account for PBS cluster join

Apr 27, 2024
Got any advice on creating and configuring an account to join PBS to the PVE cluster?
I was using root@pam. We change root regularly, so that's gonna break.

I've made an API key account previously, so I've used these features before.
The /docs/user-management.html is pretty long, I scanned through it.
There's a bunch of different roles possible. Then maybe you need to grant the account access to something.

Is there a KB on this? Maybe a perfect forum post with all the answers?
 
In general I would recommend setting up a separate user with minimal permissions and using a token for that user.
You probably only need the Datastore.Backup or Datastore.Admin roles for that user/token on the datastore that should be used for backups.

Keep in mind that tokens and users have separate permissions, so if you give the user a certain role, you also have to give that role to the token as well. The token's permissions are limited by those of the corresponding user.
 
Well, thank you. Those are the things I needed to know. I was hoping to do less thinking, but I'll go puzzle through it. In particular, I hadn't planned on this token complexity. I'm not sure if that's the same thing as the API key stuff I've already explored.

- edit ... That's an information-dense post! I'm still digesting all of it.
 
You might also want to have a look at the ransomware protection section: https://pbs.proxmox.com/docs/storage.html#ransomware-protection-recovery

So using a PBS user on your PVE with limited privileges that isn't allowed to delete/prune backups and is only able to do backups and restores. So a mad admin or compromised PVE host can't wipe all backups + all the guests at the same time. Pruning could then be done by the PBS itself.
 
Ok, now I'm starting to feel dumb. I created an account on the PBS server. I gave it datastore permissions.
I've joined PBS to the PVE cluster with the new account and password. Looks good, backups work.

I could use that account and create an API key for it, but where would that be used in the process of joining the PVE cluster?
I don't see any other options when I go Datacenter > Storage > Add > Proxmox Backup Server
It just wants a login@domain and a password.

Am I actually done here? Was the API key suggestion for if I want to use the account elsewhere?

... edit ... Nope, I also had to go onto PBS and change the owner of each backup. This was the error.
ERROR: Backup of VM 303 failed - VM 303 qmp command 'backup' failed - backup connect failed: command error: backup owner check failed (backup_acct@pbs != root@pam)
 
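An added example, not from the thread or from Proxmox's own documentation, that ties the advice together on the PBS host: create the user and a token, grant the DatastoreBackup role (the reply's "Datastore.Backup") to both the user and the token since tokens do not inherit ACLs, and hand existing backup groups to the new auth-id so the owner check in the error above passes. The datastore name store1 and token name pve-token are assumptions; backup_acct@pbs is the name from the error message. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Constructed example for a PBS host (run as root). Assumed names:
#   DATASTORE=store1  USER_ID=backup_acct@pbs  TOKEN_NAME=pve-token
DATASTORE="${DATASTORE:-store1}"
USER_ID="${USER_ID:-backup_acct@pbs}"
TOKEN_NAME="${TOKEN_NAME:-pve-token}"
AUTH_ID="${USER_ID}!${TOKEN_NAME}"   # the "login" PVE expects when a token is used

# DRY_RUN=1 prints each command instead of executing it.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# 1. User + token. DatastoreBackup lets the identity write and restore its own
#    backups but not prune or delete them; pruning stays a PBS-side job.
setup_backup_identity() {
    run proxmox-backup-manager user create "$USER_ID"
    run proxmox-backup-manager user generate-token "$USER_ID" "$TOKEN_NAME"
    # Token permissions are separate from the user's: grant the role to both.
    run proxmox-backup-manager acl update "/datastore/$DATASTORE" DatastoreBackup --auth-id "$USER_ID"
    run proxmox-backup-manager acl update "/datastore/$DATASTORE" DatastoreBackup --auth-id "$AUTH_ID"
}

# 2. Groups created under another identity (root@pam in the thread) fail the
#    owner check; reassign each group (e.g. vm/303) to the new auth-id.
reassign_owner() {
    for group in "$@"; do
        run proxmox-backup-client change-owner "$group" "$AUTH_ID" --repository "root@pam@localhost:$DATASTORE"
    done
}

# 3. PVE side: login = user@realm!token, password = the token secret printed
#    by generate-token. Angle-bracket values are placeholders to fill in.
pve_storage_cmd() {
    echo "pvesm add pbs pbs-$DATASTORE --server <pbs-host> --datastore $DATASTORE --username '$AUTH_ID' --password '<token secret>' --fingerprint <pbs fingerprint>"
}

if [ "${1:-}" = "apply" ]; then setup_backup_identity; reassign_owner vm/303; fi
```

Run it as `./pbs-identity.sh apply` on the PBS host, then add the storage on PVE with the token id as the login; backups taken afterwards are owned by the token automatically.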