Warning: This document is for the development version of Bareos Documentation.

Bareos Webui

Command ACL Requirements

The following tables show which commands are required and optional for each module of the Bareos WebUI.

Optional commands may be denied by Command ACL (Dir->Profile) settings to limit specific functionality. If you deny a required command, the module will not work.

Note

The commands .api, .help and use are essential commands and should never be denied by Command ACL (Dir->Profile) settings in your Console (Dir) or Profile (Dir) resources.

Client Module
Command Client
disable optional
enable optional
list required
llist required
status optional
use required
version required
.api required
.clients required
.help required
Dashboard Module
Command Dashboard
cancel optional
list required
llist required
use required
.api required
.help required
Director Module
Command Director
list required
llist required
status optional
use required
.api required
.help required
Fileset Module
Command Fileset
list required
llist required
use required
.api required
.help required
Job Module
Command Job
cancel optional
disable optional
enable optional
list required
llist required
rerun optional
run optional
use required
.api required
.defaults required
.filesets required
.help required
.jobs required
.pools required
.storages required
Volume/Media Module
Command Media
list required
llist required
use required
.api required
.help required
Pool Module
Command Pool
list required
llist required
use required
.api required
.help required
Restore Module
Command Restore
list required
llist required
restore optional
use required
.api required
.filesets required
.help required
.jobs required
.bvfs_lsdirs required
.bvfs_lsfiles required
.bvfs_update required
.bvfs_get_jobids required
.bvfs_versions required
.bvfs_restore required
Schedule Module
Command Schedule
disable optional
enable optional
list required
llist required
status optional
show optional
use required
.api required
.help required
.schedule required
Storage Module
Command Storage
export optional
import optional
label optional
list required
llist required
release optional
status optional
update optional
use required
.api required
.help required
.pools optional

A complete overview of bconsole command usage in the Bareos WebUI can be found in the Developer Guide chapter “Command usage in modules and the according ACL requirements”.

Access Control Configuration

Access Control is configured in Profile (Dir), Console (Dir) or User (Dir) resources.

Below are some example profile resources that should serve you as guidance to configure access to certain elements of the Bareos WebUI to your needs and use cases.

Full Access

No restrictions are given by Profile (Dir), everything is allowed. This profile is included in the Bareos WebUI package.

Profile Resource - Administrator Access Example
Profile {
   Name = "webui-admin"
   CommandACL = *all*
   JobACL = *all*
   ScheduleACL = *all*
   CatalogACL = *all*
   PoolACL = *all*
   StorageACL = *all*
   ClientACL = *all*
   FilesetACL = *all*
   WhereACL = *all*
}

Limited Access

Users with the following profile example have limited access to various resources but they are allowed to run, rerun and cancel the jobs backup-bareos-fd and backup-example-fd.

Note

Access to depending resources for the jobs set in the Job ACL (Dir->Profile) needs also be given by Client ACL (Dir->Profile), Pool ACL (Dir->Profile), Storage ACL (Dir->Profile) and Fileset ACL (Dir->Profile) settings.

Users of this profile are also able to do a restore from within the Bareos WebUI by having access to the RestoreFiles job resource, the required Bvfs API commands and the restore command itself.

Profile Resource - Limited Access Example
Profile {
   Name = "webui-user"
   # Multiple CommandACL directives as given below are concatenated
   CommandACL = .api, .help, use, version, status, show
   CommandACL = list, llist
   CommandACL = run, rerun, cancel, restore
   CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
   CommandACL = .bvfs_update, .bvfs_get_jobids, .bvfs_lsdirs, .bvfs_lsfiles
   CommandACL = .bvfs_versions, .bvfs_restore, .bvfs_cleanup
   JobACL = backup-bareos-fd, backup-example-fd, RestoreFiles
   ScheduleACL = WeeklyCycle
   CatalogACL = MyCatalog
   PoolACL = Full, Differential, Incremental
   StorageACL = File
   ClientACL = bareos-fd, example-fd
   FilesetACL = SelfTest, example-fileset
   WhereACL = *all*
}

Read-Only Access

This example profile resource denies access to most of the commands and additionally restricts access to certain other resources like Job (Dir), Schedule (Dir), Pool (Dir), Storage (Dir), Client (Dir), Fileset (Dir), etc.

Users of this profile would not be able to run or restore jobs, execute volume and autochanger related operations, enable or disable resources besides other restrictions.

