Hello,
is it possible to prevent a service account that mounts a PBS datastore to a host from toggling the protection flag on its own backups?
The service account has the DatastoreBackup role/privilege tied to the host-specific namespace on a PBS instance.
The expected/desired outcome:
is that no process or person (even the master admin) on the PVE could tamper with backups once they are created.
This is generally true, excepting the protection flag.
Having the means to control the protection flag from the PBS side only would bring PBS even closer to the goal of backup immutability.
The server side (the PBS system) should be the sole governor of backup protection.
The current undesired behavior:
While PBS datastore is mounted with a service account featuring the DatastoreBackup role -> Admin on the PVE can toggle protection flag freely.
is it possible to prevent a service account that mounts a PBS datastore to a host from toggling the protection flag on its own backups?
The service account has the DatastoreBackup role/privilege tied to the host-specific namespace on a PBS instance.
The expected/desired outcome:
is that no process or person (even the master admin) on the PVE could tamper with backups once they are created.
This is generally true, excepting the protection flag.
Having the means to control the protection flag from the PBS side only would bring PBS even closer to the goal of backup immutability.
The server side (the PBS system) should be the sole governor of backup protection.
The current undesired behavior:
While PBS datastore is mounted with a service account featuring the DatastoreBackup role -> Admin on the PVE can toggle protection flag freely.
Last edited:
