Warning: This document is for the development version of Bareos Documentation. The main version is bareos-23.

Bareos Webui

Command ACL Requirements

The following tables show which commands are required and optional for each module of the Bareos WebUI.

Optional commands may be denied by Command ACL (Dir->Profile) settings to limit specific functionality. If you deny a required command, the module will not work.

Note

The commands .api, .help and use are essential commands and should never be denied by Command ACL (Dir->Profile) settings in your Console (Dir) or Profile (Dir) resources.

Client Module

================  ========
Command           Client
================  ========
disable           optional
enable            optional
list              required
llist             required
status            optional
use               required
version           required
.api              required
.clients          required
.help             required
================  ========

Dashboard Module

================  =========
Command           Dashboard
================  =========
cancel            optional
list              required
llist             required
use               required
.api              required
.help             required
================  =========

Director Module

================  ========
Command           Director
================  ========
list              required
llist             required
status            optional
use               required
.api              required
.help             required
================  ========

Fileset Module

================  ========
Command           Fileset
================  ========
list              required
llist             required
use               required
.api              required
.help             required
================  ========

Job Module

================  ========
Command           Job
================  ========
cancel            optional
disable           optional
enable            optional
list              required
llist             required
rerun             optional
run               optional
use               required
.api              required
.defaults         required
.filesets         required
.help             required
.jobs             required
.pools            required
.storages         required
================  ========

Volume/Media Module

================  ========
Command           Media
================  ========
list              required
llist             required
use               required
.api              required
.help             required
================  ========

Pool Module

================  ========
Command           Pool
================  ========
list              required
llist             required
use               required
.api              required
.help             required
================  ========

Restore Module

================  ========
Command           Restore
================  ========
list              required
llist             required
restore           optional
use               required
.api              required
.filesets         required
.help             required
.jobs             required
.bvfs_lsdirs      required
.bvfs_lsfiles     required
.bvfs_update      required
.bvfs_get_jobids  required
.bvfs_versions    required
.bvfs_restore     required
================  ========

Schedule Module

================  ========
Command           Schedule
================  ========
disable           optional
enable            optional
list              required
llist             required
status            optional
show              optional
use               required
.api              required
.help             required
.schedule         required
================  ========

Storage Module

================  ========
Command           Storage
================  ========
export            optional
import            optional
label             optional
list              required
llist             required
release           optional
status            optional
update            optional
use               required
.api              required
.help             required
.pools            optional
================  ========

Analytics Module

================  =========
Command           Analytics
================  =========
list              required
llist             required
use               required
.api              required
.help             required
================  =========

A complete overview of bconsole command usage in the Bareos WebUI can be found in the Developer Guide chapter “Command usage in modules and the according ACL requirements”.

Access Control Configuration

Access Control is configured in Profile (Dir), Console (Dir) or User (Dir) resources.

The example profile resources below are guidance for configuring access to specific parts of the Bareos WebUI according to your needs and use cases.

Full Access

The Profile (Dir) resource imposes no restrictions; everything is allowed. This profile is included in the Bareos WebUI package.

Profile Resource - Administrator Access Example
Profile {
   Name = "webui-admin"
   CommandACL = *all*
   JobACL = *all*
   ScheduleACL = *all*
   CatalogACL = *all*
   PoolACL = *all*
   StorageACL = *all*
   ClientACL = *all*
   FilesetACL = *all*
   WhereACL = *all*
}

Limited Access

Users with the following profile example have limited access to various resources but they are allowed to run, rerun and cancel the jobs backup-bareos-fd and backup-example-fd.

Note

Access to the resources that the jobs listed in Job ACL (Dir->Profile) depend on must also be granted through the Client ACL (Dir->Profile), Pool ACL (Dir->Profile), Storage ACL (Dir->Profile) and File Set ACL (Dir->Profile) settings.

Users of this profile are also able to do a restore from within the Bareos WebUI by having access to the RestoreFiles job resource, the required Bvfs API commands and the restore command itself.

Profile Resource - Limited Access Example
Profile {
   Name = "webui-user"
   # Multiple CommandACL directives as given below are concatenated
   CommandACL = .api, .help, use, version, status, show
   CommandACL = list, llist
   CommandACL = run, rerun, cancel, restore
   CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
   CommandACL = .bvfs_update, .bvfs_get_jobids, .bvfs_lsdirs, .bvfs_lsfiles
   CommandACL = .bvfs_versions, .bvfs_restore, .bvfs_cleanup
   JobACL = backup-bareos-fd, backup-example-fd, RestoreFiles
   ScheduleACL = WeeklyCycle
   CatalogACL = MyCatalog
   PoolACL = Full, Differential, Incremental
   StorageACL = File
   ClientACL = bareos-fd, example-fd
   FilesetACL = SelfTest, example-fileset
   WhereACL = *all*
}

Read-Only Access

This example profile resource denies access to most of the commands and additionally restricts access to certain other resources like Job (Dir), Schedule (Dir), Pool (Dir), Storage (Dir), Client (Dir), Fileset (Dir), etc.

Users of this profile cannot run or restore jobs, execute volume and autochanger related operations, or enable and disable resources, among other restrictions.

Profile Resource - Read-Only Access Example 1
Profile {
  Name = "webui-user-readonly-example-1"

  # Deny general command access
  CommandACL = !.bvfs_clear_cache, !.exit, !configure, !purge, !prune, !reload
  CommandACL = !create, !update, !delete, !disable, !enable
  CommandACL = !show, !status

  # Deny job related command access
  CommandACL = !run, !rerun, !restore, !cancel

  # Deny autochanger related command access
  CommandACL = !mount, !umount, !unmount, !export, !import, !move, !release, !automount

  # Deny media/volume related command access
  CommandACL = !add, !label, !relabel, !truncate

  # Deny SQL related command access
  CommandACL = !sqlquery, !query, !.sql

  # Deny debugging related command access
  CommandACL = !setdebug, !trace

  # Deny network related command access
  CommandACL = !setbandwidth, !setip, !resolve

  # Allow non-excluded command access
  CommandACL = *all*

  # Allow access to the following job resources
  Job ACL = backup-bareos-fd, RestoreFiles

  # Allow access to the following schedule resources
  Schedule ACL = WeeklyCycle

  # Allow access to the following catalog resources
  Catalog ACL = MyCatalog

  # Deny access to the following pool resources
  Pool ACL = !Scratch

  # Allow access to non-excluded pool resources
  Pool ACL = *all*

  # Allow access to the following storage resources
  Storage ACL = File

  # Allow access to the following client resources
  Client ACL = bareos-fd

  # Allow access to the following fileset resources
  FileSet ACL = SelfTest

  # Allow access to restore to any filesystem location
  Where ACL = *all*
}

Alternatively, the example above can be configured as follows if you prefer a shorter version.

Profile Resource - Read-Only Access Example 2
Profile {
  Name = "webui-user-readonly-example-2"

  # Allow access to the following commands
  CommandACL = .api, .help, use, version, status
  CommandACL = list, llist
  CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
  CommandACL = .bvfs_lsdirs, .bvfs_lsfiles, .bvfs_update, .bvfs_get_jobids, .bvfs_versions, .bvfs_restore

  # Allow access to the following job resources
  Job ACL = backup-bareos-fd, RestoreFiles

  # Allow access to the following schedule resources
  Schedule ACL = WeeklyCycle

  # Allow access to the following catalog resources
  Catalog ACL = MyCatalog

  # Allow access to the following pool resources
  Pool ACL = Full, Differential, Incremental

  # Allow access to the following storage resources
  Storage ACL = File

  # Allow access to the following client resources
  Client ACL = bareos-fd

  # Allow access to the following fileset resources
  FileSet ACL = SelfTest

  # Allow access to restore to any filesystem location
  Where ACL = *all*
}

For more details, please read Profile Resource.
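
The following added example (not part of the Bareos documentation or code base) checks a Profile's CommandACL against the required commands from the module tables above and reports which WebUI modules would stop working. It assumes entries are evaluated in order with the first match winning, as the deny-then-`*all*` layout of Read-Only Example 1 relies on, and compares names exactly without modelling regular expressions; the function names and the sample profile are constructed for illustration.

```python
import re

# Required commands per WebUI module, copied from the tables on this page.
BASE = {"list", "llist", "use", ".api", ".help"}
BVFS = {".bvfs_lsdirs", ".bvfs_lsfiles", ".bvfs_update",
        ".bvfs_get_jobids", ".bvfs_versions", ".bvfs_restore"}
REQUIRED = {
    "Client": BASE | {"version", ".clients"},
    "Dashboard": BASE, "Director": BASE, "Fileset": BASE,
    "Job": BASE | {".defaults", ".filesets", ".jobs", ".pools", ".storages"},
    "Media": BASE, "Pool": BASE,
    "Restore": BASE | BVFS | {".filesets", ".jobs"},
    "Schedule": BASE | {".schedule"},
    "Storage": BASE, "Analytics": BASE,
}

def command_acl(profile_text):
    """Return all CommandACL entries in file order (directives concatenate)."""
    entries = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = re.match(r"\s*Command\s*ACL\s*=\s*(.+)", line, re.IGNORECASE)
        if m:
            entries += [e.strip() for e in m.group(1).split(",") if e.strip()]
    return entries

def is_allowed(command, acl):
    """Assumed semantics: first matching entry wins, no match means deny."""
    for entry in acl:
        if entry.startswith("!"):
            if entry[1:] == command:
                return False
        elif entry in ("*all*", command):
            return True
    return False

def broken_modules(profile_text):
    """Map each module that would stop working to its missing required commands."""
    acl = command_acl(profile_text)
    missing = {m: sorted(c for c in req if not is_allowed(c, acl))
               for m, req in REQUIRED.items()}
    return {m: cmds for m, cmds in missing.items() if cmds}

# Constructed sample: a too-tight profile, not one of the page's examples.
SAMPLE = """Profile {
  CommandACL = !version, !.schedule
  CommandACL = *all*
}"""
```

Under the stated assumption, a `*all*` entry placed before the `!` entries would match first and the denials after it would never be reached, so the deny entries have to precede it.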

Restore

By default, a restore started in the Bareos WebUI restores the most recent version of all files from the available backups. You can change this behaviour by selecting the merge strategy and specific job selections in the fields described below. The Bareos WebUI allows you to restore multiple files or specific file versions.

Available restore parameters

[Image: bareos-webui-restore-0.png]

Client

A list of available backup clients.

Backup jobs

A list of successful backup jobs available for the selected client.

Merge all client filesets

Determines whether all available backup job filesets for the selected client are merged into one file tree. This is helpful, for example, if multiple backup jobs with different filesets are available for the selected client. If you are only interested in a specific backup job, disable merging here and select that backup job.

Merge all related jobs to last full backup of selected backup job

By default, the most recent versions of each file from your incremental, differential and full backup jobs are merged into the file tree. If this behaviour is not desirable and the file tree should instead show the contents of a particular backup job, set the value to “No” here. Then select a specific backup job to browse the file tree that was backed up by that job.

Restore to client

In case you do not want to restore to the original client, you can select an alternative client here.

Restore job

Sometimes dedicated restore jobs may be required, which can be selected here.

Replace files on client

Here you can change the behaviour of how and when files should be replaced on the backup client while restoring.

  • always

  • never

  • if file being restored is older than existing file

  • if file being restored is newer than existing file

Restore location on client

If you want to restore all files to their original location, enter a single / here, but keep the “Replace files on client” setting in mind.

To use another location, enter the path on the selected client where you want to restore to, for example /tmp/bareos-restore/.

Restore multiple files

[Image: bareos-webui-restore-1.png]

Restore a specific file version

[Image: bareos-webui-restore-2.png]

Limitations

Note

Restoring NDMP backups is currently not supported by Bareos WebUI. Please use the bconsole instead.