Sync and permissions

Oct 30, 2024
4
0
1
Hello everyone,

I have a question regarding the permissions of API tokens used in sync jobs between PBS servers.
Until now, I was adding my remote server and running my sync jobs with a token derived from the root@pam user (so bad !).
So I tried to do things more cleanly by defining a pbs-site1@pbs user on the PBS server at site 2, and then deriving a pbs-site1@pbs!synchro token from it.
There is no problem adding the PBS server from site 2 on the PBS server at site 1.

Where things get complicated is when I want to create the sync job (push) from site 1 to site 2.
I thought that a token’s permissions were unrelated to the permissions of the user used to create it.
So, on site 2, I added a permission on /my-datastore/my-namespace with the DatastoreAdmin role on the my-namespace namespace.
However, it was impossible to create the sync job because the datastore did not appear.
To make it work, I had to add the same permission to the pbs-site1@pbs user, in the same place.

My question is: what did I miss?

Both sites use PBS 4.2.2
 
Hi,

This is expected, because an API token is inherently tied to the user that is selected, and therefore a token can never have more privileges than its parent user.

The solution you found, adding the permission to the pbs-site1@pbs user as well as the token, is a valid way to configure this.
 
  • Like
Reactions: Johannes S