Re: [Bacula-users] Bacularis: set of rights for tape operators

2024-06-13 Thread Stefan G. Weichinger

On 13.06.24 at 14:05, Marcin Haba wrote:

> This is wrong because if multiple commands are closed in one big quotes,
> it is treated as one command that does not exist, so it causes no access
> to anything.
>
> You need to write it as this (without quotes):
>
>    CommandAcl = gui, .api, .status, .storage, delete, show, mount, umount, label, update
>
> Or in a way as Bacularis writes multi-value directives:
>
>    CommandAcl = ".api"
>    CommandAcl = "gui"
>    CommandAcl = ".status"
>    CommandAcl = ".storage"
>    CommandAcl = "delete"
>    CommandAcl = "show"
>    CommandAcl = "mount"
>    CommandAcl = "umount"
>    CommandAcl = "label"
>    CommandAcl = "update"
>
> Both work in the same way.


ok, thanks. corrected that, restarted bacula-dir .. that user still sees 
both Storage-Resources. Anyway, not a problem right now.





___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
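
Added example (not part of the original thread, and not Bacula or Bacularis code): a small Python linter for a Console resource that applies the quoting rule described in the message above, where a quoted comma-separated CommandAcl is a single command that matches nothing. The splitting logic follows the thread's description rather than Bacula's own parser; the resource text, the `PLACEHOLDER` password and all function names are constructed for illustration.

```python
import re

# Commands the thread recommends for a tape operator Console ACL.
TAPE_OPERATOR_COMMANDS = {"gui", ".api", ".status", ".storage", "delete",
                          "show", "mount", "umount", "label", "update"}
DIRECTIVE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')


def split_acl_value(raw):
    """Split a directive value on commas that are outside double quotes.

    A quoted string stays one entry, matching the behaviour described in
    the thread: "a, b" in quotes is a single (nonexistent) command.
    """
    entries, buf, quoted = [], "", False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            entries.append(buf.strip())
            buf = ""
        else:
            buf += ch
    entries.append(buf.strip())
    return [e for e in entries if e]


def effective_acls(resource_text):
    """Collect the *Acl entries of one Console resource, merging repeats."""
    acls = {}
    for line in resource_text.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower().endswith("acl"):
            acls.setdefault(m.group(1).lower(), []).extend(
                split_acl_value(m.group(2)))
    return acls


def lint_console(resource_text, required=TAPE_OPERATOR_COMMANDS):
    """Return a list of findings for a Console resource (empty means clean)."""
    acls = effective_acls(resource_text)
    commands = acls.get("commandacl", [])
    findings = [f"CommandAcl entry {e!r} is one quoted string; it matches no command"
                for e in commands if "," in e]
    missing = sorted(set(required) - set(commands))
    if missing:
        findings.append("CommandAcl lacks: " + ", ".join(missing))
    if not acls.get("storageacl"):
        findings.append("StorageAcl is not set for this Console")
    return findings


def console(command_acl_lines):
    """Build a constructed Console resource around the given CommandAcl lines."""
    body = ['  Name = "tape-operator-ACL"', '  Password = "PLACEHOLDER"',
            '  StorageAcl = "HP-Autoloader"', *command_acl_lines]
    return "Console {\n" + "\n".join(body) + "\n}\n"


CMDS = "gui, .api, .status, .storage, delete, show, mount, umount, label, update"
BROKEN = console([f'  CommandAcl = "{CMDS}"'])          # form that gave no access
FIXED_LIST = console([f"  CommandAcl = {CMDS}"])        # unquoted list
FIXED_REPEATED = console([f'  CommandAcl = "{c}"' for c in CMDS.split(", ")])

if __name__ == "__main__":
    for name, text in [("broken", BROKEN), ("list", FIXED_LIST),
                       ("repeated", FIXED_REPEATED)]:
        print(name, lint_console(text) or "ok")
```
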


Re: [Bacula-users] Bacularis: set of rights for tape operators

2024-06-13 Thread Marcin Haba
On Thu, 13 Jun 2024 at 13:35, Stefan G. Weichinger  wrote:

> On 13.06.24 at 12:44, Marcin Haba wrote:
>
> > You don't need to restart anything. Are you sure that you set all
> > CommandAcl directive values in the Console ACL? They should be one
> > command per one CommandAcl field:
> >
> > CommandAcl = gui
> > CommandAcl = .api
> > CommandAcl = .status
> > CommandAcl = .storage
> > CommandAcl = delete
> > CommandAcl = show
> > CommandAcl = mount
> > CommandAcl = umount
> > CommandAcl = label
> > CommandAcl = update
> >
> > If storage is not listed in the storage table it can be that the
> > .storage command is missing there. Could you confirm it? Also StorageAcl
> > needs to be set to all Storage that should be available for that user.
>
> all there, looks like this on the shell:
>
> Console {
>   Name = "tape-operator-ACL"
>   Password = ""
>   StorageAcl = "HP-Autoloader"
>   CommandAcl = "gui, .api, .status, .storage, delete, show, mount, umount, label, update"
> }
>

Hello Stefan,

This is wrong because if multiple commands are closed in one big quotes, it
is treated as one command that does not exist, so it causes no access to
anything.

You need to write it as this (without quotes):

  CommandAcl = gui, .api, .status, .storage, delete, show, mount, umount, label, update

Or in a way as Bacularis writes multi-value directives:

  CommandAcl = ".api"
  CommandAcl = "gui"
  CommandAcl = ".status"
  CommandAcl = ".storage"
  CommandAcl = "delete"
  CommandAcl = "show"
  CommandAcl = "mount"
  CommandAcl = "umount"
  CommandAcl = "label"
  CommandAcl = "update"

Both work in the same way.

Best regards,
Marcin Haba (gani)

-- 

"Greater love hath no man than this, that a man lay down his life for
his friends." Jesus Christ

"No one has greater love than this, that one lays down his life
for his friends." Jesus Christ


Re: [Bacula-users] Bacularis: set of rights for tape operators

2024-06-13 Thread Stefan G. Weichinger

On 13.06.24 at 12:44, Marcin Haba wrote:

> You don't need to restart anything. Are you sure that you set all
> CommandAcl directive values in the Console ACL? They should be one
> command per one CommandAcl field:
>
> CommandAcl = gui
> CommandAcl = .api
> CommandAcl = .status
> CommandAcl = .storage
> CommandAcl = delete
> CommandAcl = show
> CommandAcl = mount
> CommandAcl = umount
> CommandAcl = label
> CommandAcl = update
>
> If storage is not listed in the storage table it can be that the
> .storage command is missing there. Could you confirm it? Also StorageAcl
> needs to be set to all Storage that should be available for that user.

all there, looks like this on the shell:

Console {
  Name = "tape-operator-ACL"
  Password = ""
  StorageAcl = "HP-Autoloader"
  CommandAcl = "gui, .api, .status, .storage, delete, show, mount, umount, label, update"
}

> > I want to get the information which tapes to insert into the
> > loader. Which ones are "overwritable" right now, what is needed for the
> > next jobs to be successful. I'd like not to have to process retention
> > times etc by myself.
>
> I understand. Thanks. I don't know exactly this type of function in
> Bacula, however in the status director is information about the next
> volume for scheduled backup jobs. In Bacularis it is in (Director ->
> Tab: Actions -> Button: Status director -> SubTab: Raw status). For
> restore the required volumes are listed in the restore wizard before
> starting the restore.

ok. I see. Thanks so far!





Re: [Bacula-users] Bacularis: set of rights for tape operators

2024-06-13 Thread Marcin Haba
On Thu, 13 Jun 2024 at 10:46, Stefan G. Weichinger  wrote:

> On 13.06.24 at 10:24, Marcin Haba wrote:
> > On Thu, 13 Jun 2024 at 10:02, Stefan G. Weichinger wrote:
> > > I don't see how to assign the ACL to that user, sry
> >
> > In the create API basic user window there is an option with label:
> >
> > "Create dedicated Bconsole config file"
> >
> > When you check this checkbox, you will see the Console ACL and Director
> > to select. It is exactly this option and this select to choose Console ACL.
>
> found, ok. Did so but now the user sees NO Storage in "Storage" although
> I chose the autoloader in the ACL etc
>
> Do I have to restart things after that patch or so?
>

Hello Stefan,

You don't need to restart anything. Are you sure that you set all
CommandAcl directive values in the Console ACL? They should be one command
per one CommandAcl field:

CommandAcl = gui
CommandAcl = .api
CommandAcl = .status
CommandAcl = .storage
CommandAcl = delete
CommandAcl = show
CommandAcl = mount
CommandAcl = umount
CommandAcl = label
CommandAcl = update

If storage is not listed in the storage table it can be that the .storage
command is missing there. Could you confirm it? Also StorageAcl needs to be
set to all Storage that should be available for that user.


> > I am not sure if I understand this question. What type of inserting do
> > you have on mind? Is it a list of volumes that will be used in backups
> > or something else?
>
> I would I want to get the information which tapes to insert into the
> loader. Which ones are "overwritable" right now, what is needed for the
> next jobs to be successful. I'd like not to have to process retention
> times etc by myself.
>
>
I understand. Thanks. I don't know exactly this type of function in Bacula,
however in the status director is information about the next volume for
scheduled backup jobs. In Bacularis it is in (Director -> Tab: Actions ->
Button: Status director  ->  SubTab: Raw status). For restore the required
volumes are listed in the restore wizard before starting the restore.

Best regards,
Marcin Haba (gani)


Re: [Bacula-users] Bacularis: set of rights for tape operators

2024-06-13 Thread Stefan G. Weichinger

On 13.06.24 at 10:24, Marcin Haba wrote:
> On Thu, 13 Jun 2024 at 10:02, Stefan G. Weichinger wrote:
>
> > I don't see how to assign the ACL to that user, sry
>
> In the create API basic user window there is an option with label:
>
> "Create dedicated Bconsole config file"
>
> When you check this checkbox, you will see the Console ACL and Director
> to select. It is exactly this option and this select to choose Console ACL.

found, ok. Did so but now the user sees NO Storage in "Storage" although
I chose the autoloader in the ACL etc

Do I have to restart things after that patch or so?

> Yes, if the Console ACL will be assigned, then the user will see only
> storage resources allowed by the Console ACL. For volumes, it isn't part
> of Console ACLs, so they are listed all.

ok
our file-based volumes will be deleted soon anyway. And that guy is
intelligent, he's able to filter information :-)

> > The user is able to "Update slots", nice .. this is important if he
> > swaps tapes etc
> >
> > Ah, that leads me to another newbie question:
> >
> > with amanda there was a command that showed me which tapes from which
> > pool were to be inserted next. So amanda checked retention times etc etc
> > and asked for the next tapes to be overwritten. I haven't yet seen or
> > understood if Bacula is also able to provide me or the tape operator
> > with a list of tapes to be inserted (or even which ones to take out of
> > the library).
> >
> > So far I look for "Full" tapes and remove them etc
>
> I am not sure if I understand this question. What type of inserting do
> you have on mind? Is it a list of volumes that will be used in backups
> or something else?


I would I want to get the information which tapes to insert into the 
loader. Which ones are "overwritable" right now, what is needed for the 
next jobs to be successful. I'd like not to have to process retention 
times etc by myself.






Re: [Bacula-users] Bacularis: set of rights for tape operators

2024-06-13 Thread Marcin Haba
On Thu, 13 Jun 2024 at 10:02, Stefan G. Weichinger  wrote:

> On 12.06.24 at 17:09, Marcin Haba wrote:
> > Hello Stefan,
> >
> > Thanks for your question. It showed me that it might be good to
> > add descriptions for the resources available for each role and probably
> > a new section in the documentation that describes it.
> >
> > For the question about setting access for the tape operator, I assume
> > that you have the tape library already configured with Bacularis.
> > Setting this access for that user can be done in various ways. Below I
> > described the most detailed manual way (without using wizards) that
> > enables to set most options and tune access exactly to what needed.
>
> At first: thank you for the quick and detailed reply! Going through
> right now.
>
> > So, the steps are following:
> >
> > 1) I would propose to create a new role for the tape operator with the
> > following resources assigned (Security -> Tab: Roles):
> >
> >   - VolumeList - that gives access to the volume list page
> >   - VolumeView - that gives access to the detailed single volume view page
> >   - StorageList - that gives access to the storage list page
> >   - StorageView - that gives access to the single storage view page
> >
> > 2) Then I would propose to create a console ACL (Security -> Tab:
> > Console Acls) with:
> >
> >   - StorageAcl - that has defined all storage resources for which you
> > would like to give access for the tape operator
> >   - CommandAcl - with commands: gui, .api, .status, .storage, delete,
> > show, mount, umount, label, update
> >
> > 3) Next I would create a new API user. Normally it can be done in
> > (Security -> Tab: API basic users) but during preparing this mail I
> > found a bug in this function. Because of that please apply a one line
> > patch (for version 3.2.0) from attachment to file located usually here:
> >
> > /usr/share/bacularis/protected/API/Modules/BaculaConfig.php
> >
> > Once it is done, you can create in (Security -> Tab: API basic users)
> > new tape operator user and assign to it the Console Acl from point 2)
>

Hello Stefan,

Thanks for feedback from your tries.

> I don't see how to assign the ACL to that user, sry
>

 In the create API basic user window there is an option with label:

"Create dedicated Bconsole config file"

When you check this checkbox, you will see the Console ACL and Director to
select. It is exactly this option and this select to choose Console ACL.

> > 4) At the end I would create a new API host connection (Security -> Tab:
> > API hosts) to the API host with the tape library and Bacularis API
> > installed providing basic user credentials from step 3)
> >
> > 5) Finally I would create a new Bacularis Web user for this tape
> > operator (Security -> Tab: Users) with:
> >
> >   - tape operator role created in point 1)
> >   - API host created in point 4)
> >
> > 6) [Extra point] To avoid modifying by the tape operator anything
> > related to the Bacula SD configuration, you can switch all Bacula
> > resources for this user to 'read-only' or 'no access' mode. It is
> > possible to do on (API Panel -> Basic users -> Edit: tape operator
> > user). There you can set "read-only" or "no access" permissions for
> > every Bacula resource or all at once (Resource permissions section).
>
>
> looks promising. That user sees STorage and Volumes, although currently
> it sees both "File" and "Tape" volumes ... both pools, both storages.
>
> That isn't a problem for me, it's just missing, maybe because I skipped
> 6) and 3) isn't fully done. (patch applied, yes)
>

Yes, if the Console ACL will be assigned, then the user will see only
storage resources allowed by the Console ACL. For volumes, it isn't part of
Console ACLs, so they are listed all.


>
> The user is able to "Update slots", nice .. this is important if he
> swaps tapes etc
>
> Ah, that leads me to another newbie question:
>
> with amanda there was a command that showed me which tapes from which
> pool were to be inserted next. So amanda checked retention times etc etc
> and asked for the next tapes to be overwritten. I haven't yet seen or
> understood if Bacula is also able to provide me or the tape operator
> with a list of tapes to be inserted (or even which ones to take out of
> the library).
>
> So far I look for "Full" tapes and remove them etc
>

I am not sure if I understand this question. What type of inserting do you
have on mind? Is it a list of volumes that will be used in backups or
something else?

> hints welcome
>
> Thanks so far, in an hour I show the tape op around Bacularis for the
> first time :-)
>

Good luck with it :-)

Best regards,
Marcin Haba (gani)



Re: [Bacula-users] Bacularis: set of rights for tape operators

2024-06-13 Thread Stefan G. Weichinger

On 12.06.24 at 17:09, Marcin Haba wrote:

> Hello Stefan,
>
> Thanks for your question. It showed me that it might be good to
> add descriptions for the resources available for each role and probably
> a new section in the documentation that describes it.
>
> For the question about setting access for the tape operator, I assume
> that you have the tape library already configured with Bacularis.
> Setting this access for that user can be done in various ways. Below I
> described the most detailed manual way (without using wizards) that
> enables to set most options and tune access exactly to what needed.

At first: thank you for the quick and detailed reply! Going through
right now.

> So, the steps are following:
>
> 1) I would propose to create a new role for the tape operator with the
> following resources assigned (Security -> Tab: Roles):
>
>   - VolumeList - that gives access to the volume list page
>   - VolumeView - that gives access to the detailed single volume view page
>   - StorageList - that gives access to the storage list page
>   - StorageView - that gives access to the single storage view page
>
> 2) Then I would propose to create a console ACL (Security -> Tab:
> Console Acls) with:
>
>   - StorageAcl - that has defined all storage resources for which you
>     would like to give access for the tape operator
>   - CommandAcl - with commands: gui, .api, .status, .storage, delete,
>     show, mount, umount, label, update
>
> 3) Next I would create a new API user. Normally it can be done in
> (Security -> Tab: API basic users) but during preparing this mail I
> found a bug in this function. Because of that please apply a one line
> patch (for version 3.2.0) from attachment to file located usually here:
>
> /usr/share/bacularis/protected/API/Modules/BaculaConfig.php
>
> Once it is done, you can create in (Security -> Tab: API basic users)
> new tape operator user and assign to it the Console Acl from point 2)

I don't see how to assign the ACL to that user, sry

> 4) At the end I would create a new API host connection (Security -> Tab:
> API hosts) to the API host with the tape library and Bacularis API
> installed providing basic user credentials from step 3)
>
> 5) Finally I would create a new Bacularis Web user for this tape
> operator (Security -> Tab: Users) with:
>
>   - tape operator role created in point 1)
>   - API host created in point 4)
>
> 6) [Extra point] To avoid modifying by the tape operator anything
> related to the Bacula SD configuration, you can switch all Bacula
> resources for this user to 'read-only' or 'no access' mode. It is
> possible to do on (API Panel -> Basic users -> Edit: tape operator
> user). There you can set "read-only" or "no access" permissions for
> every Bacula resource or all at once (Resource permissions section).

looks promising. That user sees Storage and Volumes, although currently
it sees both "File" and "Tape" volumes ... both pools, both storages.


That isn't a problem for me, it's just missing, maybe because I skipped 
6) and 3) isn't fully done. (patch applied, yes)


The user is able to "Update slots", nice .. this is important if he 
swaps tapes etc


Ah, that leads me to another newbie question:

with amanda there was a command that showed me which tapes from which 
pool were to be inserted next. So amanda checked retention times etc etc 
and asked for the next tapes to be overwritten. I haven't yet seen or 
understood if Bacula is also able to provide me or the tape operator 
with a list of tapes to be inserted (or even which ones to take out of 
the library).


So far I look for "Full" tapes and remove them etc

hints welcome

Thanks so far, in an hour I show the tape op around Bacularis for the 
first time :-)






Re: [Bacula-users] Bacularis: set of rights for tape operators

2024-06-12 Thread Marcin Haba
Hello Stefan,

Thanks for your question. It showed me that it might be good to
add descriptions for the resources available for each role and probably a
new section in the documentation that describes it.

For the question about setting access for the tape operator, I assume that
you have the tape library already configured with Bacularis. Setting this
access for that user can be done in various ways. Below I described the
most detailed manual way (without using wizards) that enables to set most
options and tune access exactly to what needed.

So, the steps are following:

1) I would propose to create a new role for the tape operator with the
following resources assigned (Security -> Tab: Roles):

 - VolumeList - that gives access to the volume list page
 - VolumeView - that gives access to the detailed single volume view page
 - StorageList - that gives access to the storage list page
 - StorageView - that gives access to the single storage view page

2) Then I would propose to create a console ACL (Security -> Tab: Console
Acls) with:

 - StorageAcl - that has defined all storage resources for which you would
like to give access for the tape operator
 - CommandAcl - with commands: gui, .api, .status, .storage, delete, show,
mount, umount, label, update

3) Next I would create a new API user. Normally it can be done in (Security
-> Tab: API basic users) but during preparing this mail I found a bug in
this function. Because of that please apply a one line patch (for version
3.2.0) from attachment to file located usually here:

/usr/share/bacularis/protected/API/Modules/BaculaConfig.php

Once it is done, you can create in (Security -> Tab: API basic users) new
tape operator user and assign to it the Console Acl from point 2)

4) At the end I would create a new API host connection (Security -> Tab:
API hosts) to the API host with the tape library and Bacularis API
installed providing basic user credentials from step 3)

5) Finally I would create a new Bacularis Web user for this tape operator
(Security -> Tab: Users) with:

 - tape operator role created in point 1)
 - API host created in point 4)

6) [Extra point] To avoid modifying by the tape operator anything related
to the Bacula SD configuration, you can switch all Bacula resources for
this user to 'read-only' or 'no access' mode. It is possible to do on (API
Panel -> Basic users -> Edit: tape operator user). There you can set
"read-only" or "no access" permissions for every Bacula resource or all at
once (Resource permissions section).

That is all. You can adapt this instruction to your needs, of course,
specially this Console Acl and the permissions parts. I think it can be
also useful watching this video guide:

Bacularis - configure custom interface for selected users:
https://www.youtube.com/watch?v=9HbEh1P4b6w

Please let us know if you were able to set this account up.

Good luck!

Best regards,
Marcin Haba (gani)

On Wed, 12 Jun 2024 at 14:23, Stefan G. Weichinger  wrote:

>
> Could someone point me at a HOWTO or doc or point out a meaningful list
> of roles/permissions to assign to a bacularis user who should be able to:
>
> - list volumes
> - manage the autochanger
>
> maybe later
>
> - label volumes
>
> ?
>
> I don't want to give that employee full access, but I am a bit
> overwhelmed by the many possible "Resources" available in the
> Security-Roles-Tab.
>
> thanks
>
>
>


diff --git a/API/Modules/BaculaConfig.php b/API/Modules/BaculaConfig.php
index 7beee98..3cb2594 100644
--- a/API/Modules/BaculaConfig.php
+++ b/API/Modules/BaculaConfig.php
@@ -74,7 +74,7 @@ class BaculaConfig extends ConfigFileModule
 	 * @param bool $mode set config mode (simulate, save...)
 	 * @return array validation result, validation output and write to config result
 	 */
-	public function setConfig($component_type, array $config, $file = null, $mode = null)
+	public function setConfig($component_type, array $config, $file = null, $mode = BaculaSetting::MODE_SAVE)
 	{
 		$result = ['is_valid' => false, 'save_result' => false, 'output' => null, 'config' => []];
 		$config_content = $this->prepareConfig($config, self::CONFIG_FILE_FORMAT);
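Review bot: the docblock line `@param bool $mode set config mode (simulate, save...)` just above the changed signature does not describe the new default `BaculaSetting::MODE_SAVE`; it should give the constant's real type and state that omitting `$mode` now means save. Because the default moves from `null` to a save mode, every existing caller of `setConfig()` that leaves `$mode` out changes behaviour with this one line, so those call sites should be checked, or the mode passed explicitly at the caller that needed it, before this goes in.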


[Bacula-users] Bacularis: set of rights for tape operators

2024-06-12 Thread Stefan G. Weichinger



Could someone point me at a HOWTO or doc or point out a meaningful list 
of roles/permissions to assign to a bacularis user who should be able to:


- list volumes
- manage the autochanger

maybe later

- label volumes

?

I don't want to give that employee full access, but I am a bit 
overwhelmed by the many possible "Resources" available in the 
Security-Roles-Tab.


thanks

