Ray SDK for Java - AWS X-Ray

• Add the X-Ray SDK for Java's tracing ﬁlter to your servlet conﬁguration in a WebConfig class or web.xml ﬁle.

• Take the X-Ray SDK for Java's submodules as build dependencies in your Maven or Gradle build conﬁguration.

Prerequisites

You can also access the raw service map and trace data by using the AWS CLI to call the X-Ray API. The service map and trace data are JSON that you can query to ensure that your application is sending data, or to check speciﬁc ﬁelds as part of your test automation.

Sections

• Prerequisites (p. 5)

• Deploy to Elastic Beanstalk and generate trace data (p. 6)

• View the service map in the X-Ray console (p. 6)

• Conﬁguring Amazon SNS notiﬁcations (p. 9)

• Explore the sample application (p. 11)

• Optional: Least privilege policy (p. 13)

• Clean up (p. 15)

• Next steps (p. 15)

Prerequisites

This tutorial uses Elastic Beanstalk to create and conﬁgure the resources that run the sample application and X-Ray daemon. If you use an IAM user with limited permissions, add the Elastic Beanstalk managed user policy to grant your IAM user permission to use Elastic Beanstalk, and the AWSXrayReadOnlyAccess managed policy for permission to read the service map and traces in the X-Ray console.

Create an Elastic Beanstalk environment for the sample application. If you haven't used Elastic Beanstalk before, this will also create a service role and instance proﬁle for your application. A default VPC

must exist in the region you're going to deploy to or Elastic Beanstalk will fail to deploy the sample application.

To create an Elastic Beanstalk environment

1. Open the Elastic Beanstalk Management Console with this preconﬁgured link: https://

console.aws.amazon.com/elasticbeanstalk/#/newApplication?applicationName=scorekeep 2. Under the Platform section, set the Platform to Java and the Platform branch to Java 8

running on 64bit Amazon Linux.

Note

The current version of the Scorekeep application requires Java 8. You will receive a warning that Java 8 is a deprecated platform branch. While this is not recommended for production applications, you may run this sample application on Java 8 for non-production use, in order to learn about X-Ray.

3. Choose Create application to create an application with an environment running the Java 8 SE platform.

4. When your environment is ready, the console redirects you to the environment Dashboard.

5. Click the URL at the top of the page to open the site.

The instances in your environment need permission to send data to the AWS X-Ray service. Additionally, the sample application uses Amazon S3 and DynamoDB. Modify the default Elastic Beanstalk instance proﬁle to include permissions to use these services.

To add X-Ray, Amazon S3 and DynamoDB permissions to your Elastic Beanstalk environment

1. Open the Elastic Beanstalk instance proﬁle in the IAM console: aws-elasticbeanstalk-ec2-role.

2. Choose Attach Policies.

3. Attach AWSXrayFullAccess, AmazonS3FullAccess, and AmazonDynamoDBFullAccess to the role.

Deploy to Elastic Beanstalk and generate trace data

Note

Full access policies are not best practice for general use. For instructions on conﬁguring a policy with least privilege to reduce security risks, see Optional: Least privilege policy (p. 13).

Deploy to Elastic Beanstalk and generate trace data

Deploy the sample application to your Elastic Beanstalk environment. The sample application uses Elastic Beanstalk conﬁguration ﬁles to conﬁgure the environment for use with X-Ray and create the DynamoDB that it uses automatically.

To deploy the source code

1. Download the sample app: eb-java-scorekeep-xray-gettingstarted-v1.3.zip 2. Open the Elastic Beanstalk console.

3. Navigate to the management console for your environment.

4. Choose Upload and Deploy.

5. Upload eb-java-scorekeep-xray-gettingstarted-v1.3.zip, and then choose Deploy.

The sample application includes a front-end web app. Use the web app to generate traﬃc to the API and send trace data to X-Ray.

To generate trace data

1. In the environment Dashboard, click the URL to open the web app.

2. Choose Create to create a user and session.

3. Type a game name, set the Rules to Tic Tac Toe, and then choose Create to create a game.

4. Choose Play to start the game.

5. Choose a tile to make a move and change the game state.

Each of these steps generates HTTP requests to the API, and downstream calls to DynamoDB to read and write user, session, game, move, and state data.

View the service map in the X-Ray console

You can see the service map and traces generated by the sample application in the X-Ray console.

To use the X-Ray console

1. Open the service map page of the X-Ray console.

2. The console shows a representation of the service graph that X-Ray generates from the trace data sent by the application.

The service map shows the web app client, the API running in Elastic Beanstalk, the DynamoDB service, and each DynamoDB table that the application uses. Every request to the application, up to a conﬁgurable maximum number of requests per second, is traced as it hits the API, generates requests to downstream services, and completes.

View the service map in the X-Ray console

You can choose any node in the service graph to view traces for requests that generated traﬃc to that node. Currently, the Amazon SNS node is yellow. Drill down to ﬁnd out why.

