (iam.myhuaweicloud.com) to call the IAM service API POST /v3.0/OS-AUTH/securitytoken/logintokens to obtain a logintoken.

POST iam.myhuaweicloud.com/v3.0/OS-AUT…

Sample request

    {
        "auth": {
            "securitytoken": {
                "access": "LUJHNN4WB569PGAPBDFT",
                "id": "gQpjbi1ub3J0a...",
                "secret": "7qtrm2cku0XubixiVkBOcvMfpnu7H2mLNCUsuFR8"
            }
        }
    }

2) Obtain the X-Subject-LoginToken from the response header.

The temporary access key and securitytoken are obtained through the agency in Step 1, and the session_user.name parameter is filled in the request body.

Sample response

    {
        "logintoken": {
            "assumed_by": {
                "user": {
                    "domain": {
                        "id": "0659ef9c9c80d4560f14c009acf9c4a0",
                        "name": "I**mainB"
                    },
                    "id": "0659ef9d4d00d3b81f26c009fee32b57",
                    "name": "IAMUserB",
                    "password_expires_at": "2020-02-16T02:44:57.000000Z"
                }
            },
            "domain_id": "05262121fb00d5c30fbec013bc17a4a0",
            "expires_at": "2020-01-23T03:[unreadable in source].728000Z",
            "method": "federation_proxy",
            "session_id": "0012c8e6adda4ce787e90585d10e3e63",
            "session_name": "SessionUserName",
            "user_id": "07826f367b80d2474ff9c013a48903ee",
            "user_name": "I**mainA/IAMAgency"
        }
    }



Step 3: Set the federated proxy login address to complete the password-free login

The federated proxy login address is built as follows:

Auth.huaweicloud.com/authui/fede…

Description of the construction parameters:

  • {target_console_URL} is the urlencoded address of the destination cloud service console.
  • {loginToken} is the urlencoded logintoken obtained in Step 2.
  • {enterprise_system_loginURL} is optional: the urlencoded address of the enterprise customer's own login system.
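As an added example (not from the document, and not Huawei's own SDK), the three steps above as Python helper functions: building the Step 1 and Step 2 request bodies, refusing to reuse a temporary credential whose expires_at has passed, and urlencoding the Step 3 address. The login page path and its query parameter names are assumptions, since the page shows them only truncated, and the sample response is constructed.

```python
from datetime import datetime, timezone
from urllib.parse import quote

# Assumption: the page truncates the login page path ("Auth.huaweicloud.com/authui/fede...")
# and names no query parameters, so this base URL and the parameter names are placeholders.
FEDERATION_LOGIN_BASE = "https://auth.huaweicloud.com/authui/PLACEHOLDER-federation-login"
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample of a Step 1 response (made-up values, same shape as the page's sample).
SAMPLE_STS_RESPONSE = {"credential": {
    "access": "EXAMPLEACCESSKEY0001", "secret": "exampleSecretKeyDoNotUse",
    "securitytoken": "gQpjbi1ub3J0aC0EXAMPLE", "expires_at": "2020-01-08T02:56:19.587000Z"}}

def build_sts_request(agency_name, domain_name, session_user_name, duration_seconds=3600):
    """Step 1 body for POST /v3.0/OS-CREDENTIAL/securitytokens. Keep the lifetime short:
    whoever holds the resulting credential can open the console until expires_at."""
    if not isinstance(duration_seconds, int) or duration_seconds <= 0:
        raise ValueError("duration_seconds must be a positive integer")
    return {"auth": {"identity": {
        "methods": ["assume_role"],
        "assume_role": {"agency_name": agency_name, "domain_name": domain_name,
                        "duration-seconds": duration_seconds,
                        "session_user": {"name": session_user_name}}}}}

def extract_credential(sts_response, now_iso=None):
    """Step 1 result: the three fields Step 2 needs, refused if credential.expires_at has passed."""
    cred = sts_response["credential"]
    expires = datetime.strptime(cred["expires_at"], TS_FMT).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_iso, TS_FMT).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    if expires <= now:
        raise ValueError("temporary credential expired at %s" % cred["expires_at"])
    return {k: cred[k] for k in ("access", "secret", "securitytoken")}

def build_logintoken_request(cred):
    """Step 2 body for POST /v3.0/OS-AUTH/securitytoken/logintokens.
    Note the key rename: credential.securitytoken is sent as securitytoken.id."""
    return {"auth": {"securitytoken": {
        "access": cred["access"], "id": cred["securitytoken"], "secret": cred["secret"]}}}

def build_federation_login_url(target_console_url, login_token, enterprise_login_url=None):
    """Step 3: every component is urlencoded; safe='' also escapes ':' and '/'."""
    params = [("target_console_url", target_console_url), ("logintoken", login_token)]
    if enterprise_login_url:
        params.append(("enterprise_system_loginurl", enterprise_login_url))
    return FEDERATION_LOGIN_BASE + "?" + "&".join(
        "%s=%s" % (k, quote(v, safe="")) for k, v in params)
```

The logintoken in the final URL grants a console session, so treat the URL like a credential: hand it to the user over HTTPS only and do not write it to logs.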

Following the document, I finally solved the problem smoothly and the project was launched on schedule. The operations staff can now query and analyze operation data themselves through the password-free login and make timely optimizations and adjustments, which saves time and trouble while keeping access secure. At the monthly meeting I was once again recognized by my boss. Happy as I was, I thought to myself, "It seems I should not relax; I still need to keep learning."

The API Explorer platform has reportedly opened EI (Enterprise Intelligence), computing, application services, network, software development platform, video and other 70+ cloud services, with 2000+ APIs and 6000+ error codes online. During the trial run, many enterprises have successfully accessed the API interfaces of Huawei Cloud through API Explorer.


In the coming months, the Huawei Cloud API Explorer platform will add more functions, such as SDK sample code and a CLI, and open more cloud service APIs to connect more developers, support innovation and broaden its boundaries.
