Needed permissions for PVE to use a PBS datastore?

[EllerholdAG]

Hello lovely people,

Ive installed a PBS instance in our test setup and set it up.

Next was adding PBS to PVE as a new datastore. I didnt want to use the root / administrator user for this so Ive added a new user named "pve". Ive read the manual (https://pbs.proxmox.com/docs/pve-integration.html ?) but I cant find which role(s) this user needs to have for PVE to work properly.

I gave the user "DatastoreBackup" and everything worked... until today when it complained that it cant prune the backups according to my retention schedule. So I guess "DatastorePowerUser" would be better instead of "DatabaseBackup"? Are there any more permissions / role PVE needs to backup successfully to a PBS datastore?

And... can you add this to the documentation please? Thanks!

 

[l.leahu-vladucu]

Hello EllerholdAG! The permissions are explained in the User Management / Access Control chapter of the PBS manual. In your case, if you need the user to prune backups, it needs the Datastore.Prune privilege, which is covered by the DatastorePowerUser role, like you said. Whether you need more permissions depends on your use case. From what you described until now, these permissions should probably be enough.

And... can you add this to the documentation please? Thanks!

What would you like to have in addition to the existing documentation?

 

[EllerholdAG]

Thanks for this link, that does explain more of the roles and permissions. This is the same link that opens when clicking "Help" in the add permissions tab!

But I only found https://pbs.proxmox.com/docs/pve-integration.html where the whole PVE integration is explained, and there is no mention which roles are needed for this integration. I'd add a section there saying "If you just want Backups, use DatastoreBackup, if you want PVE to prune too use DatastorePowerUser" (or something like that).

 

[l.leahu-vladucu]

Glad I could help The thing is, the documentation is not meant to be a step-by-step guide on how to achieve certain tasks, but is rather meant to provide an overview over different tasks you need to do as an administrator. The reason for this is that certain tasks are complex, and creating a step-by-step guide that covers everyone's use case would make the documentation very hard to read. It's easier to read when having chapters about different subjects, so each user can read the parts they are interested in.

What we could do, though, would be to shortly remind the user about setting the required permissions and link to the documentation page I gave you, similar to what you proposed. I will send a patch adding this additional sentence

 

[EllerholdAG]

Wouldnt a step-by-step guide for the most common use cases be good though? Something like

• Install PBS on bare metal or as a VM
• Configure your datastores in PBS
• (optional) Create a namespace
• Create a user for PVE with this roles
• Go into PVE and add a datastore, select PBS put in these data
• Go into an VM or CT or the whole and add a backup plan with your new datastore (PBS)

Thats something I missed as well, because at first I had no idea to connect PVE to PBS. Thats why I googled and found the page "PVE integration".

You're right, that there are more bells and whistles everywhere, but simple links to the documentation "look here for more information" on each step would go a long way.

What I mean: if you provide a simple guide, that works on a basic level - a lot of people would do just that and be happy. Otherwise they'll google it anyway and go to other sites that provide such guide - but that may be outdated, insecure or otherwise not preferable from proxmox view of things.

Additionally: even as a "good" administrator, you want to have a starting point that works. And then you can go back and second-guess every step youve done (e. g. "Wouldnt a namespace be really good though? Is an NFS datastore a good idea or should I do something else?").

Give people a jumping board to start and branch out later. (Sorry if this translation is bad )