Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-29 Thread Dan Langille 
> On Jan 28, 2019, at 1:19 PM, Radosław Korzeniewski 
>  wrote:
> 
> Hello Kern,
> 
> pt., 25 sty 2019 o 16:47 Kern Sibbald  > napisał(a):
> Hello guys,
> 
> Interesting conversation.  I thought I would throw in some general comments 
> of my own.
> 
> - I really like seeing another GUI for Bacula, because it is something we 
> really need.
> 
> Thank you Kern, I really appreciate your support. You are the only one who 
> sees it as an opportunity and not a threat.

I think that's unfair.

I hope you have not taken the suggestions provided here are the result of 
viewing IBAdmin as a threat. They are not.

I hope you have not taken the suggestions for improvement as an attack on 
IBAdmin. They are not.

It is relatively straight forward, I should hope, to identify the parts of the 
database you need to read and the parts you need to update.

I recently did similar for another application:

It looks something like this:

create role freshsource_ro;
GRANT SELECT ON TABLE public.commit_log TO freshsource_ro;
GRANT SELECT ON TABLE public.commit_log_elements TO freshsource_ro;
GRANT SELECT ON TABLE public.element TO freshsource_ro;
GRANT SELECT ON TABLE public.latest_commits TO freshsource_ro;
GRANT SELECT ON TABLE public.repo TO freshsource_ro;
GRANT SELECT ON TABLE public.security_notice TO freshsource_ro;
GRANT SELECT ON TABLE public.system TO freshsource_ro;
GRANT SELECT ON TABLE public.users TO freshsource_ro;
GRANT UPDATE(cookie) ON TABLE public.users TO freshsource_ro;
GRANT UPDATE(lastlogin) ON TABLE public.users TO freshsource_ro;
GRANT SELECT ON TABLE public.watch_list TO freshsource_ro;
GRANT SELECT ON TABLE public.watch_list_element TO freshsource_ro;
GRANT SELECT ON TABLE public.watch_notice TO freshsource_ro;

Then a user is created and added to that freshsource_ro role:

create user freshsource_dev with password '[redacted]' IN ROLE freshsource_ro;

Nobody sees the application itself as threat.

These are straight forward security practices which are carried out in many 
organizations, both small and large.

Best wishes.

--
Dan Langille - BSDCan / PGCon
d...@langille.org



signature.asc
Description: Message signed with OpenPGP
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-28 Thread Josip Deanovic 
On Monday 2019-01-28 19:19:56 Radosław Korzeniewski wrote:
> Thank you Kern for your opinion. As I wrote before, IBAdmin should
> support databases split without a problem. So I prepared a patch which
> support a full databases split. The patch is available in IBAdmin/split
> branch for anyone who wants to test it.
> 
> IBAdmin was not designed as an another Bacula GUI but it was designed as
> a complete solution where Bacula is the main engine. Not all the design
> goals are reached yet and requires a lot of work. But now it can be
> used as a general purpose Bacula GUI. The project started in 2015 and
> was opened to public at Jun 29, 2017 with opensource license - AGPL-3,
> basically the same as Bacula Community. Now the IBAdmin reached the
> next big goal - advanced users and permissions management with
> multitenant support which was a great opportunity to introduce it to
> all Bacula users at bacula-users and bacula-devel mailing list. The
> introduction failed. Community rejected the project.

Respect.



Kind regards!

-- 
Josip Deanovic


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-28 Thread Radosław Korzeniewski 
Hello Kern,

pt., 25 sty 2019 o 16:47 Kern Sibbald  napisał(a):

> Hello guys,
>
> Interesting conversation.  I thought I would throw in some general
> comments of my own.
>
> - I really like seeing another GUI for Bacula, because it is something we
> really need.
>

Thank you Kern, I really appreciate your support. You are the only one who
sees it as an opportunity and not a threat.


> - The BWeb GUI created by Bacula Systems, is very essential to corporate
> users.
> - The Baculum GUI created by Bacula Community (Marcin Haba -- note he also
> works
>on the Enterprise BWeb) will be very essential to large   community
> users.
> - I don't like the idea that a GUI read/write directly into the Bacula
> catalog.  If I am not mistaken
>   both BWeb and Baculum do this, but we are developing API calls and
> trying to make sure all
>   accesses go through the Bacula core code.  However, it will take more
> time to get those
>   products switched over.
>

Thank you Kern for your opinion. As I wrote before, IBAdmin should support
databases split without a problem. So I prepared a patch which support a
full databases split. The patch is available in IBAdmin/split branch for
anyone who wants to test it.

