Examples
Introduction
In the previous sections of this Users chapter you learned how to configure restricted access for users on three levels: pages, Bacula resources and functions. This section gives examples of configuring users with limited access that use these three levels and mix them together.
Tape operator example
You may need to set up access in Bacularis for a person responsible for managing tape devices in the backup infrastructure. In this case you may not want to give this person full administrative access to all Bacula resources, but only restricted access to the Bacula resources specific to tape devices, such as Volumes, Pools or Storage. Let’s see how to set up this access. We will configure it manually (without the wizard), which lets you tune the access in every detail to your needs.
Step 1
Create a new role for the tape operator. Let’s call it the TapeOperator role. To do it, please go to Page: Security => Tab: Roles => Button: Create new role.
In the role field you can select resources, which in this case are just the pages to which this tape operator user will have access. They can be the following:
PoolList - gives access to the pool list page
PoolView - gives access to the detailed single pool view page
StorageList - gives access to the storage list page
StorageView - gives access to the single storage view page
VolumeList - gives access to the volume list page
VolumeView - gives access to the detailed single volume view page
Step 2
Create a Console resource where you define which Bacula resources the tape operator should have access to. To do it, please go to Page: Security => Tab: Console ACLs => Button: Create new console. Type a console name such as TapeOperatorConsole, generate a password and select the Bacula resources to which this user should have access. In this case they will be the Storage resources that are used for the tape devices and the Pool resources with tapes. You also have to set your Catalog name in the CatalogAcl directive, or just select the *all* value, which means “all Catalogs”.
In the CommandAcl directive, the tape operator needs at minimum the following commands:
gui - internal command
.api - internal command
.status - for getting the storage status
.storage - for listing storage resources for the user
.pool - for listing pool resources for the user
delete - for deleting volumes
show - for getting the basic Storage and Pool configuration
mount - for mounting volumes
umount - for unmounting volumes
release - for releasing volumes
label - for labeling volumes
update - for updating slots in the autochanger
Step 3
Create an API user account for connections with the web interface. Access to resources will be restricted through this connection. You can use either an API basic user account or an OAuth2 client account if you use OAuth2 in the API. In this example we use API basic users. To create this account, please go to Page: Security => Tab: API basic users => Button: Add new API basic user, type the username and password, and tick the checkbox labeled Create dedicated Bconsole config file. In the Console ACL combobox please select the Console created in Step 2, the one named TapeOperatorConsole. Please save this new account.
Step 4
Create a new API host connection. This connection will use the basic user credentials that were created in Step 3. The API host connection can be created in Page: Security => Tab: API hosts => Button: Add new API host. You need to provide all connection parameters to the API host. In the API login and API password fields please type the credentials defined in Step 3.
Step 5
Now you are ready to create the Bacularis web interface user that the tape operator will use to log in to the web interface and manage tapes. This account can be created in Page: Security => Tab: Users => Button: Add new user. Please fill in the required fields and in the Roles field select the TapeOperator role created in Step 1. In the API hosts field please select the API host created in Step 4.
Step 6
If you would not like to give this tape operator user access to configuring the storage daemon configuration resources, it might be a good idea to set all Bacula component resource access for this user to read-only or no access. In this case please go to Page: API Panel => Page: Basic users => [Select your API user] => Button: Edit. There it is possible to restrict which Bacula resources, if any, the user should have access to.
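The CommandAcl minimum from Step 2 can also be checked against the Console resource that ends up in the Director configuration. The Python below is an added example, not part of Bacularis or Bacula; the sample Console resource is constructed, and its Storage, Pool and Catalog names and the password are placeholders.

```python
import re

# Minimum CommandAcl for the tape operator, taken from Step 2 of this page.
TAPE_OPERATOR_COMMANDS = {
    "gui", ".api", ".status", ".storage", ".pool", "delete",
    "show", "mount", "umount", "release", "label", "update",
}

# Constructed sample of a Director Console resource (all names are placeholders).
SAMPLE_CONSOLE = """
Console {
  Name = "TapeOperatorConsole"
  Password = "PLACEHOLDER-PASSWORD"
  CatalogAcl = MyCatalog
  StorageAcl = LTO-Autochanger
  PoolAcl = Tape-Full, Tape-Incr
  CommandAcl = gui, .api, .status, .storage, .pool, delete, show
  CommandAcl = mount, umount, release, label, update, run   # 'run' is extra
}
"""

def parse_acls(resource_text):
    """Collect every *Acl directive; repeated lines and comma lists are merged."""
    acls = {}
    for line in resource_text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop trailing comments
        m = re.match(r"([A-Za-z ]+?)\s*=\s*(.+)$", line)
        if not m:
            continue
        key = m.group(1).replace(" ", "").lower()      # keywords ignore case and spaces
        if key.endswith("acl"):
            values = [v.strip().strip('"') for v in m.group(2).split(",")]
            acls.setdefault(key, set()).update(v for v in values if v)
    return acls

def audit_command_acl(resource_text, allowed=TAPE_OPERATOR_COMMANDS):
    """Return (extra, missing) commands relative to the allowed minimum."""
    granted = parse_acls(resource_text).get("commandacl", set())
    commands = {c.lower() for c in granted}
    extra = commands - allowed      # "*all*" lands here: it grants every command
    missing = allowed - commands    # commands from the page's minimum not granted
    return sorted(extra), sorted(missing)

if __name__ == "__main__":
    extra, missing = audit_command_acl(SAMPLE_CONSOLE)
    print("extra commands:", extra)
    print("missing commands:", missing)
```

An empty "extra" list means the Console grants nothing beyond the commands listed in Step 2; any entry there is a privilege the tape operator role does not need.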
That is all. Now you can do a test with the tape operator account. After a successful login, you should see a web interface similar to this one (example with the autochanger management function):
Regular user example
Another type of user that you may need to give access to Bacularis is one who is not a backup administrator or operator, but simply an employee of your company, or a customer of your company if you provide the Bacularis interface to customers. These users usually should have access to the backups belonging to their computers. They should be able to log in to the web interface and restore only their own files to their own computers. Let’s see how this type of user could be configured.
Step 1
Create a new role for the regular users. It can be named, for example, the BackupAndRestore role. To do it, please go to Page: Security => Tab: Roles => Button: Create new role.
In the role field you can select in the Resources field all pages to which this user will have access. They can be the following:
JobList - gives access to the job list page
JobView - gives access to the detailed single job view page
RestoreWizard - gives access to the restore wizard
Alternatively, for regular users you can reuse a pre-defined role provided with Bacularis. This is the role named normal, and it gives access to the same pages as above plus a few more pages.
Step 2
Create a new API basic user (or an API OAuth2 account if you use OAuth2). This user will be used for the connection between the API host and the web interface. It can be done in Page: Security => Tab: API basic users => Button: Add new API basic user, where you type the username and password. Adding a new API user is required every time you would like to limit specific Bacula resources for users, so there is one API user per specific resource limit.
Step 3
Create a new API host connection. This connection uses the credentials defined for the API user in Step 2. You can create the API host in Page: Security => Tab: API hosts => Button: Add new API host.
Step 4
Create a regular Bacularis web interface user. This type of user account will be used by the regular users to log in. It can be done in Page: Security => Tab: Users => Button: Add new user. In the Roles field you need to select the role created in Step 1. In the API hosts field please select the API host created in Step 3.
Step 5
Set restricted user access only for the jobs that back up the user's computers. It can be done in Page: Security => Tab: Users => [Select user on the table] => Button: Set access.
In the opened window, please select the API host and then click the radio button labeled Access to selected resources only. In the API host job list please select only the jobs to which the current regular user should have access. Please don’t forget to also select at least one restore job in the job list, so that these users are able to do a restore.
In the Resource permissions section of that window you can optionally switch all Bacula resource access for all Bacula components (Director, Storage, Client, Bconsole) to no access or to read-only access. Regular users usually should not have access to configuring Bacula.
After applying the changes, you can try to log in with this new user account. You should see a web interface similar to this one: