Configuring Bacularis

Configuring Bacularis#

Installation wizard#

The installation wizard is available by default when you first use Bacularis. It helps in installing and configuring Bacularis. In the wizard you can choose whether you want to enable API service for this instance and/or whether you want to enable the web interface. The important question to answer in the wizard is if you already have Bacula installed or not.

I have Bacula installed#

To use the Bacularis web interface with local API host, you have to configure at least the following functions in the wizard:

  • access to the Bacula Catalog database,

  • access to the Bacula console (bconsole).

Other features listed below can be configured but they not have to be configured to start working with Bacularis:

  • capability to configure Bacula (with Bacula JSON tools)

  • component actions (start/stop/restart)

They provide additional functions in Bacularis interface. Particularly the Bacula configuration feature may be useful in daily work with Bacula.

I don’t have Bacula installed#

After selecting this option you will be able to install Bacula. All the Bacularis functions (catalog, bconsole, Bacula configuration and actions) will be automatically configured to work with Bacularis. The complete instruction installing Bacula through Bacularis install wizard you can read in Install Bacula documentation chapter.

Bacula database access#

PostgreSQL

The supported authentication methods in pg_hba.conf configuration file are:

  • scram-sha-256

  • md5

  • trust

The suggested method is scram-sha-256, which is supported since PostgreSQL version 10. If you are not able to connect Bacularis using this method, please make sure that your password is stored in scram-sha-256 format. You can do it for example by this SQL query:

SELECT rolpassword FROM pg_authid WHERE rolname = 'YOUR_DB_USER';

If your password is in the MD5 format, please make sure that you have set in postgresql.conf file password_encryption directive set to scram-sha-256.

password_encryption = 'scram-sha-256'

After changing it there is needed to set the Bacula database user password once again.

For the rest authentication methods (md5 and trust) they work with Bacularis the same well as scram-sha-256 but they are less secure.

SUDO settings#

To complete the Bacularis wizard, in most cases you will need to add sudo security policies for bconsole and for the Bacula JSON tools. Inside the wizard you will be able to get ready sudo configuration adjusted to paths typed in the wizard fields. You can find it after clicking the Get sudo configuration links in the wizard steps. They look like this:

../_images/bacularis_configuration_sudo_settings_link.png

Please write the ready sudo configuration in the file in the following location:

/etc/sudoers.d/bacularis

Below is listed an example sudoers configuration for the Apache web server on CentOS/RHEL:

Defaults:apache !requiretty
apache ALL = (root) NOPASSWD: /usr/sbin/bconsole
apache ALL = (root) NOPASSWD: /usr/sbin/bdirjson
apache ALL = (root) NOPASSWD: /usr/sbin/bsdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bfdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bbconsjson
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-fd

Authentication#

Note

It is recommended to enable in Bacularis the encrypted HTTPS connection with TLS certificate. When the connection is unencrypted, Bacularis cannot guarantee security. The HTTP method in Bacularis should only be used for testing purposes. To see how to enable encrypted connection, please visit Enable SSL section.

Bacularis API#

Basic

Basic is the only authentication method available in the Bacularis API. It provides a simple and minimal way to access both API resources and API panel. This authentication can be configured in the initial Bacularis configuration wizard.

Bacularis Web#

All authentication methods are available to set up on the Security page of the Bacularis Web interface.

Basic

Basic is an authentication method which is natively realized by Bacularis. To make it working you can use default Bacularis user file (where users are stored) or provide your own user file. There is possible to choose hash algorithm to store password hashes: APR1-MD5, SHA-1, SHA-256, SHA-512, SSHA (salted SHA-1), BCrypt.

Local user

This is the default authentication method. This type of authentication is realized by HTML form in the Bacularis Web. It uses internal Bacularis user file. Password hashes are stored using APR1-MD5 hash algorithm.

LDAP

The Bacularis Web can connect to the LDAP server to authenticate LDAP users. This method is realized by a HTML form in the Bacularis Web.

Here is a guide about configuring the LDAP authentication:


Two-factor authentication

For the local user authentication and the LDAP authentication methods there is possible to enable two-factor authentication (2FA) to make the authentication process stronger. It uses an authenticator app (mobile or desktop) that generates 6-digit one-time codes to type in the secons step of the authentication.

To enable 2FA, please go to the user account settings page (user with gearwhell icon) in the main sidebar menu at the top. On this page please click the Security tab where is a checkbox to enable the two-factor authentication.

Please note that 2FA is not available for the Basic authentication method.

Below you can find a mini video guide about how to use 2FA in Bacularis.

Users#

Bacularis provides a multi-user interface that uses roles (RBAC - role-based access control). The roles determine resources/pages available for individual users with given roles assigned. Both the users and roles can be set on the Security page. More information about this function you can find in Access to pages chapter.

Besides of restricted pages access there is also possible to assign dedicated Bacula resources (jobs, clients, storages …etc.) to users. This way each user (or an user group) can access to restricted Bacula resources. This feature uses a Bacula Console ACL functions. To set up this type of restricted access, please visit Access to Bacula resources chapter.

Autochanger management#

The autochanger management in Bacularis provides functions such as:

  • load tape to tape drives

  • unload tape from tape drives

  • label tapes using barcodes

  • move tapes to import/export slots

  • release single import/export slot

  • release all import/export slots at once

  • update slots using barcodes

  • update slots by scanning tape labels written onto volume

Automatic autochanger configuration#

Since version 4.4.0 in Bacularis Web is available a tape storage wizard. It enables to configure the tape devices in cases:

  • when you don’t have the autochanger configured and you want to add it both to Bacula and Bacularis.

  • when you have the autochanger already configured in Bacula and you would like to use it with Bacularis (autochanger management)

  • when you would like to add a single tape drive to Bacula

The tape storage wizard is the recommended way of adding the autochanger to Bacula and to Bacularis management.

Video guide about adding autochanger management to Bacularis


Video guide about adding autochanger to Bacula and Bacularis


Video guide about adding single tape drive to Bacula

Manual autochanger configuration#

If you can’t use the tape storage wizard to add the autochanger, you can try the manual way of adding it to Bacularis management.

To use in Bacularis an autochanger already configured in Bacula, please add autochanger and tape drives on the Bacularis API panel using page named Devices. To use the autochanger management in Bacularis Web, the Autochanger name in the Storage Daemon config must be the same as autochanger name in Bacularis API, as shown on image below.

../_images/bacularis_autochanger_same_names.png

After adding autochanger and tape drives to Bacularis API, on the Bacularis web interface please go to the Storage page and select there the autochanger device. The changer and drives management is available there on the Manage autochanger tab.

Multiple API hosts#

The Bacularis Web is designed to work with API hosts. It can work with one API host and with many API hosts. There is also possible to assign more API hosts than one to users. This way one user can manage his own API hosts using the same Bacularis Web interface.

On the figure below we can see example Bacularis hosts topology with one Bacularis Web and two Bacularis API instances. One Bacularis API can be used for regular administration work with backups, restores, clients and so on. The second one can be used for managing connected tape autochanger.

../_images/bacularis_multiple_api_hosts.png

There can be many usages of multiple API hosts. You can use them for example for:

  • managing Bacula director, file daemon, storage daemon and console configuration on remote Bacula hosts,

  • working with multiple Bacula server instances,

  • managing Autochanger (slots, tapes, load, unload, move from/to import/export slots, label barcodes, update slots and others),

  • restarting remote Bacula components by Bacularis API actions (start, stop, restart),

  • managing Bacula component software (install/upgrade/remove).

More information about working with multiple API hosts you can find in the Remote host management manual.