Hello Stefan,
Thanks for your question. It showed me that it might be good to
add descriptions for the resources available for each role and probably a
new section in the documentation that describes it.
For the question about setting access for the tape operator, I assume that
you have the tape library already configured with Bacularis. Setting this
access for that user can be done in various ways. Below I described the
most detailed manual way (without using wizards) that enables to set most
options and tune access exactly to what needed.
So, the steps are following:
1) I would propose to create a new role for the tape operator with the
following resources assigned (Security -> Tab: Roles):
- VolumeList - that gives access to the volume list page
- VolumeView - that gives access to the detailed single volume view page
- StorageList - that gives access to the storage list page
- StorageView - that gives access to the single storage view page
2) Then I would propose to create a console ACL (Security -> Tab: Console
Acls) with:
- StorageAcl - that has defined all storage resources for which you would
like to give access for the tape operator
- CommandAcl - with commands: gui, .api, .status, .storage, delete, show,
mount, umount, label, update
3) Next I would create a new API user. Normally it can be done in (Security
-> Tab: API basic users) but during preparing this mail I found a bug in
this function. Because of that please apply a one line patch (for version
3.2.0) from attachment to file located usually here:
/usr/share/bacularis/protected/API/Modules/BaculaConfig.php
Once it is done, you can create in (Security -> Tab: API basic users) new
tape operator user and assign to it the Console Acl from point 2)
4) At the end I would create a new API host connection (Security -> Tab:
API hosts) to the API host with the tape library and Bacularis API
installed providing basic user credentials from step 3)
5) Finally I would create a new Bacularis Web user for this tape operator
(Security -> Tab: Users) with:
- tape operator role created in point 1)
- API host created in point 4)
6) [Extra point] To avoid modifying by the tape operator anything related
to the Bacula SD configuration, you can switch all Bacula resources for
this user to 'read-only' or 'no access' mode. It is possible to do on (API
Panel -> Basic users -> Edit: tape operator user). There you can set
"read-only" or "no access" permissions for every Bacula resource or all at
once (Resource permissions section).
That is all. You can adapt this instruction to your needs, of course,
specially this Console Acl and the permissions parts. I think it can be
also useful watching this video guide:
Bacularis - configure custom interface for selected users:
https://www.youtube.com/watch?v=9HbEh1P4b6w
Please let us know if you were able to set this account up.
Good luck!
Best regards,
Marcin Haba (gani)
On Wed, 12 Jun 2024 at 14:23, Stefan G. Weichinger <li...@xunil.at> wrote:
>
> Could someone point me at a HOWTO or doc or point out a meaningful list
> of roles/permissions to assign to a bacularis user who should be able to:
>
> - list volumes
> - manage the autochanger
>
> maybe later
>
> - label volumes
>
> ?
>
> I don't want to give that employee full access, but I am a bit
> overwhelmed by the many possible "Resources" available in the
> Security-Roles-Tab.
>
> thanks
>
>
> _______________________________________________
> Bacula-users mailing list
> Bacula-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
--
"Greater love hath no man than this, that a man lay down his life for
his friends." Jesus Christ
"Większej miłości nikt nie ma nad tę, jak gdy kto życie swoje kładzie
za przyjaciół swoich." Jezus Chrystus
diff --git a/API/Modules/BaculaConfig.php b/API/Modules/BaculaConfig.php
index 7beee98..3cb2594 100644
--- a/API/Modules/BaculaConfig.php
+++ b/API/Modules/BaculaConfig.php
@@ -74,7 +74,7 @@ class BaculaConfig extends ConfigFileModule
* @param bool $mode set config mode (simulate, save...)
* @return array validation result, validation output and write to config result
*/
- public function setConfig($component_type, array $config, $file = null, $mode = null)
+ public function setConfig($component_type, array $config, $file = null, $mode = BaculaSetting::MODE_SAVE)
{
$result = ['is_valid' => false, 'save_result' => false, 'output' => null, 'config' => []];
$config_content = $this->prepareConfig($config, self::CONFIG_FILE_FORMAT);
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