IBAdmin was not designed as an another Bacula GUI but it was designed as a
complete solution where Bacula is the main engine. Not all the design goals
are reached yet and requires a lot of work. But now it can be used as a
general purpose Bacula GUI. The project started in 2015 and was opened to
public at Jun 29, 2017 with opensource license - AGPL-3, basically the same
as Bacula Community. Now the IBAdmin reached the next big goal - advanced
users and permissions management with multitenant support which was a great
opportunity to introduce it to all Bacula users at bacula-users and
bacula-devel mailing list. The introduction failed. Community rejected the
project.


> - GUI programs designed and coded by Bacula Systems and/or Bacula
> Community will remain
>   compatible with the Bacula Catalog -- this is a given.  However
> non-Bacula GUI until we finish
>   the APIs and those programs use them, 3-rd party GUIs are almost certain
> to have problems
>   with Bacula catalog changes (the exception is IBAdmin, because Radek
> works directly with both
>   Bacula Enterprise and Bacula Community so he knows what is changing
> before the release).
>

Thank you Kern.


> - Around April of 2019 (or whenever I finish the work) there will be a
> major Bacula Community
>   Catalog change -- anyone who reads the catalog directly will very likely
> need to adapt their
>   SQL.
> - For Bacula itself (enterprise or community), I am not in favor of
> storing Bacula configuration files in the catalog,
>   because   doing so makes it more difficult to change the configuration
> files, and requires the SD and FD and
>   any tool to know how to access the database.  Even more importantly, in
> a disaster recovery situation,
>   you may not be able to reconstruct the same catalog database, while
> restoring ASCII configuration
>   files is relatively simple.
>

Every solution has pros and cons. I'm very happy when I can discuss what is
a best solution in certain requirements and assumptions. The main
requirements for IBAdmin in this area are: encrypted passwords storage and
a single Catalog and Configuration replication. To meet the requirements we
decided to store configuration data in a database where as a bonus we've
got a transaction configuration change, so the application error does not
invalidate the current configuration. We see it as a real value. DR in
IBAdmin will be based on replication. Someone in other projects can have a
different assumptions or requirements and I respect it.

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-26 Thread Dmitri Maziuk via Bacula-users 
On Sat, 26 Jan 2019 14:27:10 +0100
Kern Sibbald  wrote:

> On 1/25/19 7:06 PM, Josip Deanovic wrote:

> > API would be really cool thing to have.
> 
> Yes, I will check if we have some documentation on it.

FWIW I don't think a) having strictly read-only access to the catalog is
a bad thing and b) you can stop someone with a little knowledge of psql
from getting in. I would start with a read-only role created by install
script (easy in postgres 9+) and detailed documentation of the database
schema.

It's placing your own objects in the catalog schema that I have a
serious problem with.

APIs are work and IME everyone wants something just different enough
that you have to add more API calls, and more, until you end up looking
like matlab.

-- 
Dmitri Maziuk 


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-26 Thread Heitor Faria 
Hello Kern, All,

>> API would be really cool thing to have.
> 
> Yes, I will check if we have some documentation on it.

Let me diverge the thread a little.
Now it was mentioned, I think it would be really good too have an API command 
that allows exporting terminated Copy Jobs metadata from one Dir+Catalog to a 
remote Dir+Catalog. Or something similar.
Or the hard way: a Destination Catalog Copy Jobs directive.
This is a common request from our customers and prospects depending on the 
proposed architectures.

Regards,
-- 
MSc Heitor Faria 
CEO Bacula LATAM 
mobile1: + 1 909 655-8971 
mobile2: + 55 61 98268-4220 

Brasilia - Miami - New York 

www.bacula.com.br


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-26 Thread Kern Sibbald 




On 1/25/19 7:06 PM, Josip Deanovic wrote:

On Friday 2019-01-25 16:47:55 Kern Sibbald wrote:

Hello guys,

Interesting conversation.  I thought I would throw in some general
comments of my own.

[...]

API would be really cool thing to have.


Yes, I will check if we have some documentation on it.



Don't forget to support some statistical and health information
that could be used by different graphing and monitoring systems.


This (statistics info) exists in the Enterprise version, and will also 
be back ported to the

community version at future time (hopefully by mid-year).

Regards,
Kern




___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-25 Thread Josip Deanovic 
On Friday 2019-01-25 16:47:55 Kern Sibbald wrote:
> Hello guys,
> 
> Interesting conversation.  I thought I would throw in some general
> comments of my own.

[...]

API would be really cool thing to have.

Don't forget to support some statistical and health information
that could be used by different graphing and monitoring systems.


Regards

-- 
Josip Deanovic


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-25 Thread Josip Deanovic 
On Friday 2019-01-25 11:16:26 Radosław Korzeniewski wrote:
> > It's best practices, not an opinion.
> 
> Sorry no - swearing is not a best practice, it is an opinion.

Obviously I was referring to everything else but the swearing. :-)

> I do not understand why you complain about additional objects in Bacula
> database and rw access in IBAdmin when almost all others GUI for Bacula
> does the same for a very long time!
> Its insane! If you complain that IBAdmin is doing this wrong you have to
> complain for other GUI too!

You are right.
And I would if a thread such as this one got under my radar and I had
some time to jump in.

> > I hope that you can now better understand why would experienced
> > sysadmin or system architect say that it is inflexible
> 
> I disagree. The IBAdmin is extremely flexible (thanks to Django Web
> framework) in this area and adding support for database separation is
> relatively easy.

You are again looking at the matter from a developer perspective.
It is flexible for you to make further changes and add additional
features in the future.

It is not flexible for an admin to better protect its data with the
software at hand and its current feature set.

> > (to say the least) for a
> > third party software to use Backup system's database in order to write
> > its own data.
> > 
> > For sysadmins separation is not an option, it is a requirement for a
> > well design software. Otherwise it just doesn't fit
> 
> Almost all other Bacula GUI do that way and no one complain!

I would if I got a chance at the right time and the right thread.

Radosław, don't get me wrong, I respect your effort and work and the
work of whoever worked on that software and it is not my intention to
minimize the credits you deserve.

I am just trying to show how the other side (admins) would see certain
problems they would immediately observe.

I also had some plans for Baculum but unfortunately it wasn't useful
for me because it is not flexible enough.

I wanted to write about that to the authors but had no time to do it
and that was few years back so I would need to test it again.


-- 
Josip Deanovic


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-25 Thread Kern Sibbald 

  
  
Hello guys,

Interesting conversation.  I thought I would throw in some general
comments of my own.

- I really like seeing another GUI for Bacula, because it is
something we really need.
- The BWeb GUI created by Bacula Systems, is very essential to
corporate users.
- The Baculum GUI created by Bacula Community (Marcin Haba -- note
he also works
   on the Enterprise BWeb) will be very essential to large  
community users.
- I don't like the idea that a GUI read/write directly into the
Bacula catalog.  If I am not mistaken
  both BWeb and Baculum do this, but we are developing API calls and
trying to make sure all
  accesses go through the Bacula core code.  However, it will take
more time to get those 
  products switched over.
- GUI programs designed and coded by Bacula Systems and/or Bacula
Community will remain
  compatible with the Bacula Catalog -- this is a given.  However
non-Bacula GUI until we finish
  the APIs and those programs use them, 3-rd party GUIs are almost
certain to have problems
  with Bacula catalog changes (the exception is IBAdmin, because
Radek works directly with both
  Bacula Enterprise and Bacula Community so he knows what is
changing before the release).
- Around April of 2019 (or whenever I finish the work) there will be
a major Bacula Community
  Catalog change -- anyone who reads the catalog directly will very
likely need to adapt their
  SQL.
- For Bacula itself (enterprise or community), I am not in favor of
storing Bacula configuration files in the catalog,
  because   doing so makes it more difficult to change the
configuration files, and requires the SD and FD and
  any tool to know how to access the database.  Even more
importantly, in a disaster recovery situation,
  you may not be able to reconstruct the same catalog database,
while restoring ASCII configuration
  files is relatively simple.

Best regards,
Kern

On 1/25/19 11:16 AM, Radosław
  Korzeniewski wrote:


  
  
Hello,


  pt., 25 sty 2019 o
10:40 Josip Deanovic 
napisał(a):
  
  On Friday 2019-01-25
08:56:18 Radosław Korzeniewski wrote:
> > Having the pieces fall in the same database that
holds
> > my super-important backup catalog is just... like
I said: !@#$ck no.
> 
> Sure its your opinion.

It's best practices, not an opinion.
  
  
  
  Sorry no - swearing is not a best practice, it is an
opinion.
   
  

Would you hire a sysadmin/sysarch who see things any
different?
I wouldn't.
And I wouldn't give him administrative access because such
guy
would be dangerous to your data and your business.

> I understand all your fears about object name collision
and in my
> opinion the risk is extremely low. I am trying to
understand all other
> complains, but with the sentence: "(...) like I said:
!@#$ck no." is
> extremely hard.

The risk of object collision might be extremely low but the
fact that
the a third-party tool needs write access to your backup
database
is not something that can overlooked by someone who is
responsible
for the data and system integrity.


Sysadmins are doing tons of actions and steps in system
design in order
to prevent extremely unlikely cases.

E.g. creating a dedicated backup network with separated
VLANs for every
logical group of servers and making sure that servers from
different
logical units cannot reach each other.

Making sure that only servers that absolutely MUST have
access specific
server and port can actually access it although it already
requires auth.

Making sure that all communication is encrypted although it
is extremely
unlikely that in a dedicated backup network some server from
a different
logical group could ever get a chance to sniff packages.

Additionally, sometimes servers use additional kernel based
mechanisms
to ensure privileges and prevent breaches.

Different intrusion detection system and advanced firewalls
employing
complex analytic modules might

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-25 Thread Radosław Korzeniewski 
Hello,

pt., 25 sty 2019 o 10:40 Josip Deanovic 
napisał(a):

> On Friday 2019-01-25 08:56:18 Radosław Korzeniewski wrote:
> > > Having the pieces fall in the same database that holds
> > > my super-important backup catalog is just... like I said: !@#$ck no.
> >
> > Sure its your opinion.
>
> It's best practices, not an opinion.
>

Sorry no - swearing is not a best practice, it is an opinion.


>
> Would you hire a sysadmin/sysarch who see things any different?
> I wouldn't.
> And I wouldn't give him administrative access because such guy
> would be dangerous to your data and your business.
>
> > I understand all your fears about object name collision and in my
> > opinion the risk is extremely low. I am trying to understand all other
> > complains, but with the sentence: "(...) like I said: !@#$ck no." is
> > extremely hard.
>
> The risk of object collision might be extremely low but the fact that
> the a third-party tool needs write access to your backup database
> is not something that can overlooked by someone who is responsible
> for the data and system integrity.
>
>
> Sysadmins are doing tons of actions and steps in system design in order
> to prevent extremely unlikely cases.
>
> E.g. creating a dedicated backup network with separated VLANs for every
> logical group of servers and making sure that servers from different
> logical units cannot reach each other.
>
> Making sure that only servers that absolutely MUST have access specific
> server and port can actually access it although it already requires auth.
>
> Making sure that all communication is encrypted although it is extremely
> unlikely that in a dedicated backup network some server from a different
> logical group could ever get a chance to sniff packages.
>
> Additionally, sometimes servers use additional kernel based mechanisms
> to ensure privileges and prevent breaches.
>
> Different intrusion detection system and advanced firewalls employing
> complex analytic modules might be used to rise awareness in time.
>
> Monitoring, graphing, regular checks of hardware and service health...
>
>
I do not understand why you complain about additional objects in Bacula
database and rw access in IBAdmin when almost all others GUI for Bacula
does the same for a very long time!
Its insane! If you complain that IBAdmin is doing this wrong you have to
complain for other GUI too!


> I hope that you can now better understand why would experienced sysadmin
> or system architect say that it is inflexible


I disagree. The IBAdmin is extremely flexible (thanks to Django Web
framework) in this area and adding support for database separation is
relatively easy.


> (to say the least) for a
> third party software to use Backup system's database in order to write
> its own data.
>
> For sysadmins separation is not an option, it is a requirement for a
> well design software. Otherwise it just doesn't fit
>

Almost all other Bacula GUI do that way and no one complain!

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-25 Thread Josip Deanovic 
On Friday 2019-01-25 08:56:18 Radosław Korzeniewski wrote:
> > Having the pieces fall in the same database that holds
> > my super-important backup catalog is just... like I said: !@#$ck no.
> 
> Sure its your opinion.

It's best practices, not an opinion.

Would you hire a sysadmin/sysarch who see things any different?
I wouldn't.
And I wouldn't give him administrative access because such guy
would be dangerous to your data and your business.

> I understand all your fears about object name collision and in my
> opinion the risk is extremely low. I am trying to understand all other
> complains, but with the sentence: "(...) like I said: !@#$ck no." is
> extremely hard.

The risk of object collision might be extremely low but the fact that
the a third-party tool needs write access to your backup database
is not something that can overlooked by someone who is responsible
for the data and system integrity.


Sysadmins are doing tons of actions and steps in system design in order
to prevent extremely unlikely cases.

E.g. creating a dedicated backup network with separated VLANs for every
logical group of servers and making sure that servers from different
logical units cannot reach each other.

Making sure that only servers that absolutely MUST have access specific
server and port can actually access it although it already requires auth.

Making sure that all communication is encrypted although it is extremely
unlikely that in a dedicated backup network some server from a different
logical group could ever get a chance to sniff packages.

Additionally, sometimes servers use additional kernel based mechanisms
to ensure privileges and prevent breaches.

Different intrusion detection system and advanced firewalls employing
complex analytic modules might be used to rise awareness in time.

Monitoring, graphing, regular checks of hardware and service health...


I hope that you can now better understand why would experienced sysadmin
or system architect say that it is inflexible (to say the least) for a
third party software to use Backup system's database in order to write
its own data.

For sysadmins separation is not an option, it is a requirement for a
well design software. Otherwise it just doesn't fit.


Regards!

-- 
Josip Deanovic


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-24 Thread Radosław Korzeniewski 
Hello,

czw., 24 sty 2019 o 23:50 Dimitri Maziuk via Bacula-users <
bacula-users@lists.sourceforge.net> napisał(a):

> On 1/24/19 4:15 PM, mark.berg...@uphs.upenn.edu wrote:
>
> > Putting it very bluntly, the data in Bacula's database is the only
> > important component. Your tool -- and every other GUI front-end -- is a
> > convenience, not a necessary part of the backup infrastructure, and your
> > tool (and every other GUI front-end to Bacula) is much, much less mature
> > and less trusted.
>
> Even if it is, unless it comes with bacula from bacula,


Well, in my opinion the only GUI which comes from Bacula is BWeb
Enterprise, YMMV.


> there is no
> guarantee that the next version of the core software will not add more
> database objects with a name clash.


Well, I cannot give you a guarantee but as a core Bacula developer I can
assure you it is not a problem you can experience anytime soon.
IBAdmin is using a very different database objects naming scheme then
Bacula so the risk of object name clash is extremely low.


> Or change the schema in a way that
> breaks your tool.


IBAdmin detects Bacula Catalog change and promptly inform you about it,
just take a look:
https://github.com/inteos/IBAdmin/wiki/Wrong-catalog-version


> Having the pieces fall in the same database that holds
> my super-important backup catalog is just... like I said: !@#$ck no.
>

Sure its your opinion.

I understand all your fears about object name collision and in my opinion
the risk is extremely low. I am trying to understand all other complains,
but with the sentence: "(...) like I said: !@#$ck no." is extremely hard.

IBAdmin is designed as a simple to use but powerful tool. It is dedicated
to less experienced Bacula admins who wants to use Bacula as fast as
possible. It has a lot of unique features which are not available in any
other GUI like a different types of Backup clients available: Standalone,
Cluster node, Cluster service and Alias, a number of different backup job
types available like Files backup, Catalog backup, Proxmox backup, VMware
Guest VM backup, etc., transactional and instant configuration change, AES
encrypted passwords, build in statistics daemon, Background tasks (for long
running operations) and many other.

As I said, from technical point of view you can move IBAdmin objects to
separate database. Just define an additional database in configuration file
and develop a Django database access router for this (something like:
https://docs.djangoproject.com/pl/1.11/topics/db/multi-db/). If someone
wants to do it, no problem. The code is available in AGPLv3 license.

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-24 Thread Radosław Korzeniewski 
Hello,

czw., 24 sty 2019 o 23:15  napisał(a):

> In the message dated: Thu, 24 Jan 2019 19:47:49 +0100,
> The pithy ruminations from =?UTF-8?Q?Rados=C5=82aw_Korzeniewski?= on
> [[External] Re: [Bacula-users] [Bacula-devel] IBAdmin] were:
> => Hello Dan,
> =>
> => czw., 24 sty 2019 o 14:28 Dan Langille  napisał(a):
> =>
> => > On Jan 24, 2019, at 5:30 AM, Radosław Korzeniewski <
> => > rados...@korzeniewski.net> wrote:
> => >
> => > Hello Dan,
> => >
> => > śr., 23 sty 2019 o 23:59 Dan Langille  napisał(a):
> => >
>
> =>
> => From technical point of view it is possible to redesign IBAdmin to
> => use multiple databases, but it requires some development which (in my
> => opinion) has no real value. If you think this kind of separation has any
> => real value other then "do separation - it is good" I'll be happy if you
> => will share it with me.
>
> I completely agree with Dan. I wouldn't even consider testing IBAdmin (or
> any other Bacula tool) that requires write access to the Bacula database.
>
>
OK, no problem. I do not force anyone to test it or to use it. It is your
free will.

