[New User] Namespace and Permission Level for Each Proxmox VE Host in a Cluster?

Sep 1, 2022
Hello,

I'm running a small home office Proxmox VE cluster:
  • Node 1
  • Node 2
  • Q-Device
I've also got a bare metal Proxmox Backup Server ... booting. I'm still working on setup. I'm working through the excellent documentation now, and have some questions about best practices for clusters.

I think I have a pretty good idea of what level of granularity would be good for namespaces and permissions, but I want to make sure I'm not overcomplicating things.

A couple of questions:
Is it best practice to use namespaces for each Proxmox VE node?

The demos I've looked at have been for a single PVE node backing up to a PBS server. Reading the docs, I see this in the section on Namespaces:
A datastore can host many backups, as long as the underlying storage is large enough and provides the performance required for a user's use case. However, without any hierarchy or separation, it's easy to run into naming conflicts, especially when using the same datastore for multiple Proxmox VE instances or multiple users.

So, I've created a datastore for my PVE cluster, clusterStore. I think, from reading the above, that best practice is to create a namespace for each of Node 1 and Node 2, just to avoid any potential problems later?

Are there potential negative consequences to doing that?

What permissions do I need to give a PBS account belonging to a Node so it can function properly?
That is, when I add a PBS storage to Proxmox VE and tell it to go back up to that using user BackupBob on the PBS server, what is the minimum level of permissions BackupBob needs to have in PBS?

DatastoreBackup seems like it would be enough, but does the Proxmox VE node expect to have DatastorePowerUser permissions? I suspect it might be the latter, as I can set retention policies for a backup to PBS on the Proxmox VE node itself. Unless the PVE node syncs those retention policies to the PBS server, the PVE node would need to have permission to actually do the pruning of things not to be retained.
 
Me again. I wanted to update this thread for anyone who finds this later and is in a similar state of n00b. ;)


Reviewing the excellent manual under Backup Storage --> Ransomware Protection and Recovery --> Restrictive user & Access Management, there's this, which answers my question quite neatly:

Proxmox Backup Server offers a comprehensive and fine-grained user and access management system. The Datastore.Backup privilege, for example, allows only to create, but not to delete or alter existing backups.

The best way to leverage this access control system is to:
  • Use separate API tokens for each host or Proxmox VE Cluster that should be able to back data up to a Proxmox Backup Server.
  • Configure only minimal permissions for such API tokens. They should only have a single permission that grants the DataStore access role on a very narrow ACL path that is restricted to a specific namespace on a specific datastore, for example /datastore/tank/pve-abc-cluster.
Tip
One best practice to protect against ransomware is not to grant delete permissions, but to perform backup pruning directly on Proxmox Backup Server using prune jobs.
Please note that the same also applies for sync jobs. By limiting a sync user's or an access token's right to only write backups, not delete them, compromised clients cannot delete existing backups.
 
The demos I've looked at have been for a single PVE node backing up to a PBS server. Reading the docs, I see this in the section on Namespaces:
That section is about backing up multiple clusters to a single PBS. Backup groups get mixed up if you got multiple VMs with the same VMID and will result in pruning of stuff you don't want to prune. With a single cluster this isn't a problem as then you can't use a VMID twice.

DatastoreBackup seems like it would be enough, but does the Proxmox VE node expect to have DatastorePowerUser permissions? I suspect it might be the latter, as I can set retention policies for a backup to PBS on the Proxmox VE node itself. Unless the PVE node syncs those retention policies to the PBS server, the PVE node would need to have permission to actually do the pruning of things not to be retained.
For protection against ransomware and human error you might want to add the PBS storage to your PVEs using a PBS user that is only allowed to create and restore backups. But not to delete or prune them. That way a compromised PVE or stupid PVE admin isn't able to wipe the VM storages as well as all the backups of them.
Pruning can be done by the PBS setting up a backup retention there.
 
That section is about backing up multiple clusters to a single PBS. Backup groups get mixed up if you got multiple VMs with the same VMID and will result in pruning of stuff you don't want to prune. With a single cluster this isn't a problem as then you can't use a VMID twice.

Sounds like I'm good with just the root namespace. Thanks for helping me avoid extra trouble.
It has been 0 days since I tried to overcomplicate something in my home network.
For protection against ransomware and human error you might want to add the PBS storage to your PVEs using a PBS user that is only allowed to create and restore backups. But not to delete or prune them. That way a compromised PVE or stupid PVE admin isn't able to wipe the VM storages as well as all the backups of them.
Pruning can be done by the PBS setting up a backup retention there.

Excellent. I'll study the manual on this, too. The PBS manual is excellent at describing what things do, but I needed someone who knew what they were doing to tell me what I should actually be doing. ;) Thanks!
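
The least-privilege advice in this thread (backup clients may create and restore, pruning stays on PBS) can be checked mechanically. The Python below is an added example, not code from the thread or from Proxmox: it audits ACL entries for credentials stored on backup clients and flags any that hold a role allowing pruning or deletion, or an ACL path wider than a single datastore. The `acl:<propagate>:<path>:<auth-ids>:<roles>` line layout, the token names and the sample entries are assumptions constructed for illustration.

```python
# Added example: least-privilege audit of PBS ACL entries (not Proxmox code).
# Assumed line layout: acl:<propagate>:<path>:<auth-ids>:<roles>
SAMPLE_ACL = """\
acl:1:/:root@pam:Admin
acl:1:/datastore/clusterStore:BackupBob@pbs!node1:DatastoreBackup
acl:1:/datastore/clusterStore:BackupBob@pbs!node2:DatastorePowerUser
acl:1:/datastore:sync@pbs!offsite:DatastoreBackup
"""  # constructed sample; token names node1, node2, offsite are hypothetical

# Roles that allow pruning or deleting backups, unlike DatastoreBackup.
DESTRUCTIVE_ROLES = {"Admin", "DatastoreAdmin", "DatastorePowerUser"}


def parse_acl(text):
    """Yield (path, auth_id, role) for every well-formed acl line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 5 or parts[0] != "acl":
            continue  # skip blanks, comments and malformed lines
        _, _, path, auth_ids, roles = parts
        for auth_id in auth_ids.split(","):
            for role in roles.split(","):
                yield path, auth_id.strip(), role.strip()


def audit(text, client_ids):
    """Return findings for credentials that are stored on backup clients."""
    findings = []
    for path, auth_id, role in parse_acl(text):
        if auth_id not in client_ids:
            continue
        if role in DESTRUCTIVE_ROLES:
            findings.append((auth_id, path, f"{role} can prune or delete backups"))
        segments = [s for s in path.split("/") if s]
        if len(segments) < 2 or segments[0] != "datastore":
            findings.append((auth_id, path, "ACL path is wider than one datastore"))
    return findings


if __name__ == "__main__":
    clients = {"BackupBob@pbs!node1", "BackupBob@pbs!node2", "sync@pbs!offsite"}
    for auth_id, path, reason in audit(SAMPLE_ACL, clients):
        print(f"{auth_id} on {path}: {reason}")
```
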
 