To ﬁnd the cause of the error

1. Choose the node named Amazon SNS. The node details panel is displayed.

2. Choose View traces to access the Trace overview screen.

3. Choose the trace from the Trace list. This trace doesn't have a method or URL because it was recorded during startup instead of in response to an incoming request.

View the service map in the X-Ray console

4. Choose the error status icon within the Amazon SNS segment at the bottom of the page, to open the Exceptions page for the SNS subsegment.

5. The X-Ray SDK automatically captures exceptions thrown by instrumented AWS SDK clients and records the stack trace.

Conﬁguring Amazon SNS notiﬁcations

The cause indicates that the email address provided in a call to createSubscription made in the WebConfig class was invalid. Let's ﬁx that.

Conﬁguring Amazon SNS notiﬁcations

Scorekeep uses Amazon SNS to send notiﬁcations when users complete a game. When the application starts up, it tries to create a subscription for an email address deﬁned in an environment variable.

That call is currently failing, causing the Amazon SNS node in your service map to be red. Conﬁgure a notiﬁcation email in an environment variable to enable notiﬁcations and make the service map green.

To conﬁgure Amazon SNS notiﬁcations for scorekeep

1. Open the Elastic Beanstalk console.

2. Navigate to the management console for your environment.

3. Choose Conﬁguration.

4. Choose Software Conﬁguration.

5. Under Environment Properties, replace the default value with your email address.

Conﬁguring Amazon SNS notiﬁcations

Note

The default value uses an AWS CloudFormation function to retrieve a parameter stored in a conﬁguration ﬁle (a dummy value in this case).

6. Choose Apply.

When the update completes, Scorekeep restarts and creates a subscription to the SNS topic. Check your email and conﬁrm the subscription to see updates when you complete a game.

Explore the sample application

The sample application is an HTTP web API in Java that is conﬁgured to use the X-Ray SDK for Java.

When you deploy the application to Elastic Beanstalk, it creates the DynamoDB tables, compiles the API with Gradle, and conﬁgures the nginx proxy server to serve the web app statically at the root path. At the same time, Elastic Beanstalk routes requests to paths starting with /api to the API.

To instrument incoming HTTP requests, the application adds the TracingFilter provided by the SDK.

Example src/main/java/scorekeep/WebConﬁg.java - servlet ﬁlter

import javax.servlet.Filter;

import com.amazonaws.xray.javax.servlet.AWSXRayServletFilter;

...

@Configuration

public class WebConfig { @Bean

public Filter TracingFilter() {

return new AWSXRayServletFilter("Scorekeep");

}...

This ﬁlter sends trace data about all incoming requests that the application serves, including request URL, method, response status, start time, and end time.

The application also makes downstream calls to DynamoDB using the AWS SDK for Java. To instrument these calls, the application simply takes the AWS SDK-related submodules as dependencies, and the X-Ray SDK for Java automatically instruments all AWS SDK clients.

The application uses a Buildfile ﬁle to build the source code on-instance with Gradle and a

Procfile ﬁle to run the executable JAR that Gradle generates. Buildfile and Procfile support is a feature of the Elastic Beanstalk Java SE platform.

Example Buildﬁle

build: gradle build

Example Procﬁle

web: java -Dserver.port=5000 -jar build/libs/scorekeep-api-1.0.0.jar

The build.gradle ﬁle downloads the SDK submodules from Maven during compilation by declaring them as dependencies.

Example build.gradle -- dependencies

...dependencies {

compile("org.springframework.boot:spring-boot-starter-web") testCompile('org.springframework.boot:spring-boot-starter-test') compile('com.amazonaws:aws-java-sdk-dynamodb')

compile("com.amazonaws:aws-xray-recorder-sdk-core") compile("com.amazonaws:aws-xray-recorder-sdk-aws-sdk")

compile("com.amazonaws:aws-xray-recorder-sdk-aws-sdk-instrumentor") ...

}

Explore the sample application

dependencyManagement { imports {

mavenBom("com.amazonaws:aws-java-sdk-bom:1.11.67")

mavenBom("com.amazonaws:aws-xray-recorder-sdk-bom:2.11.0") }

}

The core, AWS SDK, and AWS SDK Instrumentor submodules are all that's required to automatically instrument any downstream calls made with the AWS SDK.

To run the X-Ray daemon, the application uses another feature of Elastic Beanstalk, conﬁguration ﬁles.

The conﬁguration ﬁle tells Elastic Beanstalk to run the daemon and send its log on demand.

Example .ebextensions/xray.conﬁg

The X-Ray SDK for Java provides a class named AWSXRay that provides the global recorder, a

TracingHandler that you can use to instrument your code. You can conﬁgure the global recorder to customize the AWSXRayServletFilter that creates segments for incoming HTTP calls. The sample includes a static block in the WebConfig class that conﬁgures the global recorder with plugins and sampling rules.

