Prune jobs on PBS

Hi

I have a user at my PBS server; that user has the rights: DatastorePowerUser (so DatastoreBackup and DatastorePrune) on its namespace in the Datastore.
My thought is that users create an API account that only has DatastoreBackup that backs up data from the customer's PVE cluster, and that works great.
Now, my thought is that pruning should be handled from the PBS, so I log in with my normal user, I choose the datastore and I try to create a Prune job and I get this error:
missing permissions 'Datastore.Modify' on '/datastore/Datastore-name/Namespace'
I would prefer if the user doesn't get too many rights, and do we really need Datastore.Modify to create a Prune job on a PBS? Or am I doing it wrong?

I forgot this:
Code:
root@sto-pbs:~# proxmox-backup-manager version --verbose
proxmox-backup                     3.2.0        running kernel: 6.8.12-2-pve
proxmox-backup-server              3.2.7-1      running version: 3.2.7
proxmox-kernel-helper              8.1.0
proxmox-kernel-6.8                 6.8.12-2
proxmox-kernel-6.8.12-2-pve-signed 6.8.12-2
proxmox-kernel-6.8.8-2-pve-signed  6.8.8-2
proxmox-kernel-6.8.4-2-pve-signed  6.8.4-2
ifupdown2                          3.2.0-1+pmx9
libjs-extjs                        7.0.0-4
proxmox-backup-docs                3.2.7-1
proxmox-backup-client              3.2.7-1
proxmox-mail-forward               0.2.3
proxmox-mini-journalreader         1.4.0
proxmox-offline-mirror-helper      0.6.7
proxmox-widget-toolkit             4.2.3
pve-xtermjs                        5.3.0-3
smartmontools                      7.3-pve1
zfsutils-linux                     2.2.6-pve1
 
if you give a user DatastorePrune, they can only prune their own backups. a prune job will affect the whole datastore (or namespace), so it requires more privileges.
 
How should a user manage prunes themselves?
I would like them to be able to set up pruning themselves and not manually do it, am I missing something?
I would prefer that the API key can only back up (and restore) and not prune jobs, and the user they have can do pruning on the PBS for their namespace.
It feels like I am missing something simple :)
 
if you want to set up datastore-wide server-side pruning, you need a highly privileged user. but that only needs to be set up once - the user can still manually prune their own groups. there is no scheduled pruning limited to a user's owned backups, that can only be done manually (via the UI/API/PVE/proxmox-backup-client)
 
OK, I understand.

I was thinking that the user could set up pruning for their namespace themselves.
Backup would be handled via the API key only, so if their PVE system is breached they can't prune their backups from the PVE instance.
But the user can log in with their user login to my PBS and there have a pruning job that handles their backup, since they pay for the space they use.
And what I understand then is that currently that is not possible and I need to set up pruning jobs for them as admin?
 
yes. or let them prune via the client on a schedule, or write your own integration that does that ;)
 
for most setups, setting up pruning once for the whole datastore works, yes. and it's far easier to understand than mixing and matching different levels and sources of pruning. we could of course implement per-user prune jobs as well, and let those only affect owned groups of that user, but that feature doesn't exist at the moment. if you have multiple sources of pruning, the most aggressive one will win out in the long term.
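
The "prune via the client on a schedule" option from the reply above, as an added example that is not part of the thread and is not Proxmox's own code. The repository string, namespace and retention values are constructed placeholders; it assumes `jq` is installed and that `PBS_PASSWORD` holds credentials for an account that owns the backup groups and has DatastorePrune on the namespace, stored on a host other than the PVE cluster.

```shell
#!/bin/sh
# Scheduled client-side prune for one tenant namespace (added example).
# All values below are constructed placeholders; override via environment.
PBC="${PBC:-proxmox-backup-client}"
REPO="${PBS_REPOSITORY:-customer1@pbs@pbs.example.com:Datastore-name}"
NS="${PBS_NS:-Namespace}"
KEEP_DAILY="${KEEP_DAILY:-30}"
KEEP_MONTHLY="${KEEP_MONTHLY:-12}"

# prune_groups [--dry-run]
# Reads one backup group per line ("vm/100", "ct/200", "host/web1") on stdin
# and prunes each. Returns non-zero if a name is malformed or a prune fails.
prune_groups() {
    extra="${1:-}"; rc=0
    while IFS= read -r group; do
        [ -n "$group" ] || continue
        # Only accept type/id names built from characters valid in a backup ID.
        case "$group" in
            *[!A-Za-z0-9._/-]*) ok=0 ;;
            vm/?*|ct/?*|host/?*) ok=1 ;;
            *) ok=0 ;;
        esac
        if [ "$ok" -ne 1 ]; then
            echo "skipping malformed group name: $group" >&2
            rc=1; continue
        fi
        # </dev/null keeps the client from consuming the group list on stdin.
        # $extra is left unquoted on purpose so an empty value adds no argument.
        "$PBC" prune "$group" --repository "$REPO" --ns "$NS" \
            --keep-daily "$KEEP_DAILY" --keep-monthly "$KEEP_MONTHLY" \
            $extra </dev/null || rc=1
    done
    return "$rc"
}

# Entry point for cron or a systemd timer: "prune-ns.sh run [--dry-run]".
# Lists the groups visible in the namespace, then prunes them one by one.
if [ "${1:-}" = "run" ]; then
    "$PBC" list --repository "$REPO" --ns "$NS" --output-format json \
        | jq -r '.[] | "\(.["backup-type"])/\(.["backup-id"])"' \
        | prune_groups "${2:-}"
fi
```

Running it with `--dry-run` first shows what would be removed; any datastore-wide prune job set up by the admin still applies on top of this schedule.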
 
The plan is to have this as a SaaS service where users can have their own backup and also manage their own prune jobs in PBS.
One user perhaps wants just 30 days of backup, some want several years of backups. It's up to them, but we do have some general recommendations.

But then I guess I need to request a feature for per-user prune jobs.

The PVE UI recommended to set pruning in PBS so I took for granted that users with the DatastorePowerUser could set up their own prune jobs.
Could you direct me to where I can do a feature request? Sorry, I am a bit new here.
 
on https://bugzilla.proxmox.com :)

I don't think this should be too hard to implement, and the use case is a valid one (although it could still be confusing if multiple such jobs covering the same user exist, or a global and a user one with conflicting settings).
 
