On Thu, 13 Jun 2024 at 10:02, Stefan G. Weichinger <li...@xunil.at> wrote:
> Am 12.06.24 um 17:09 schrieb Marcin Haba: > > Hello Stefan, > > > > Thanks for your question. It showed me that it might be good to > > add descriptions for the resources available for each role and probably > > a new section in the documentation that describes it. > > > > For the question about setting access for the tape operator, I assume > > that you have the tape library already configured with Bacularis. > > Setting this access for that user can be done in various ways. Below I > > described the most detailed manual way (without using wizards) that > > enables to set most options and tune access exactly to what needed. > > At first: thank you for the quick and detailed reply! Going through > right now. > > > So, the steps are following: > > > > 1) I would propose to create a new role for the tape operator with the > > following resources assigned (Security -> Tab: Roles): > > > > - VolumeList - that gives access to the volume list page > > - VolumeView - that gives access to the detailed single volume view > page > > - StorageList - that gives access to the storage list page > > - StorageView - that gives access to the single storage view page > > > > 2) Then I would propose to create a console ACL (Security -> Tab: > > Console Acls) with: > > > > - StorageAcl - that has defined all storage resources for which you > > would like to give access for the tape operator > > - CommandAcl - with commands: gui, .api, .status, .storage, delete, > > show, mount, umount, label, update > > > > 3) Next I would create a new API user. Normally it can be done in > > (Security -> Tab: API basic users) but during preparing this mail I > > found a bug in this function. Because of that please apply a one line > > patch (for version 3.2.0) from attachment to file located usually here: > > > > /usr/share/bacularis/protected/API/Modules/BaculaConfig.php > > > > Once it is done, you can create in (Security -> Tab: API basic users) > > new tape operator user and assign to it the Console Acl from point 2) > Hello Stefan, Thanks for feedback from your tries. I don't see how to assign the ACL to that user, sry > In the create API basic user window there is an option with label: "Create dedicated Bconsole config file" When you check this checkbox, you will see the Console ACL and Director to select. It is exactly this option and this select to choose Console ACL. > 4) At the end I would create a new API host connection (Security -> Tab: > > API hosts) to the API host with the tape library and Bacularis API > > installed providing basic user credentials from step 3) > > > > 5) Finally I would create a new Bacularis Web user for this tape > > operator (Security -> Tab: Users) with: > > > > - tape operator role created in point 1) > > - API host created in point 4) > > > > 6) [Extra point] To avoid modifying by the tape operator anything > > related to the Bacula SD configuration, you can switch all Bacula > > resources for this user to 'read-only' or 'no access' mode. It is > > possible to do on (API Panel -> Basic users -> Edit: tape operator > > user). There you can set "read-only" or "no access" permissions for > > every Bacula resource or all at once (Resource permissions section). > > > looks promising. That user sees STorage and Volumes, although currently > it sees both "File" and "Tape" volumes ... both pools, both storages. > > That isn't a problem for me, it's just missing, maybe because I skipped > 6) and 3) isn't fully done. (patch applied, yes) > Yes, if the Console ACL will be assigned, then the user will see only storage resources allowed by the Console ACL. For volumes, it isn't part of Console ACLs, so they are listed all. > > The user is able to "Update slots", nice .. this is important if he > swaps tapes etc > > Ah, that leads me to another newbie question: > > with amanda there was a command that showed me which tapes from which > pool were to be inserted next. So amanda checked retention times etc etc > and asked for the next tapes to be overwritten. I haven't yet seen or > understood if Bacula is also able to provide me or the tape operator > with a list of tapes to be inserted (or even which ones to take out of > the library). > > So far I look for "Full" tapes and remove them etc > I am not sure if I understand this question. What type of inserting do you have on mind? Is it a list of volumes that will be used in backups or something else? hints welcome > > Thanks so far, in an hour I show the tape op around Bacularis for the > first time :-) > Good luck with it :-) Best regards, Marcin Haba (gani) -- "Greater love hath no man than this, that a man lay down his life for his friends." Jesus Christ "Większej miłości nikt nie ma nad tę, jak gdy kto życie swoje kładzie za przyjaciół swoich." Jezus Chrystus
_______________________________________________ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