Profile Resource - Read-Only Access Example 1
Profile {
  Name = "webui-user-readonly-example-1"

  # Deny general command access
  CommandACL = !.bvfs_clear_cache, !.exit, !configure, !purge, !prune, !reload
  CommandACL = !create, !update, !delete, !disable, !enable
  CommandACL = !show, !status

  # Deny job related command access
  CommandACL = !run, !rerun, !restore, !cancel

  # Deny autochanger related command access
  CommandACL = !mount, !umount, !unmount, !export, !import, !move, !release, !automount

  # Deny media/volume related command access
  CommandACL = !add, !label, !relabel, !truncate

  # Deny SQL related command access
  CommandACL = !sqlquery, !query, !.sql

  # Deny debugging related command access
  CommandACL = !setdebug, !trace

  # Deny network related command access
  CommandACL = !setbandwidth, !setip, !resolve

  # Allow non-excluded command access
  CommandACL = *all*

  # Allow access to the following job resources
  Job ACL = backup-bareos-fd, RestoreFiles

  # Allow access to the following schedule resources
  Schedule ACL = WeeklyCycle

  # Allow access to the following catalog resources
  Catalog ACL = MyCatalog

  # Deny access to the following pool resources
  Pool ACL = !Scratch

  # Allow access to non-excluded pool resources
  Pool ACL = *all*

  # Allow access to the following storage resources
  Storage ACL = File

  # Allow access to the following client resources
  Client ACL = bareos-fd

  # Allow access to the following filset resources
  FileSet ACL = SelfTest

  # Allow access to restore to any filesystem location
  Where ACL = *all*
}

Alternatively the example above can be configured as following if you prefer a shorter version.

Profile Resource - Read-Only Access Example 2
Profile {
  Name = "webui-user-readonly-example-2"

  # Allow access to the following commands
  CommandACL = .api, .help, use, version, status
  CommandACL = list, llist
  CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
  CommandACL = .bvfs_lsdirs, .bvfs_lsfiles, .bvfs_update, .bvfs_get_jobids, .bvfs_versions, .bvfs_restore

  # Allow access to the following job resources
  Job ACL = backup-bareos-fd, RestoreFiles

  # Allow access to the following schedule resources
  Schedule ACL = WeeklyCycle

  # Allow access to the following catalog resources
  Catalog ACL = MyCatalog

  # Allow access to the following  pool resources
  Pool ACL = Full, Differential, Incremental

  # Allow access to the following storage resources
  Storage ACL = File

  # Allow access to the following client resources
  Client ACL = bareos-fd

  # Allow access to the following filset resources
  FileSet ACL = SelfTest

  # Allow access to restore to any filesystem location
  Where ACL = *all*
}

For more details, please read Profile Resource.

Restore

By default when running a restore in the Bareos WebUI the most recent version of all files from the available backups will be restored. You can change this behaviour by selecting the merge strategy and specific job selections in the fields described below. The Bareos WebUI allows you to restore multiple files or specific file versions.

Available restore parameters

../_images/bareos-webui-restore-0.png

Client

A list of available backup clients.

Backup jobs

A list of successful backup jobs available for the selected client.

Merge all client filesets

Determines if all available backup job filesets for the selected client should be merged into one file tree. This is helpful i.e. if multiple backup jobs with different filesets are available for the selected client. When you are just interested in a specific backup job, disable merging here and make the appropriate selection of a backup job.

Merge all related jobs to last full backup of selected backup job

By default all most recent versions of a file from your incremental, differential and full backup jobs will be merged into the file tree. If this behaviour is not desirable and instead the file tree should show the contents of a particular backup job, set the value to “No” here. Select a specific backup job afterwards to browse through the according file tree which has been backed up by that job.

Restore to client

In case you do not want to restore to the original client, you can select an alternative client here.

Restore job

Sometimes dedicated restore jobs may be required, which can be selected here.

Replace files on client

Here you can change the behaviour of how and when files should be replaced on the backup client while restoring.

  • always
  • never
  • if file being restored is older than existing file
  • if file being restored is newer than existing file

Restore location on client

If you like to restore all files to the original location then enter a single / here but keep the settings of “Replace files on client” in mind.

In case you want to use another location, simply enter the path here where you want to restore to on the selected client, for example /tmp/bareos-restore/.

Restore multiple files

../_images/bareos-webui-restore-1.png

Restore a specific file version

../_images/bareos-webui-restore-2.png