AWSXRayRecorderBuilder builder = AWSXRayRecorderBuilder.standard().withPlugin(new EC2Plugin()).withPlugin(new ElasticBeanstalkPlugin());

URL ruleFile = WebConfig.class.getResource("/sampling-rules.json");

builder.withSamplingStrategy(new LocalizedSamplingStrategy(ruleFile));

AWSXRay.setGlobalRecorder(builder.build());

}}

This example uses the builder to load sampling rules from a ﬁle named sampling-rules.json.

Sampling rules determine the rate at which the SDK records segments for incoming requests.

Example src/main/java/resources/sampling-rules.json

{

Optional: Least privilege policy

"version": 1, "rules": [ {

"description": "Resource creation.", "service_name": "*",

"description": "Session polling.", "service_name": "*",

"http_method": "GET",

"url_path": "/api/session/*", "fixed_target": 0,

"rate": 0.05 },

{

"description": "Game polling.", "service_name": "*",

"description": "State polling.", "service_name": "*",

"http_method": "GET",

"url_path": "/api/state/*/*/*", "fixed_target": 0,

The sampling rules ﬁle deﬁnes four custom sampling rules and the default rule. For each incoming request, the SDK evaluates the custom rules in the order in which they are deﬁned. The SDK applies the ﬁrst rule that matches the request's method, path, and service name. For Scorekeep, the ﬁrst rule catches all POST requests (resource creation calls) by applying a ﬁxed target of one request per second and a rate of 1.0, or 100 percent of requests after the ﬁxed target is satisﬁed.

The other three custom rules apply a ﬁve percent rate with no ﬁxed target to session, game, and state reads (GET requests). This minimizes the number of traces for periodic calls that the front end makes automatically every few seconds to ensure the content is up to date. For all other requests, the ﬁle deﬁnes a default rate of one request per second and a rate of 10 percent.

The sample application also shows how to use advanced features such as manual SDK client

instrumentation, creating additional subsegments, and outgoing HTTP calls. For more information, see AWS X-Ray sample application (p. 134).

Optional: Least privilege policy

You have just deployed this tutorial using the AmazonS3FullAccess and AmazonDynamoDBFullAccess security policies. Using a full access policy isn't the best practice in the long term. To improve the security

Optional: Least privilege policy

of what you deployed, follow these steps to update your permissions. To learn more about security best practices in IAM policies, see Identity and access management for AWS X-Ray.

To update your policies, ﬁrst you identify the ARNs of your Amazon S3 and DynamoDB resources. Then you use the ARNs in two custom IAM policies. Finally, you apply those policies to your instance proﬁle.

To identify your Amazon S3 resource

1. Open the Resources page of the AWS Conﬁg console.

2. Under Resource type, ﬁlter by Amazon S3 Bucket to ﬁnd the ARN of the Amazon S3 bucket that your application uses.

3. Choose the Resource identiﬁer that's attached to elasticbeanstalk.

4. Record its full Amazon resource name.

5. Insert the ARN into the following IAM policy.

Example

{ "Version": "2012-10-17", "Statement": [

"Resource": "arn:aws:s3:::elasticbeanstalk-region-0987654321"

} ] }

To identify your DynamoDB resource

1. Open the Resources page of the AWS Conﬁg console.

2. Under Resource type, ﬁlter by AWS DynamoDB Table to ﬁnd the ARN of the DynamoDB tables that your application uses.

3. Choose the Resource identiﬁer that's attached to one of the scorekeep tables.

4. Record its full Amazon resource name.

5. Insert the ARN into the following IAM policy.

Example

{ "Version": "2012-10-17", "Statement": [

"Resource": "arn:aws:dynamodb:region:1234567890:table/scorekeep-*"

}

Clean up

] }

The tables that the application creates follow a consistent naming convention. You can use the format of scorekeep-* to indicate all tables following that convention.

To change your IAM policy

1. Open the Elastic Beanstalk instance proﬁle in the IAM console: aws-elasticbeanstalk-ec2-role.

2. Remove the AmazonS3FullAccess and AmazonDynamoDBFullAccess policies from the role.

3. Choose Attach policies, and then Create policy.

4. Choose the JSON and paste in one of the policies created previously.

5. Choose Review policy.

6. For Name, assign a name.

7. Choose Create policy.

8. Assign the newly created policy to the aws-elasticbeanstalk-ec2-role.

9. Repeat for the second policy created previously.

Clean up

Terminate your Elastic Beanstalk environment to shut down the Amazon EC2 instances, DynamoDB tables, and other resources.

To terminate your Elastic Beanstalk environment

1. Open the Elastic Beanstalk console.

2. Navigate to the management console for your environment.

3. Choose Actions.

4. Choose Terminate Environment.

5. Choose Terminate.

Trace data is automatically deleted from X-Ray after 30 days.

Next steps

Learn more about X-Ray in the next chapter, AWS X-Ray concepts (p. 16).

To instrument your own app, learn more about the X-Ray SDK for Java or one of the other X-Ray SDKs:

• X-Ray SDK for Java – AWS X-Ray SDK for Java (p. 228)

在文檔中 AWS X-Ray (頁 12-23)