Configuring Bacularis

Installation wizard

The Bacularis initial wizard helps you install the API and Web components and connect them together. In the wizard you can choose whether to enable the API service for this instance and/or the web interface.

To use the Bacularis web interface with a local API host, you need to configure at least the following in the wizard:

  • access to the Bacula Catalog database,

  • access to the Bacula console (bconsole).

The other API features, such as the capability to configure Bacula (with the Bacula JSON tools) and the component actions (start/stop/restart), can be configured to provide additional Bacularis Web functions, but they are not mandatory.

Bacula Catalog database access

PostgreSQL

For PostgreSQL the supported authentication methods in pg_hba.conf are:

  • scram-sha-256

  • md5

  • trust

The suggested method is scram-sha-256, which has been supported since PostgreSQL version 10. If you are not able to connect using this method, please make sure that your password is stored in the scram-sha-256 format. You can check it, for example, with this SQL query:

SELECT rolpassword FROM pg_authid WHERE rolname = 'YOUR_DB_USER';

If your password is in the MD5 format, please make sure that the password_encryption directive in the postgresql.conf file is set to scram-sha-256.

password_encryption = 'scram-sha-256'

After changing it, you need to set the Bacula database user password once again.

The remaining authentication methods (md5 and trust) work with Bacularis just as well as scram-sha-256, but they are less secure.
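To show what the rolpassword value returned by the query above looks like in each format, the following added example (not part of the Bacularis documentation) builds an MD5 and a SCRAM-SHA-256 value the way PostgreSQL stores them, classifies them, and lists the roles whose password still has to be set again. The role names, password and salt are constructed, and an ASCII password is assumed.

```python
import base64
import hashlib
import hmac
import re

SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")

def scram_verifier(password, salt, iterations=4096):
    """Value PostgreSQL stores for scram-sha-256 (ASCII password assumed)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    salt64, stored64, server64 = (base64.b64encode(part).decode()
                                  for part in (salt, stored_key, server_key))
    return f"SCRAM-SHA-256${iterations}:{salt64}${stored64}:{server64}"

def md5_verifier(password, role):
    """Legacy value: 'md5' + md5(password + role name); no random salt, one round."""
    return "md5" + hashlib.md5((password + role).encode()).hexdigest()

def classify(rolpassword):
    """Name the format of a pg_authid.rolpassword value."""
    if rolpassword is None:
        return "no-password"
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    if MD5_RE.match(rolpassword):
        return "md5"
    return "unknown"

def roles_needing_reset(rows):
    """Roles still stored as MD5: their password has to be set again."""
    return [role for role, stored in rows if classify(stored) == "md5"]

# Constructed rows as the page's query would return them (names, password, salt made up).
SAMPLE_ROWS = [
    ("bacula", md5_verifier("example-password", "bacula")),
    ("bacularis", scram_verifier("example-password", b"constructed-salt")),
    ("reporting", None),
]

if __name__ == "__main__":
    for role, stored in SAMPLE_ROWS:
        print(f"{role:10} {classify(stored)}")
    print("set the password again for:", roles_needing_reset(SAMPLE_ROWS))
```

Two roles with the same name and password get the same MD5 value on every server, while the SCRAM value changes with the random salt.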

SUDO setting

To complete the Bacularis wizard, you may need to add sudo security policies for bconsole and the Bacula JSON tools. Inside the wizard you can get this sudo configuration adjusted to the paths typed in the wizard fields. You can find it under the Get sudo configuration links on the wizard steps. Please write the ready sudo configuration to a file in this location:

/etc/sudoers.d/bacularis-api

An example sudoers configuration for the Apache web server on CentOS/RHEL may look like this:

Defaults:apache !requiretty
apache ALL = (root) NOPASSWD: /usr/sbin/bconsole
apache ALL = (root) NOPASSWD: /usr/sbin/bdirjson
apache ALL = (root) NOPASSWD: /usr/sbin/bsdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bfdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bbconsjson
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-fd
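
Before installing a sudoers file for the web server user, it is worth checking that it grants nothing beyond the commands listed above. The following added example (not part of the Bacularis documentation) audits a sudoers drop-in against an allow-list taken from the example on this page. The sample input is constructed, and the paths are assumptions to adjust to what the wizard generated for your system.

```python
import re

# Allow-list built from the example sudoers file on this page (adjust paths as needed).
ALLOWED_TOOLS = {"/usr/sbin/bconsole", "/usr/sbin/bdirjson", "/usr/sbin/bsdjson",
                 "/usr/sbin/bfdjson", "/usr/sbin/bbconsjson"}
SYSTEMCTL = "/usr/bin/systemctl"
ALLOWED_ACTIONS = {"start", "stop", "restart"}
ALLOWED_UNITS = {"bacula-dir", "bacula-sd", "bacula-fd"}
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(?:(\w+):\s*)?(.+)$")

def audit_sudoers(text, web_user="apache"):
    """Return (line number, problem) pairs for rules broader than the allow-list."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("#include", "@include")):
            findings.append((number, "pulls in another sudoers file"))
            continue
        if not line or line.startswith(("#", "Defaults")):
            continue
        match = RULE_RE.match(line)
        if not match:
            findings.append((number, "line is not a simple user rule"))
            continue
        user, _host, runas, _tag, command = match.groups()
        argv = command.split()
        if user != web_user:
            findings.append((number, f"rule is for {user}, not {web_user}"))
        if runas.strip() != "root":
            findings.append((number, f"runs as ({runas}) instead of (root)"))
        if argv[0] == "ALL" or any(ch in command for ch in "*?[,"):
            findings.append((number, "ALL, wildcard or command list"))
        elif argv[0] == SYSTEMCTL:
            if len(argv) != 3 or argv[1] not in ALLOWED_ACTIONS or argv[2] not in ALLOWED_UNITS:
                findings.append((number, f"systemctl call not in allow-list: {command}"))
        elif command not in ALLOWED_TOOLS:
            findings.append((number, f"command not in allow-list: {command}"))
    return findings

# Constructed sample: two rules in the style of the page's example, then two that are too broad.
SAMPLE = """Defaults:apache !requiretty
apache ALL = (root) NOPASSWD: /usr/sbin/bconsole
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart *
apache ALL = (ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE), sep="\n")
```

Syntax checking is a separate step: run visudo -cf /etc/sudoers.d/bacularis-api after writing the file.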

Authentication

Note

It is recommended to enable encrypted HTTPS connections with TLS certificates on the Bacularis Web and Bacularis API web servers. When the connection is unencrypted, Bacularis cannot guarantee security. Plain HTTP should only be used in Bacularis for testing purposes. To see how to enable encrypted connections, please visit the Enable SSL section.

Bacularis API

Basic

Basic is the only authentication method available in the Bacularis API. It provides a simple and minimal way to access both the API resources and the API panel. This authentication can be configured at the start, in the initial Bacularis configuration wizard.

Bacularis Web

All authentication methods can be set up on the Security page of the Bacularis Web interface.

Basic

Basic is an authentication method that is implemented natively by Bacularis. To make it work, you can use the default Bacularis users file or provide your own users file. You can choose the hash algorithm used to store password hashes: APR1-MD5, SHA-1, SHA-256, SHA-512, SSHA (salted SHA-1), BCrypt.

Local user

This is the default authentication method. This type of authentication is implemented by an HTML form in the Bacularis Web. It uses the internal Bacularis users file. Password hashes are stored using the APR1-MD5 hash algorithm.

LDAP

The Bacularis Web can connect to the LDAP server to authenticate LDAP users. This method is implemented by an HTML form in the Bacularis Web.

Here is a guide about configuring the LDAP authentication:


Two-factor authentication

For the local user and LDAP authentication methods, it is possible to enable two-factor authentication (2FA) to make the authentication process stronger. It uses an authenticator app (mobile or desktop) that generates 6-digit one-time codes to type in at the second step of the authentication.

2FA can be enabled on the user account settings page, available in the main sidebar menu at the top. On this page there is the Security tab, where you can find a checkbox to enable two-factor authentication.

Please note that 2FA is not available for the Basic authentication method.

Below you can find a short video guide about how to use 2FA in Bacularis.

Authorization

Note

It is recommended to enable encrypted HTTPS connections with TLS certificates on the Bacularis Web and Bacularis API web servers. When the connection is unencrypted, Bacularis cannot guarantee security. Plain HTTP should only be used in Bacularis for testing purposes. To see how to enable encrypted connections, please visit the Enable SSL section.

OAuth2

General information

Bacularis API

To obtain access tokens, the OAuth2 implementation in the Bacularis API uses the Authorization Code Grant flow.

  • Authorization URL: /oauth/authorize

  • Access Token URL: /oauth/token

Note

The Bacularis API does not use refresh tokens. After the token expires, the client application has to re-authorize.

The authorization code expire time is 7 seconds and the access token expire time is 1 hour. You can change these default values in the file:

bacularis/protected/Common/Modules/OAuth2.php

You can find there the following constants:

  • AUTHORIZATION_ID_EXPIRES_TIME,

  • ACCESS_TOKEN_EXPIRES_TIME.

To learn about the Bacularis API endpoints, please visit the Bacularis API documentation.
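
The lifetimes above shape how a client has to behave: the code must be exchanged within seconds, and an expired token means a full new authorization run. The following added example (not Bacularis code) sketches that client-side bookkeeping. The request parameter names are the standard ones from RFC 6749 and are assumed to apply here, and the API host, client ID, scope names and code values used with it are constructed.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 7        # seconds: default authorization code lifetime (from this page)
TOKEN_LIFETIME = 3600    # seconds: default access token lifetime (from this page)

class ApiSession:
    """Client-side bookkeeping for one Authorization Code Grant run."""

    def __init__(self, api_base, client_id, redirect_uri, scope, clock=time.time):
        self.api_base, self.client_id = api_base.rstrip("/"), client_id
        self.redirect_uri, self.scope, self.clock = redirect_uri, scope, clock
        self.state = self.code_received_at = self.token_expires_at = None

    def authorization_url(self):
        """URL the user's browser is sent to; 'state' ties the callback to it."""
        self.state = secrets.token_urlsafe(16)
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": self.redirect_uri, "scope": self.scope,
                           "state": self.state})
        return f"{self.api_base}/oauth/authorize?{query}"

    def handle_callback(self, callback_url):
        """Check the redirect and return the form fields for POST /oauth/token."""
        params = parse_qs(urlparse(callback_url).query)
        returned = params.get("state", [""])[0]
        if self.state is None or not secrets.compare_digest(
                returned.encode(), self.state.encode()):
            raise ValueError("state mismatch: callback is not for this request")
        if "code" not in params:
            raise ValueError("callback carries no authorization code")
        self.state, self.code_received_at = None, self.clock()  # state is single use
        # The client secret is added when the request is sent, not kept here.
        return {"grant_type": "authorization_code", "code": params["code"][0],
                "redirect_uri": self.redirect_uri, "client_id": self.client_id}

    def code_usable(self):
        """False once the code has aged past its lifetime; start over then."""
        return self.clock() - self.code_received_at < CODE_LIFETIME

    def token_stored(self, expires_in=TOKEN_LIFETIME):
        """Record when the access token just received will expire."""
        self.token_expires_at = self.clock() + expires_in

    def needs_reauthorization(self):
        """No refresh tokens: an expired token means a new authorization run."""
        return self.token_expires_at is None or self.clock() >= self.token_expires_at
```

The clock argument exists so the timing logic can be exercised with a fake clock; the code's age is measured from when the client receives it, so the server-side limit is reached slightly earlier.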

Bacularis Web

The OAuth2 callback URL (the redirect URI parameter) in the Bacularis Web for the bacularis host is the following:

https://bacularis:9097/web/redirect

Enabling OAuth2

By default, the Bacularis API uses basic authentication. Enabling OAuth2 authorization gives additional features such as:

  • access to the Bacularis API with secure tokens,

  • OAuth2 scopes to limit access to API endpoints by endpoint type (/jobs/, /clients/… and so on).

Enable OAuth2 in API

To enable OAuth2, please switch the Bacularis API into the OAuth2 mode. You can do it in the Bacularis API panel, as shown in the following image:

../_images/bacularis_enable_oauth2.png

Create admin OAuth2 client params

You need to create the admin OAuth2 client account that the Bacularis Web will use to connect to the Bacularis API. You can create it in the Bacularis API admin panel, as shown in the following images:

../_images/bacularis_api_oauth2_1.png

../_images/bacularis_api_oauth2_2.png

Connect Bacularis Web using OAuth2 method

Now you can connect the Bacularis Web to the Bacularis API using the OAuth2 authorization method in the Bacularis Web.

First, in the Bacularis Web, please go to the API hosts tab on the Security page and edit the existing API host there.

../_images/bacularis_web_oauth2_1.png

Please switch the method to OAuth2 and copy the OAuth2 client account parameters (Client ID, Client secret…) from the API panel to this form.

../_images/bacularis_web_oauth2_2.png

Users

The Bacularis Web provides a multi-user interface that uses roles (RBAC, role-based access control) to determine which Bacularis Web pages are available to individual users. Both users and roles can be set on the Bacularis Web Security page. You can find more information about this function in the Access to pages chapter.

Besides restricted page access, it is also possible to assign dedicated Bacula resources (jobs, clients, storages, etc.) to users. This way each user (or a user group) can have access to a restricted set of Bacula resources. This feature uses the Bacula Console ACL functions. To set up this type of restricted access, please visit the Access to Bacula resources chapter.

Autochanger management

The autochanger management in Bacularis provides functions like:

  • load tape to tape drives

  • unload tape from tape drives

  • label tapes using barcodes

  • move tapes to import/export slots

  • release single import/export slot

  • release all import/export slots at once

  • update slots using barcodes

  • update slots by scanning tape labels written onto volume

Automatic autochanger configuration

Since version 4.4.0, a tape storage wizard is available in Bacularis Web. It lets you configure tape devices in the following cases:

  • when you don’t have the autochanger configured and you want to add it both to Bacula and Bacularis,

  • when you have the autochanger already configured in Bacula and you would like to use it with Bacularis (autochanger management),

  • when you would like to add a single tape drive to Bacula.

The tape storage wizard is the recommended way of adding the autochanger to Bacula and to Bacularis management.

Video guide about adding autochanger management to Bacularis


Video guide about adding autochanger to Bacula and Bacularis


Video guide about adding single tape drive to Bacula

Manual autochanger configuration

If you can’t use the tape storage wizard to add the autochanger, you can try the manual way of adding it to Bacularis management.

To use in Bacularis an autochanger configured in Bacula, please add the autochanger device and tape drives in the Bacularis API panel on the page named Devices. To use the autochanger management in Bacularis Web, the Autochanger name in the Storage Daemon config must be the same as the autochanger name in the Bacularis API, as shown in the image below.

../_images/bacularis_autochanger_same_names.png

After adding the autochanger and tape drives to the Bacularis API, on the Bacularis Web side please go to the Storage page and select the autochanger device there. Changer and drive management is available there on the tab called Manage autochanger.

Multiple API hosts

The Bacularis Web is designed to work with API hosts. It can work with one API host or with many API hosts. It is also possible to assign more than one API host to a user. This way one user can manage their own API hosts using the same Bacularis Web interface.

The figure below shows an example Bacularis host topology with one Bacularis Web and two Bacularis API instances. One Bacularis API can be used for regular administration work with backups, restores, clients and so on. The second one can be used for managing a connected tape autochanger.

../_images/bacularis_multiple_api_hosts.png

Multiple API hosts can be used in many ways. You can use them, for example, for:

  • managing Bacula director, file daemon, storage daemon and console configuration on remote Bacula hosts,

  • working with multiple Bacula server instances,

  • managing Autochanger (slots, tapes, load, unload, move from/to import/export slots, label barcodes, update slots and others),

  • restarting remote Bacula components by Bacularis API actions (start, stop, restart),

  • managing Bacula component software (install/upgrade/remove).

You can find more information about working with multiple API hosts in the Remote host management manual.