Bareos Webui
Command ACL Requirements
The following tables show which commands are required and optional for each module of the Bareos WebUI.
Optional commands may be denied by Command ACL (Dir->Profile)
settings to limit specific functionality. If you deny a required command,
the module will not work.
Note
The commands .api, .help and use are essential commands
and should never be denied by Command ACL (Dir->Profile) settings in your
Console (Dir) or Profile (Dir) resources.
Command |
Client |
|---|---|
disable |
optional |
enable |
optional |
list |
required |
llist |
required |
status |
optional |
use |
required |
version |
required |
.api |
required |
.clients |
required |
.help |
required |
Command |
Dashboard |
|---|---|
cancel |
optional |
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
Command |
Director |
|---|---|
list |
required |
llist |
required |
status |
optional |
use |
required |
.api |
required |
.help |
required |
Command |
Fileset |
|---|---|
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
Command |
Job |
|---|---|
cancel |
optional |
disable |
optional |
enable |
optional |
list |
required |
llist |
required |
rerun |
optional |
run |
optional |
use |
required |
.api |
required |
.defaults |
required |
.filesets |
required |
.help |
required |
.jobs |
required |
.pools |
required |
.storages |
required |
Command |
Media |
|---|---|
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
Command |
Pool |
|---|---|
list |
required |
llist |
required |
use |
required |
.api |
required |
.help |
required |
Command |
Restore |
|---|---|
list |
required |
llist |
required |
restore |
optional |
use |
required |
.api |
required |
.filesets |
required |
.help |
required |
.jobs |
required |
.bvfs_lsdirs |
required |
.bvfs_lsfiles |
required |
.bvfs_update |
required |
.bvfs_get_jobids |
required |
.bvfs_versions |
required |
.bvfs_restore |
required |
Command |
Schedule |
|---|---|
disable |
optional |
enable |
optional |
list |
required |
llist |
required |
status |
optional |
show |
optional |
use |
required |
.api |
required |
.help |
required |
.schedule |
required |
Command |
Storage |
|---|---|
export |
optional |
import |
optional |
label |
optional |
list |
required |
llist |
required |
release |
optional |
status |
optional |
update |
optional |
use |
required |
.api |
required |
.help |
required |
.pools |
optional |
A complete overview of bconsole command usage in the Bareos WebUI can be found in the Developer Guide chapter “Command usage in modules and the according ACL requirements”.
Access Control Configuration
Access Control is configured in Profile (Dir),
Console (Dir) or User (Dir) resources.
Below are some example profile resources that should serve you as guidance to configure access to certain elements of the Bareos WebUI to your needs and use cases.
Full Access
No restrictions are given by Profile (Dir),
everything is allowed. This profile is included in the Bareos WebUI package.
Profile {
Name = "webui-admin"
CommandACL = *all*
JobACL = *all*
ScheduleACL = *all*
CatalogACL = *all*
PoolACL = *all*
StorageACL = *all*
ClientACL = *all*
FilesetACL = *all*
WhereACL = *all*
}
Limited Access
Users with the following profile example have limited access to various resources but they are allowed to run, rerun and cancel the jobs backup-bareos-fd and backup-example-fd.
Note
Access to depending resources for the jobs set in the
Job ACL (Dir->Profile) needs also be given by
Client ACL (Dir->Profile),
Pool ACL (Dir->Profile),
Storage ACL (Dir->Profile) and
Fileset ACL (Dir->Profile) settings.
Users of this profile are also able to do a restore from within the Bareos WebUI by having access to the RestoreFiles job resource, the required Bvfs API commands and the restore command itself.
Profile {
Name = "webui-user"
# Multiple CommandACL directives as given below are concatenated
CommandACL = .api, .help, use, version, status, show
CommandACL = list, llist
CommandACL = run, rerun, cancel, restore
CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
CommandACL = .bvfs_update, .bvfs_get_jobids, .bvfs_lsdirs, .bvfs_lsfiles
CommandACL = .bvfs_versions, .bvfs_restore, .bvfs_cleanup
JobACL = backup-bareos-fd, backup-example-fd, RestoreFiles
ScheduleACL = WeeklyCycle
CatalogACL = MyCatalog
PoolACL = Full, Differential, Incremental
StorageACL = File
ClientACL = bareos-fd, example-fd
FilesetACL = SelfTest, example-fileset
WhereACL = *all*
}
Read-Only Access
This example profile resource denies access to most of the commands and
additionally restricts access to certain other resources like
Job (Dir), Schedule (Dir),
Pool (Dir), Storage (Dir),
Client (Dir), Fileset (Dir), etc.
