Second PBS - how to grant access to single VM

[daros]

Hi,

We have an proxmox cluster with 2 PBS servers.
A customer would like to store there own VM's as an fail safe, so that created an own PBS.

I can make an secure port forwaring that they can create an own sync but i would only that they can access there own VM's.
Can someone point me in the right direction how to setup the access rights that they can only see and sync the vm's i would like them to see and sync?

Thank you.

 

[fabian]

1. the trust boundary in PBS is the datastore - so if you absolutely want nothing shared even by accident, setup a separate datastore!
2. for syncing there are two users involved:
- the remote user (part of the configured remote) determines which namespaces and groups of the remote end (that is pulled from) are visible in the first place
- the local user (part of the sync job) determines which namespaces and groups are writable locally, and who can read the groups after the sync

so if you want to have your customer's PBS only sync one specific VM, you need to
- make sure that backup group has the customer user as owner
- make sure that the customer user only has access to backup groups it owns (by only giving them DatastoreBackup or DatastorePowerUser roles on the namespaces/datastore)
- tell them to setup a remote using that user
- let them configure the sync job however they want - they should only be able to access their own backup groups via that user/remote.

you can test the settings first by setting up such a remote yourself, and pulling into a new, empty namespace.