Configuring Bacularis#
Installation wizard#
The Bacularis initial wizard helps installing and connecting API and Web components together. In the wizard you can choose if you want to enable API service for this instance and/or if you want to enable web interface.
To use the Bacularis web interface option with local API host, you need to configure in the wizard at least:
access to the Bacula Catalog database,
access to the Bacula console (
bconsole
).
For the other API features as a capability to configure Bacula (with Bacula JSON tools) and component actions (start/stop/restart) they can be configured to provide the additional Bacularis Web’s functions but it is not mandatory.
Bacula Catalog database access#
PostgreSQL
For PostgreSQL the supported authentication methods in pg_hba.conf
are:
scram-sha-256
md5
trust
The suggested method is scram-sha-256
, which is supported since PostgreSQL
version 10
. If you are not able to connect using this method, please make
sure that your password is stored in scram-sha-256
format. You can do it
for example by this SQL query:
SELECT rolpassword FROM pg_authid WHERE rolname = 'YOUR_DB_USER';
If your password is in the MD5
format, please make sure that you have set
in postgresql.conf
file password_encryption
directive set to
scram-sha-256
.
password_encryption = 'scram-sha-256'
After changing it there is needed to set the Bacula database user password once again.
For the rest authentication methods (md5
and trust
) they work with
Bacularis the same well as scram-sha-256
but they are less secure.
SUDO setting#
To complete the Bacularis wizard, you may need to add sudo
security
policies for bconsole
and Bacula JSON tools. Inside the wizard you will be
able to get this sudo configuration adjusted to paths typed in the wizard
fields. You can find it under Get sudo configuration links on the wizard
steps. Ready sudo
configuration please write in a file in location:
/etc/sudoers.d/bacularis-api
An example sudoers
configuration for the Apache web server on CentOS/RHEL
may look like this:
Defaults:apache !requiretty
apache ALL = (root) NOPASSWD: /usr/sbin/bconsole
apache ALL = (root) NOPASSWD: /usr/sbin/bdirjson
apache ALL = (root) NOPASSWD: /usr/sbin/bsdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bfdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bbconsjson
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-fd
Authentication#
Note
It is recommended to enable encrypted HTTPS connection with TLS certificates in the Bacularis Web and Bacularis API web servers. When the connection is unencrypted, Bacularis cannot guarantee security. The HTTP method in Bacularis should only be used for testing purposes. To see how to enable encrypted connection, please visit Enable SSL section.
Bacularis API#
Basic
Basic is the only authentication method available in the Bacularis API. It provides a simple and minimal way to access both API resources and API panel. This authentication can be configured on start in the initial Bacularis configuration wizard.
Bacularis Web#
All authentication methods are available to setup on the Security page of the Bacularis Web interface.
Basic
Basic is an authentication method which is natively realized by Bacularis. To make it working you can use default Bacularis users file or provide your own users file. There is possible to choose hash algorithm to store password hashes: APR1-MD5, SHA-1, SHA-256, SHA-512, SSHA (salted SHA-1), BCrypt.
Local user
It is default authentication method. This type of authentication is realized by HTML form in the Bacularis Web. It uses internal Bacularis users file. Password hashes are stored using APR1-MD5 hash algorithm.
LDAP
The Bacularis Web can connect to the LDAP server to authenticate LDAP users. This method is realized by a HTML form in the Bacularis Web.
Here is a guide about configuring the LDAP authentication:
Two-factor authentication
For the local user authentication and the LDAP authentication methods there is possible to enable two-factor authentication (2FA) to make the authentication process stronger. It uses an authenticator app (mobile or desktop) that generates 6-digit one-time codes to type in the secons step of the authentication.
Enabling 2FA is available on the user account settings page in the main sidebar menu at the top. In this page is the Security tab where you can find a checkbox to enable the two-factor authentication.
Please note that 2FA is not available for the Basic authentication method.
Below you can find mini video guide about how to use 2FA in Bacularis.
Users#
The Bacularis Web provides a multi-user interface that uses roles (RBAC - role-based access control) to determine available the Bacularis Web pages for individual users. Both users and roles can be set on the Bacularis Web Security page. More information about this function you can find in Access to pages chapter.
Besides of restricted pages access there is also possible to assign dedicated Bacula resources (jobs, clients, storages …etc.) to users. This way each user (or an user group) can access to restricted Bacula resources. This feature uses a Bacula Console ACL functions. To setup this type of restricted access, please visit Access to Bacula resources chapter.
Autochanger management#
The autochanger management in Bacularis provides functions like:
load tape to tape drives
unload tape from tape drives
label tapes using barcodes
move tapes to import/export slots
release single import/export slot
release all import/export slots at once
update slots using barcodes
update slots by scanning tape labels written onto volume
Automatic autochanger configuration#
Since version 4.4.0
in Bacularis Web is available a tape storage wizard.
It enables to configure the tape devices in cases:
when you don’t have the autochanger configured and you want to add it both to Bacula and Bacularis.
when you have the autochanger already configured in Bacula and you would like to use it with Bacularis (autochanger management)
when you would like to add a single tape drive to Bacula
The tape storage wizard is the recommended way of adding the autochanger to Bacula and to Bacularis management.
Video guide about adding autochanger management to Bacularis
Video guide about adding autochanger to Bacula and Bacularis
Video guide about adding single tape drive to Bacula
Manual autochanger configuration#
If you can’t use the tape storage wizard to add the autochanger, you can try the manual way of adding it to Bacularis management.
To use in Bacularis an autochanger configured in Bacula, please add autochanger
device and tape drives on the Bacularis API panel using page named Devices
.
For using the autochanger management in Bacularis Web, Autochanger name in the
Storage Daemon config must be the same as autochanger name in Bacularis API, as
shown on image below.
After adding autochanger and tape drives to Bacularis API, on the Bacularis Web
side please go to page Storage
and select there the autochanger device.
Changer and drives management is available there on tab called Manage
autochanger
.
Multiple API hosts#
The Bacularis Web is designed to work with API hosts. It can work with one API host and with many API hosts. There is also possible to assign more API hosts than one to users. This way one user can manage his own API hosts using the same Bacularis Web interface.
On the figure below we can see example Bacularis hosts topology with one Bacularis Web and two Bacularis API instances. One Bacularis API can be used for regular administration work with backups, restores, clients and so on. The second one can be used for managing connected tape autochanger.
There can be many usages of multiple API hosts. You can use them for example for:
managing Bacula director, file daemon, storage daemon and console configuration on remote Bacula hosts,
working with multiple Bacula server instances,
managing Autochanger (slots, tapes, load, unload, move from/to import/export slots, label barcodes, update slots and others),
restarting remote Bacula components by Bacularis API actions (start, stop, restart),
managing Bacula component software (install/upgrade/remove).
More information about working with multiple API hosts you can find in the Remote host management manual.