Permission read-only access to backups (PBS)?

Nov 22, 2020
Hi,

I want to give read only access to backups (mainly for "file restore") to one of our users so I added Datastore.Audit on the PBS storage for this user but it was not enough: empty backup list for the user.

I had to add Datastore.AllocateSpace which is a write permission (allows the user to create a backup) in order for my user to see the backup list and use file restore.

Did I miss a permission that allows a user to use backups in a read-only fashion?
 
I want to give read only access to backups (mainly for "file restore") to one of our users so I added Datastore.Audit on the PBS storage for this user but it was not enough: empty backup list for the user.
Datastore.Audit is enough. Just tested that here and it works as expected.

I had to add Datastore.AllocateSpace which is a write permission (allows the user to create a backup) in order for my user to see the backup list and use file restore.

Did I miss a permission that allows a user to use backups in a read-only fashion?
Just use role DatastoreReader (Audit+Verify+Read)
 
Datastore.Audit is enough. Just tested that here and it works as expected.


Just use role DatastoreReader (Audit+Verify+Read)

Hmm, maybe this is due to PVE/PBS versions:

On PVE 6.4-9 I have /etc/pve/user.cfg with:

Code:
user:mytestuser1@pve:1:0::::::
role:PVEDatastoreAuditor:Datastore.Audit:
acl:1:/storage/backup1:mytestuser1@pve:PVEDatastoreAuditor,PVEVMUser:
acl:1:/vms/195:mytestuser1@pve:PVEVMUser:

And in datacenter/node1/195/Backup, when logged in as mytestuser1, I see the "Backup" button as active but it gives an error "Permission check failed (/storage/backup1, Datastore.AllocateSpace) (403)" when clicked (seems ok); all other buttons (restore/file restore/etc.) are grey, and there is no list of backups shown at all.

backup1 is running PBS 1.1-13

Then when I add Datastore.AllocateSpace to my defined PVEDatastoreAuditor role the user sees the list of backups, can click on one and do a file restore (but "Backup" works).
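To make the privilege check concrete, here is an added Python example (not part of this thread and not Proxmox code) that parses the user.cfg lines quoted above and reports which of the two privileges the thread identifies (Datastore.Audit and Datastore.AllocateSpace) the user still lacks on /storage/backup1. The built-in PVEVMUser privilege list and the simplified path-propagation rule are assumptions.

```python
"""Resolve effective PVE privileges from /etc/pve/user.cfg lines."""

# Constructed copy of the user.cfg lines quoted in the post above.
USER_CFG = """\
user:mytestuser1@pve:1:0::::::
role:PVEDatastoreAuditor:Datastore.Audit:
acl:1:/storage/backup1:mytestuser1@pve:PVEDatastoreAuditor,PVEVMUser:
acl:1:/vms/195:mytestuser1@pve:PVEVMUser:
"""
# The role line after the change described in the post (constructed).
FIXED_CFG = USER_CFG.replace(
    "role:PVEDatastoreAuditor:Datastore.Audit:",
    "role:PVEDatastoreAuditor:Datastore.Audit,Datastore.AllocateSpace:")
# Built-in roles are not stored in user.cfg; this entry is an assumption.
BUILTIN_ROLES = {
    "PVEVMUser": {"VM.Audit", "VM.Backup", "VM.Config.CDROM", "VM.Console",
                  "VM.PowerMgmt", "VM.Snapshot", "VM.Snapshot.Rollback"},
}
# Privileges the thread identifies as needed for the PVE backup list.
NEEDED_FOR_BACKUP_LIST = {"Datastore.Audit", "Datastore.AllocateSpace"}


def parse_user_cfg(text):
    """Return (roles, acls): role name -> privs, and (propagate, path, who, roles)."""
    roles = {k: set(v) for k, v in BUILTIN_ROLES.items()}
    acls = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "role":
            roles[f[1]] = set(p for p in f[2].split(",") if p)
        elif f[0] == "acl":
            who = set(u for u in f[3].split(",") if u)
            names = [r for r in f[4].split(",") if r]
            acls.append((f[1] == "1", f[2], who, names))
    return roles, acls


def effective_privs(roles, acls, user, path):
    """Union of privileges from ACLs on `path` or, if propagating, above it.
    Simplified: real PVE lets the most specific matching path win."""
    privs = set()
    for propagate, acl_path, who, names in acls:
        below = propagate and path.startswith(acl_path.rstrip("/") + "/")
        if user in who and (path == acl_path or below):
            for name in names:
                privs |= roles.get(name, set())
    return privs


def missing_for_backup_list(cfg_text, user, path):
    """Which of the two privileges the user still lacks on `path`."""
    roles, acls = parse_user_cfg(cfg_text)
    return sorted(NEEDED_FOR_BACKUP_LIST - effective_privs(roles, acls, user, path))
```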
 
I talked about the PBS user (the user on PBS server side) ...
Both users (PVE and PBS) need to be able to read the backup...
 
Then when I add Datastore.AllocateSpace to my defined PVEDatastoreAuditor role the user sees the list of backups, can click on one and do a file restore (but "Backup" works).
You currently need that to see the backups. PVE only lists backups if you have permissions to make backups.

But you can restrict access with the configured PBS user (on the PBS side).
 
There is only the root@pam user on our PBS server, our PVE cluster has access to it via PVE root@pam datacenter / storage / add PBS where we provided once the root@pam credentials of our PBS server.

The nightly backups are scheduled by PVE root@pam user via datacenter / backup / add job.

If I understand your comments correctly, it is not currently possible in this situation to give read only access to those root@pam PVE/PBS nightly backups to a PVE user.

PVE only lists backups if you have permissions to make backups.

Do you know if there's a reason for PVE to not show the list of backups to a user with datastore.auditor permission on the PBS? Or is it just an oversight?

It's not a big deal for us to give the right to our user to launch a backup (given that PBS is really efficient at it), but we'd like to understand if we did something wrong in our PVE to PBS setup.

Our goal is to always have backups, so we enforce this as root PVE administrators with the global nightly backup job covering all VMs, and an additional goal is for our user with rights to a particular VM to be able to "self help" with PVE File Restore in case they did something wrong, without having to ask root PVE administrators for restoring the file they want.

Thanks again for your help.
 
There is only the root@pam user on our PBS server,
But you can create many ...

Do you know if there's a reason for PVE to not show the list of backups to a user with datastore.auditor permission on the PBS? Or is it just an oversight?
AFAIK this is a security feature (but I am not sure if it is really helpful)
 
Hello, sorry to bother you. I have received DatastoreReader and Audit and can't see tape backup; I can see the jobs on the dashboard but not in the tape backup section. Can you please help?
 