Galvanometer
The AMPS Galvanometer provides an extensive set of visualizations of the state of the instance. Galvanometer also provides the ability to query the instance and display the results.
Using TLS/SSL with Galvanometer
When the Admin interface is configured to use TLS/SSL, Galvanometer will also use TLS/SSL with the certificate and key file specified.
For the replication graph to be correctly displayed, the instances that replicate to each other must either all use TLS/SSL for the Admin interface or none of the instances can use TLS/SSL for the Admin interface.
If some of the instances in the replication graph use TLS/SSL for the Admin interface and some do not, the information shown in the replication graph will be incomplete.
Authorization and Entitlement in Galvanometer
In order to enable Galvanometer to provide credentials to the AMPS instance (in case it is required to access AMPS monitoring information), the special WWWAuthenticate option is supported. This option specifies how credentials will be provided to AMPS.
The option can have the following values:
Negotiate (Kerberos)
NTLM
Basic realm="<SECURITY_DOMAIN>" (Basic Auth)
When using Negotiate or NTLM, Galvanometer will automatically supply corresponding authorization tokens to AMPS. If Basic Auth is used for authorization, the Login/Password dialog will require a user to enter credentials.
Using Anonymous Paths
The AnonymousPaths option allows Galvanometer to bypass authentication and/or entitlement for Admin paths that match a regular expression. For resources that match the AnonymousPaths option, the Admin interface does not require authentication and does not check entitlements.
The most common use of AnonymousPaths is to allow Galvanometer to correctly display the replication graph when the instance is configured to use Negotiate or NTLM for authorization. Galvanometer determines the replication graph by polling the instances that participate in replication. Since most browsers disallow sending cross-domain authorization tokens, it is necessary to provide access to replication paths without requiring authorization for Galvanometer to be able to display the replication graph. For installations that use Negotiate or NTLM, Galvanometer may not be allowed to construct a replication graph if this option is not set.
AnonymousPaths can also be used to provide access to a specific resource, without allowing access to any other information in the Admin interface. For example, an instance might specify ^/amps$ for unauthenticated users to be able to verify that the instance is running and processing Admin requests, but without allowing those users to obtain any other data about the instance.
The following example shows how to add an AnonymousPaths directive that allows any connection to access replication information about the instance.
The AnonymousPaths option is disabled by default.
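An added example (not from the AMPS documentation or its vendor's code): a small Python check that shows which Admin paths a candidate AnonymousPaths regular expression would open to unauthenticated users, comparing the ^/amps$ pattern mentioned above with less tightly anchored variants. The path list and the replication pattern are constructed for illustration, and unanchored-search matching is an assumption about how the option applies the expression.

```python
import re

# Constructed sample of Admin resource paths, for illustration only;
# substitute the paths your own instance actually serves.
SAMPLE_PATHS = [
    "/amps",
    "/amps/instance",
    "/amps/instance/replication",
    "/amps/instance/replication/downstream-1",
    "/amps/instance/clients",
    "/amps/host",
    "/backup/amps",
]


def exposed(pattern, paths=SAMPLE_PATHS):
    """Paths the pattern would open to unauthenticated users.

    Assumption: the pattern is applied as an unanchored regex search, so
    only explicit ^ and $ pin it to the start and end of the path.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def audit(pattern, intended, paths=SAMPLE_PATHS):
    """Compare what a pattern exposes with what the operator meant to expose."""
    hit = exposed(pattern, paths)
    return {
        "exposed": hit,
        "unintended": [p for p in hit if p not in intended],
        "missed": [p for p in intended if p not in hit],
    }


if __name__ == "__main__":
    health = {"/amps"}
    repl = {"/amps/instance/replication", "/amps/instance/replication/downstream-1"}
    for pattern, intended in [
        ("^/amps$", health),                    # the liveness pattern from the text
        ("/amps", health),                      # same intent, anchors forgotten
        ("^/amps/instance/replication", repl),  # hypothetical replication pattern
        ("replication", repl),                  # substring match, no anchors
    ]:
        report = audit(pattern, intended)
        print(f"{pattern!r}: exposed={len(report['exposed'])} "
              f"unintended={report['unintended']} missed={report['missed']}")
```

Because matching paths skip both authentication and entitlement checks, any entry in "unintended" is a resource readable by anyone who can reach the Admin port.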
Make Replication Page Work with NTLM / Negotiate Authentication
Using Negotiate or NTLM for authorization and/or entitlement prevents Galvanometer from correctly displaying replication graphs: access to the destination AMPS instances is forbidden, because most browsers disallow sending the cross-domain authorization tokens that are required to authorize AJAX data requests from a browser.
Enabling Queries and Subscriptions in Galvanometer
Much of the functionality available in Galvanometer uses the basic monitoring interface.
Galvanometer submits queries and subscriptions to AMPS using the websocket protocol. To use these functions in Galvanometer, you must provide the name of a Transport of type websocket for Galvanometer to use.
For example, the following directive specifies that Galvanometer will use the Transport with the Name of websocket-any to submit commands to AMPS.
The configuration block above requires that the AMPSConfig file contains a Transport with the Name of websocket-any of Type websocket.
When this configuration item is specified, Galvanometer will enable the query and subscription capabilities, and submit commands to AMPS over the specified Transport.
For example, the websocket-any transport referenced in the snippet above might be defined as follows:
Notice that Galvanometer connects as a client using this Transport. There is no special transport or protocol for Galvanometer, and the security configured for the instance (or the Transport) applies to Galvanometer.
If the Transport is configured to use TLS/SSL, it must use certificates signed by a certificate authority (CA) known to the browser that will be used to access AMPS. For security reasons, browsers disallow self-signed certificates by default. This means that, although a client application may be able to connect, a browser will not allow a websocket connection to a transport that uses a self-signed certificate.
Queries and Subscriptions with Basic Auth in Galvanometer
When Basic Auth is used for authorization and entitlement, an additional option TrustedAdmin allows Galvanometer to use a valid session cookie created after successful authorization to the Admin API for queries and subscriptions. This option forces AMPS to reuse credentials supplied by Galvanometer for websocket connections created by Galvanometer.
TrustedAdmin is only supported by the websocket-based protocols and is disabled by default.
Disabling Galvanometer
Galvanometer is enabled in the monitoring interface by default. To disable Galvanometer, add the following directive to the Admin configuration block:
Disabling Galvanometer with this configuration item has no effect on the basic monitoring interface.