Examples

Introduction

In the previous sections of this Users chapter you learned how to configure restricted access for users on three levels: pages, Bacula resources and functions. This section gives examples of configuring users with limited access that use these three levels and mix them together.

Tape operator example

You may need to set up access in Bacularis for a person responsible for managing tape devices in the backup infrastructure. In this case you may not want to give this person full administrative access to all Bacula resources, but only restricted access to the Bacula resources specific to tape devices, such as Volumes, Pools or Storage. Let’s see how to set up this access. We will configure it manually (without the wizard), which lets you tune the access in every detail to your needs.

Step 1

Create a new role for the tape operator. Let’s call it the TapeOperator role. To do so, go to Page: Security => Tab: Roles => Button: Create new role. In the role field you can select resources, which in this case are just the pages that the tape operator user will have access to. They can be the following:

  • PoolList - that gives access to the pool list page

  • PoolView - that gives access to the detailed single pool view page

  • StorageList - that gives access to the storage list page

  • StorageView - that gives access to the single storage view page

  • VolumeList - that gives access to the volume list page

  • VolumeView - that gives access to the detailed single volume view page

Step 2

Create a Console resource where you define which Bacula resources the tape operator should have access to. To do so, go to Page: Security => Tab: Console ACLs => Button: Create new console. Type a console name such as TapeOperatorConsole, generate a password and select the Bacula resources this user should have access to. In this case they are the Storage resources used for the tape devices and the Pool resources with tapes. You also have to set your Catalog name in the CatalogAcl directive, or just select the *all* value, which means “all Catalogs”.

The CommandAcl directive for the tape operator needs at minimum the following commands:

  • gui - internal command

  • .api - internal command

  • .status - for getting the storage status

  • .storage - for listing storage resources for user

  • .pool - for listing pool resources for user

  • delete - for deleting volumes

  • show - to get basic Storage and Pool configuration

  • mount - for mounting volumes

  • umount - for umounting volumes

  • release - for releasing volumes

  • label - for labeling volumes

  • update - for updating slots in autochanger

    ../_images/bacularis_tape_operator_console_settings.png

Step 3

Create an API user account for connections with the web interface. Access to resources will be restricted through this connection. You can use either an API basic user account or, if you use OAuth2 in the API, an OAuth2 client account. In this example we use API basic users. To create this account, go to Page: Security => Tab: API basic users => Button: Add new API basic user, type the username and password, and tick the checkbox labelled Create dedicated Bconsole config file. In the Console ACL combobox select the Console created in Step 2, that is, the Console named TapeOperatorConsole. Save this new account.

Step 4

Create a new API host connection. This connection will use the basic user credentials that were created in Step 3. The API host connection can be created in Page: Security => Tab: API hosts => Button: Add new API host. You need to provide all connection parameters to the API host. In the API login and API password fields, type the credentials defined in Step 3.

Step 5

Now you are ready to create the Bacularis web interface user that the tape operator will use to log in to the web interface and manage tapes. This account can be created in Page: Security => Tab: Users => Button: Add new user. Fill in the required fields and, in the Roles field, select the TapeOperator role created in Step 1. In the API hosts field, select the API host created in Step 4.

Step 6

If you would not like to give this tape operator user access to the storage daemon configuration resources, it might be a good idea to set all Bacula component resource access for this user to read-only or no access. To do so, go to Page: API Panel => Page: Basic users => [Select your API user] => Button: Edit. There you can restrict which Bacula resources, if any, the user should have access to.

That is all. Now you can do a test with the tape operator account. After a successful login, you should see a web interface similar to this one (example with the autochanger management function):

../_images/bacularis_tape_operator_web_interface.png
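
As an added example (not part of the Bacularis documentation or code), the following script checks a Console resource against the minimum CommandAcl list from Step 2 and reports commands that are missing or granted beyond it. The resource text, the storage and pool names and the extra run command are constructed sample values; the parser assumes the plain Console { ... } layout of a Director configuration file.

```python
import re

# Minimum CommandAcl for the tape operator, as listed in Step 2 above.
TAPE_OPERATOR_MIN = {
    "gui", ".api", ".status", ".storage", ".pool", "delete", "show",
    "mount", "umount", "release", "label", "update",
}

def parse_console(conf_text, console_name):
    """Return {directive: [values]} for the named Console resource, or None."""
    for body in re.findall(r"(?is)\bConsole\s*\{(.*?)\}", conf_text):
        acl = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop trailing comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            # Bacula ignores case and spaces in directive names.
            key = key.replace(" ", "").lower()
            values = [v.strip().strip('"') for v in value.split(",") if v.strip()]
            acl.setdefault(key, []).extend(values)  # directives may repeat
        if acl.get("name") == [console_name]:
            return acl
    return None

def audit_command_acl(acl, allowed=TAPE_OPERATOR_MIN):
    """Compare a Console's CommandAcl with the expected minimum set."""
    granted = {c.lower() for c in acl.get("commandacl", [])}
    return {
        "missing": sorted(allowed - granted),   # operator tasks that would fail
        "extra": sorted(granted - allowed),     # privileges beyond the minimum
        "wildcard": "*all*" in granted,         # every command allowed
    }

# Constructed sample: a Console resource with one command too many ("run").
SAMPLE_CONF = '''
Console {
  Name = "TapeOperatorConsole"
  Password = "placeholder-not-a-real-secret"
  CatalogAcl = *all*
  StorageAcl = "Autochanger1"      # hypothetical storage name
  PoolAcl = "TapePool"             # hypothetical pool name
  CommandAcl = gui, .api, .status, .storage, .pool, delete, show
  CommandAcl = mount, umount, release, label, update, run
}
'''

if __name__ == "__main__":
    print(audit_command_acl(parse_console(SAMPLE_CONF, "TapeOperatorConsole")))
```

An empty "missing" list together with an empty "extra" list means the console grants exactly the commands listed in Step 2.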

Regular user example

Another type of user that you may need to give access to Bacularis is one who is not a backup administrator or operator, but simply an employee of your company, or a customer of your company if you provide the Bacularis interface to customers. These users usually should have access to the backups belonging to their own computers. They should be able to log in to the web interface and restore only their own files to their own computers. Let’s see how this type of user could be configured.

Step 1

Create a new role for the regular users. It can be named, for example, the BackupAndRestore role. To do so, go to Page: Security => Tab: Roles => Button: Create new role. In the Resources field of the role you can select all pages that the regular user will have access to. They can be the following:

  • JobList - that gives access to the job list page

  • JobView - that gives access to the detailed single job view page

  • RestoreWizard - that gives access to the restore wizard

Alternatively, for regular users you can reuse a pre-defined role provided with Bacularis. This is a role named normal, and it gives access to the same pages as above plus a few more pages.

Step 2

Create a new API basic user (or an API OAuth2 account if you use OAuth2). This user will be used for the connection between the API host and the web interface. It can be done in Page: Security => Tab: API basic users => Button: Add new API basic user, where you type the username and password. A new API user is required every time you would like to limit access to a specific set of Bacula resources for users, so there is one API user per specific resource limit.

Step 3

Create a new API host connection. This connection uses credentials defined for the API user in Step 2. You can create the API host in Page: Security => Tab: API hosts => Button: Add new API host.

Step 4

Create a regular Bacularis web interface user. This type of user account will be used by the regular users to log in. It can be done in Page: Security => Tab: Users => Button: Add new user. In the Roles field you need to select the role created in Step 1. In the API hosts field, select the API host created in Step 3.

Step 5

Restrict the user's access to only the jobs that back up the user's computers. It can be done in Page: Security => Tab: Users => [Select user on the table] => Button: Set access. In the window that opens, select the API host and then click the radio button labelled Access to selected resources only. In the API host job list, select only the jobs that the current regular user should have access to. Don’t forget to also select at least one restore job in the job list, so that these users are able to do restores.

In that window in the Resource permissions section you can optionally switch all Bacula resources access for all Bacula components (Director, Storage, Client, Bconsole) to no access or to read-only access. Regular users usually should not have access to configuring Bacula.

After applying the changes, you can try to log in to this new user account. You should see a web interface similar to this one:

../_images/bacularis_regular_user_web_interface.png