2.3.11 IdP 的监控

简介

要确保 IdP 服务的长期稳定运行,服务监控是必不可少的。除了常规的服务器监控之外,IdP 本身也暴露了一部分内置的监控指标,可供我们采集。

status

访问状态监控页

curl http://127.0.0.1:8080/idp/profile/status

或者

curl http://127.0.0.1:8080/idp/status

可以获取到 IdP 的状态监控数据

### Operating Environment Information
operating_system: Linux
operating_system_version: 3.10.0-1062.12.1.el7.x86_64
operating_system_architecture: amd64
jdk_version: 1.8.0_242
available_cores: 4
used_memory: 258 MB
maximum_memory: 843 MB

### Identity Provider Information
idp_version: 3.4.6
start_time: 2020-03-06T19:47:07+08:00
current_time: 2020-03-06T20:06:15+08:00
uptime: 1148872 ms

service: shibboleth.LoggingService
last successful reload attempt: 2020-03-06T11:45:46Z
last reload attempt: 2020-03-06T11:45:46Z

service: shibboleth.ReloadableAccessControlService
last successful reload attempt: 2020-03-06T11:45:49Z
last reload attempt: 2020-03-06T11:45:49Z

service: shibboleth.MetadataResolverService
last successful reload attempt: 2020-03-06T11:45:48Z
last reload attempt: 2020-03-06T11:45:48Z

        metadata source: HTTPMetadata
        last refresh attempt: 2020-03-06T12:00:54Z
        last successful refresh: 2020-03-06T12:00:54Z
        last update: 2020-03-06T11:45:54Z
        root validUntil: 2020-04-03T11:31:30Z

        metadata source: HTTPMetadataShec
        last refresh attempt: 2020-03-06T12:00:55Z
        last successful refresh: 2020-03-06T12:00:55Z
        last update: 2020-03-06T11:45:54Z

service: shibboleth.RelyingPartyResolverService
last successful reload attempt: 2020-03-06T11:45:48Z
last reload attempt: 2020-03-06T11:45:48Z

service: shibboleth.NameIdentifierGenerationService
last successful reload attempt: 2020-03-06T11:45:47Z
last reload attempt: 2020-03-06T11:45:47Z

service: shibboleth.AttributeResolverService
last successful reload attempt: 2020-03-06T11:45:47Z
last reload attempt: 2020-03-06T11:45:47Z

        DataConnector staticAttributes: has never failed

        DataConnector ComputedIDConnector: has never failed

        DataConnector myLDAP: has never failed

service: shibboleth.AttributeFilterService
last successful reload attempt: 2020-03-06T11:45:47Z
last reload attempt: 2020-03-06T11:45:47Z

json status

在 IdP 3.3 之后的版本中,IdP 提供了 json 化的数据指标接口,从而更容易程序处理。

curl http://127.0.0.1:8080/idp/profile/admin/metrics

将返回 json 格式的监控数据,格式化后结构如下所示:

{
    "version": "3.0.0",
    "gauges": {
        "cores.available": {
            "value": 4
        },
        "host.name": {
            "value": "idp"
        },
        "java.class.path": {
            "value": "/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar"
        },
        "java.home": {
            "value": "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre"
        },
        "java.vendor": {
            "value": "Oracle Corporation"
        },
        "java.vendor.url": {
            "value": "http://java.oracle.com/"
        },
        "java.version": {
            "value": "1.8.0_242"
        },
        "memory.free.bytes": {
            "value": 163839568
        },
        "memory.free.megs": {
            "value": 156
        },
        "memory.usage": {
            "value": 0.6362058486316756
        },
        "memory.used.bytes": {
            "value": 286523824
        },
        "memory.used.megs": {
            "value": 273
        },
        "net.shibboleth.idp.accesscontrol.reload.attempt": {
            "value": "2020-03-06T11:45:49.134Z"
        },
        "net.shibboleth.idp.accesscontrol.reload.error": {
            "value": null
        },
        "net.shibboleth.idp.accesscontrol.reload.success": {
            "value": "2020-03-06T11:45:49.134Z"
        },
        "net.shibboleth.idp.attribute.filter.reload.attempt": {
            "value": "2020-03-06T11:45:47.443Z"
        },
        "net.shibboleth.idp.attribute.filter.reload.error": {
            "value": null
        },
        "net.shibboleth.idp.attribute.filter.reload.success": {
            "value": "2020-03-06T11:45:47.443Z"
        },
        "net.shibboleth.idp.attribute.resolver.failure": {
            "value": {}
        },
        "net.shibboleth.idp.attribute.resolver.reload.attempt": {
            "value": "2020-03-06T11:45:47.517Z"
        },
        "net.shibboleth.idp.attribute.resolver.reload.error": {
            "value": null
        },
        "net.shibboleth.idp.attribute.resolver.reload.success": {
            "value": "2020-03-06T11:45:47.517Z"
        },
        "net.shibboleth.idp.logging.reload.attempt": {
            "value": "2020-03-06T11:45:46.715Z"
        },
        "net.shibboleth.idp.logging.reload.error": {
            "value": null
        },
        "net.shibboleth.idp.logging.reload.success": {
            "value": "2020-03-06T11:45:46.715Z"
        },
        "net.shibboleth.idp.metadata.refresh": {
            "value": {
                "HTTPMetadata": "2020-03-06T12:00:54.318Z",
                "HTTPMetadataShec": "2020-03-06T12:00:55.260Z"
            }
        },
        "net.shibboleth.idp.metadata.reload.attempt": {
            "value": "2020-03-06T11:45:48.248Z"
        },
        "net.shibboleth.idp.metadata.reload.error": {
            "value": null
        },
        "net.shibboleth.idp.metadata.reload.success": {
            "value": "2020-03-06T11:45:48.248Z"
        },
        "net.shibboleth.idp.metadata.rootValidUntil": {
            "value": {
                "HTTPMetadata": "2020-04-03T11:31:30.000Z"
            }
        },
        "net.shibboleth.idp.metadata.successfulRefresh": {
            "value": {
                "HTTPMetadata": "2020-03-06T12:00:54.318Z",
                "HTTPMetadataShec": "2020-03-06T12:00:55.260Z"
            }
        },
        "net.shibboleth.idp.metadata.update": {
            "value": {
                "HTTPMetadata": "2020-03-06T11:45:54.028Z",
                "HTTPMetadataShec": "2020-03-06T11:45:54.093Z"
            }
        },
        "net.shibboleth.idp.nameid.reload.attempt": {
            "value": "2020-03-06T11:45:47.986Z"
        },
        "net.shibboleth.idp.nameid.reload.error": {
            "value": null
        },
        "net.shibboleth.idp.nameid.reload.success": {
            "value": "2020-03-06T11:45:47.986Z"
        },
        "net.shibboleth.idp.relyingparty.reload.attempt": {
            "value": "2020-03-06T11:45:48.035Z"
        },
        "net.shibboleth.idp.relyingparty.reload.error": {
            "value": null
        },
        "net.shibboleth.idp.relyingparty.reload.success": {
            "value": "2020-03-06T11:45:48.035Z"
        },
        "net.shibboleth.idp.starttime": {
            "value": "2020-03-06T11:45:45.798Z"
        },
        "net.shibboleth.idp.uptime": {
            "value": 1318624
        },
        "net.shibboleth.idp.version": {
            "value": "3.4.6"
        },
        "org.opensaml.version": {
            "value": "3.4.5"
        },
        "os.arch": {
            "value": "amd64"
        },
        "os.name": {
            "value": "Linux"
        },
        "os.version": {
            "value": "3.10.0-1062.12.1.el7.x86_64"
        }
    },
    "counters": {
        "net.shibboleth.idp.authn.ldap.successes": {
            "count": 37
        }
    },
    "histograms": {},
    "meters": {},
    "timers": {}
}

访问控制

默认情况下,idp 的状态监控接口仅允许本地访问,如果需要被其他地方访问的话,则需要增加 acl 设置。修改 conf/access-control.xml 配置文件,增加允许的 ip 地址

        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
        </entry>

results matching ""

    No results matching ""