account for PBS cluster join

tcabernoch

Apr 27, 2024
Got any advice on creating and configuring an account to join PBS to the PVE cluster?
I was using root@pam. We change root regularly, so that's gonna break.

I've made an API key account previously, so I've used these features before.
The /docs/user-management.html is pretty long, I scanned through it.
There's a bunch of different roles possible. Then maybe you need to grant the account access to something.

Is there a KB on this? Maybe a perfect forum post with all the answers?
 
In general I would recommend setting up a separate user with minimal permissions and using a token for that user.
You probably only need the Datastore.Backup or Datastore.Admin roles for that user/token on the datastore that should be used for backups.

Keep in mind that tokens and users have separate permissions, so if you give the user a certain role, you also have to give that role to the token as well. The token's permissions are limited by those of the corresponding user.
 
Well, thank you. Those are the things I needed to know. I was hoping to do less thinking, but I'll go puzzle through it. In particular, I hadn't planned on this token complexity. I'm not sure if that's the same thing as the API key stuff I've already explored.

- edit ... That's an information-dense post! I'm still digesting all of it.
 
You might also want to have a look at the ransomware protection section: https://pbs.proxmox.com/docs/storage.html#ransomware-protection-recovery

So using a PBS user on your PVE with limited privileges that isn't allowed to delete/prune backups and is only able to do backups and restores. So a mad admin or compromised PVE host can't wipe all backups + all the guests at the same time. Pruning could then be done by the PBS itself.
 
Ok, now I'm starting to feel dumb. I created an account on the PBS server. I gave it datastore permissions.
I've joined PBS to the PVE cluster with the new account and password. Looks good, backups work.

I could use that account and create an API key for it, but where would that be used in the process of joining the PVE cluster?
I don't see any other options when I go Datacenter > Storage > Add > Proxmox Backup Server
It just wants a login@domain and a password.

Am I actually done here? Was the API key suggestion for if I want to use the account elsewhere?

... edit ... Nope, I also had to go onto PBS and change the owner of each backup. This was the error.
ERROR: Backup of VM 303 failed - VM 303 qmp command 'backup' failed - backup connect failed: command error: backup owner check failed (backup_acct@pbs != root@pam)
 
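Putting the advice in this thread together, as an added example that is not from any post here and not Proxmox's own code: the account, token and ACL commands on the PBS side, the matching storage entry on the PVE side, and the owner change for groups that root@pam already created. Names are placeholders to replace with your own: datastore store1, user backup_acct@pbs (taken from the error above), token name pve, PVE storage id pbs-store, host pbs.example.org; the token-secret and fingerprint arguments are placeholders too. DatastoreBackup is used because it allows backup and restore but no pruning, which is the ransomware-protection point made above; retention is then handled by a prune job on PBS. One assumption to check against your PBS version: existing groups are reassigned to the token id rather than the plain user, on the reading that a token writing into a group owned by a different auth id fails the same owner check shown in the error.

```shell
#!/bin/sh
# Added example, not from the thread and not Proxmox's own code.
# Assumed placeholder names (replace with yours): datastore "store1",
# user "backup_acct@pbs", token name "pve", PVE storage id "pbs-store",
# PBS host "pbs.example.org".
# A command runs only when its Proxmox tool is installed and DRY_RUN is
# unset; otherwise the exact command line is printed for review.

PBS_DATASTORE="${PBS_DATASTORE:-store1}"
PBS_USER="${PBS_USER:-backup_acct@pbs}"
PBS_TOKEN_NAME="${PBS_TOKEN_NAME:-pve}"
PBS_TOKEN_ID="${PBS_USER}!${PBS_TOKEN_NAME}"
PBS_HOST="${PBS_HOST:-pbs.example.org}"
PVE_STORAGE="${PVE_STORAGE:-pbs-store}"

# run_or_show CMD ARGS...: execute CMD, or print the command line.
run_or_show() {
  if [ -z "$DRY_RUN" ] && command -v "$1" >/dev/null 2>&1; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# On PBS: the account, a token for it, and the same role on both, because
# the token's rights are capped by the user's rights. A user created
# without --password cannot log in with a password; add --password if the
# account must also work for a password login as in the thread.
# DatastoreBackup = backup and restore, no pruning: a compromised PVE host
# cannot delete what it has written. Prune with a job on PBS instead.
pbs_setup() {
  run_or_show proxmox-backup-manager user create "$PBS_USER"
  run_or_show proxmox-backup-manager user generate-token "$PBS_USER" "$PBS_TOKEN_NAME"
  run_or_show proxmox-backup-manager acl update "/datastore/$PBS_DATASTORE" DatastoreBackup --auth-id "$PBS_USER"
  run_or_show proxmox-backup-manager acl update "/datastore/$PBS_DATASTORE" DatastoreBackup --auth-id "$PBS_TOKEN_ID"
}

# On PVE: the storage entry. Username is the full token id, password is the
# secret printed by generate-token (shown only in dry-run mode, so do not
# log that output), and the PBS TLS fingerprint is pinned.
pve_add_storage() {
  secret="$1"
  fingerprint="$2"
  run_or_show pvesm add pbs "$PVE_STORAGE" --server "$PBS_HOST" --datastore "$PBS_DATASTORE" \
    --username "$PBS_TOKEN_ID" --password "$secret" --fingerprint "$fingerprint"
}

# On PBS: groups already written by root@pam are owned by root@pam, and a
# backup from another auth id fails the owner check ("backup owner check
# failed"). Reassign each group (vm/303, ct/101, ...) to the token id
# (assumption: the token, not the bare user, must own the group).
pbs_fix_owner() {
  for group in "$@"; do
    run_or_show proxmox-backup-client change-owner "$group" "$PBS_TOKEN_ID" \
      --repository "root@pam@localhost:$PBS_DATASTORE"
  done
}

case "${1:-plan}" in
  plan)  DRY_RUN=1
         pbs_setup
         pve_add_storage '<token-secret>' '<pbs-fingerprint>'
         pbs_fix_owner vm/303 ;;
  pbs)   pbs_setup ;;
  pve)   pve_add_storage "$2" "$3" ;;
  owner) shift; pbs_fix_owner "$@" ;;
  *)     echo "usage: $0 [plan|pbs|pve <secret> <fingerprint>|owner <group>...]" >&2 ;;
esac
```

Run it without arguments on any machine to print the plan; then `sh pbs-account.sh pbs` on the PBS host, `sh pbs-account.sh pve <token-secret> <fingerprint>` on a PVE node (the fingerprint comes from `proxmox-backup-manager cert info` on PBS), and `sh pbs-account.sh owner vm/303 ct/101 ...` on PBS once per existing group. With DatastoreBackup the PVE-side "prune backups" setting on that storage will be refused, which is the intended effect; configure the prune job in the PBS datastore instead.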