But I do not understand why you complain about IBAdmin but do not complain
about any other Bacula GUI tools which require this kind of access too.


> Your tool -- and every other GUI front-end -- is a
> convenience, not a necessary part of the backup infrastructure, and your
> tool (and every other GUI front-end to Bacula) is much, much less mature
> and less trusted.
>

Yes it is true. We started IBAdmin in 2015 and it is a youngest kid in the
town.


> I would not give a front-end tool unrestricted access to the database
> for the same reason why every user on the system does not have root
> privileges.
>

So, you do not need a GUI then.


> Users who value the convenience of the install over the security of
> their data probably don't represent the typical bacula administrator.
> Their suggestions for the design of your product may not apply to
> the users you want to attract.
>

To learn Bacula you have to spend years of your life, so the learning curve
is extremely hard. Even if you use currently available GUI you have to
exactly know what to put in configuration forms as all these forms maps 1:1
to standard configuration files and resources.
With IBAdmin all you have to know is an overall architecture which you can
learn in a one hour. Then you can start using it like a pro. :) Sure this
means you can change your Bacula configuration in a way permitted by an
application and not all configuration tweaks are available. From our
experience it covers 90% of use cases.

So if you are a Bacula's geek who craft your configuration by hand and you
are a proud of it then IBAdmin is not suited for you. If you are a total
Bacula's newbie you should give it a try.

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-24 Thread Dimitri Maziuk via Bacula-users 
On 1/24/19 4:15 PM, mark.berg...@uphs.upenn.edu wrote:

> Putting it very bluntly, the data in Bacula's database is the only
> important component. Your tool -- and every other GUI front-end -- is a
> convenience, not a necessary part of the backup infrastructure, and your
> tool (and every other GUI front-end to Bacula) is much, much less mature
> and less trusted.

Even if it is, unless it comes with bacula from bacula, there is no
guarantee that the next version of the core software will not add more
database objects with a name clash. Or change the schema in a way that
breaks your tool. Having the pieces fall in the same database that holds
my super-important backup catalog is just... like I said: !@#$ck no.

-- 
Dimitri Maziuk
Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu



signature.asc
Description: OpenPGP digital signature
___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users

Re: [Bacula-users] [External] Re: [Bacula-devel] IBAdmin

2019-01-24 Thread mark . bergman 
In the message dated: Thu, 24 Jan 2019 19:47:49 +0100,
The pithy ruminations from =?UTF-8?Q?Rados=C5=82aw_Korzeniewski?= on 
[[External] Re: [Bacula-users] [Bacula-devel] IBAdmin] were:
=> Hello Dan,
=> 
=> czw., 24 sty 2019 o 14:28 Dan Langille  napisał(a):
=> 
=> > On Jan 24, 2019, at 5:30 AM, Radosław Korzeniewski <
=> > rados...@korzeniewski.net> wrote:
=> >
=> > Hello Dan,
=> >
=> > śr., 23 sty 2019 o 23:59 Dan Langille  napisał(a):
=> >

=> 
=> From technical point of view it is possible to redesign IBAdmin to
=> use multiple databases, but it requires some development which (in my
=> opinion) has no real value. If you think this kind of separation has any
=> real value other then "do separation - it is good" I'll be happy if you
=> will share it with me.

I completely agree with Dan. I wouldn't even consider testing IBAdmin (or
any other Bacula tool) that requires write access to the Bacula database.


Putting it very bluntly, the data in Bacula's database is the only
important component. Your tool -- and every other GUI front-end -- is a
convenience, not a necessary part of the backup infrastructure, and your
tool (and every other GUI front-end to Bacula) is much, much less mature
and less trusted.

I would not give a front-end tool unrestricted access to the database
for the same reason why every user on the system does not have root
privileges.

Users who value the convenience of the install over the security of
their data probably don't represent the typical bacula administrator.
Their suggestions for the design of your product may not apply to
the users you want to attract.

Mark

=> 
=> best regards -- Radosław Korzeniewski rados...@korzeniewski.net
=> 
=> 

-- 
Mark Bergman   voice: 215-746-4061  
 
mark.berg...@uphs.upenn.edu  fax: 215-614-0266
http://www.med.upenn.edu/cbica/
IT Technical Director, Center for Biomedical Image Computing and Analytics
Department of Radiology University of Pennsylvania


___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users