Users of this profile would not be able to run or restore jobs, execute volume and autochanger related operations, enable or disable resources besides other restrictions.
Profile {
Name = "webui-user-readonly-example-1"
# Deny general command access
CommandACL = !.bvfs_clear_cache, !.exit, !configure, !purge, !prune, !reload
CommandACL = !create, !update, !delete, !disable, !enable
CommandACL = !show, !status
# Deny job related command access
CommandACL = !run, !rerun, !restore, !cancel
# Deny autochanger related command access
CommandACL = !mount, !umount, !unmount, !export, !import, !move, !release, !automount
# Deny media/volume related command access
CommandACL = !add, !label, !relabel, !truncate
# Deny SQL related command access
CommandACL = !sqlquery, !query, !.sql
# Deny debugging related command access
CommandACL = !setdebug, !trace
# Deny network related command access
CommandACL = !setbandwidth, !setip, !resolve
# Allow non-excluded command access
CommandACL = *all*
# Allow access to the following job resources
Job ACL = backup-bareos-fd, RestoreFiles
# Allow access to the following schedule resources
Schedule ACL = WeeklyCycle
# Allow access to the following catalog resources
Catalog ACL = MyCatalog
# Deny access to the following pool resources
Pool ACL = !Scratch
# Allow access to non-excluded pool resources
Pool ACL = *all*
# Allow access to the following storage resources
Storage ACL = File
# Allow access to the following client resources
Client ACL = bareos-fd
# Allow access to the following filset resources
FileSet ACL = SelfTest
# Allow access to restore to any filesystem location
Where ACL = *all*
}
Alternatively the example above can be configured as following if you prefer a shorter version.
Profile {
Name = "webui-user-readonly-example-2"
# Allow access to the following commands
CommandACL = .api, .help, use, version, status
CommandACL = list, llist
CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
CommandACL = .bvfs_lsdirs, .bvfs_lsfiles, .bvfs_update, .bvfs_get_jobids, .bvfs_versions, .bvfs_restore
# Allow access to the following job resources
Job ACL = backup-bareos-fd, RestoreFiles
# Allow access to the following schedule resources
Schedule ACL = WeeklyCycle
# Allow access to the following catalog resources
Catalog ACL = MyCatalog
# Allow access to the following pool resources
Pool ACL = Full, Differential, Incremental
# Allow access to the following storage resources
Storage ACL = File
# Allow access to the following client resources
Client ACL = bareos-fd
# Allow access to the following filset resources
FileSet ACL = SelfTest
# Allow access to restore to any filesystem location
Where ACL = *all*
}
For more details, please read Profile Resource.
Restore
By default when running a restore in the Bareos WebUI the most recent version of all files from the available backups will be restored. You can change this behaviour by selecting the merge strategy and specific job selections in the fields described below. The Bareos WebUI allows you to restore multiple files or specific file versions.
Available restore parameters
Client
A list of available backup clients.
Backup jobs
A list of successful backup jobs available for the selected client.
Merge all client filesets
Determines if all available backup job filesets for the selected client should be merged into one file tree. This is helpful i.e. if multiple backup jobs with different filesets are available for the selected client. When you are just interested in a specific backup job, disable merging here and make the appropriate selection of a backup job.
Merge all related jobs to last full backup of selected backup job
By default all most recent versions of a file from your incremental, differential and full backup jobs will be merged into the file tree. If this behaviour is not desirable and instead the file tree should show the contents of a particular backup job, set the value to “No” here. Select a specific backup job afterwards to browse through the according file tree which has been backed up by that job.
Restore to client
In case you do not want to restore to the original client, you can select an alternative client here.
Restore job
Sometimes dedicated restore jobs may be required, which can be selected here.
Replace files on client
Here you can change the behaviour of how and when files should be replaced on the backup client while restoring.
always
never
if file being restored is older than existing file
if file being restored is newer than existing file
Restore location on client
If you like to restore all files to the original location then enter a single
/here but keep the settings of “Replace files on client” in mind.In case you want to use another location, simply enter the path here where you want to restore to on the selected client, for example
/tmp/bareos-restore/.
Restore multiple files
Restore a specific file version
