User permissions for backup jobs, retention rules

kriebz

New Member
Jun 26, 2024
I have a small PVE cluster and a PBS server. I configured a user on PBS with the "Role" DatastoreBackup. I'm getting errors in my scheduled backups on the PVE hosts, such as:
ERROR: prune 'ct/111': proxmox-backup-client failed: Error: permission check failed - missing Datastore.Modify|Datastore.Prune on /datastore/pbs-60-1
I can't seem to find a granular way to make new roles or add or remove permissions from roles. I have added "DatastorePowerUser" under the path specified to this user's permissions, but that feels like a hack? Also, my retention rules seem to not work. I have many many backups for each VM and CT instead of the 5 I asked for, and I'm wondering if this is related.

Is this a bug? I also just updated (I know I'm not great with change management :-P) PBS to the latest non-subscription, and I can see what's able to be updated on hosts.
 
I can't seem to find a granular way to make new roles or add or remove permissions from roles.
That is not possible, roles are pre-defined.
prune 'ct/111'
As you can see your backup fails because the user has no rights to prune that datastore, so you must either adapt the user's role to have the permissions to do so or, if you do not want to give that many permissions to the user, manage the pruning of snapshots on the PBS itself rather than on the PVE host. The latter might be preferable in your case, for further details see https://pbs.proxmox.com/docs/maintenance.html#prune-jobs

I have added "DatastorePowerUser" under the path specified to this user's permissions, but that feels like a hack?
Why does this feel like a hack? See the documented permissions for that role https://pbs.proxmox.com/docs/user-management.html#access-control

I have many many backups for each VM and CT instead of the 5 I asked for, and I'm wondering if this is related.

Is this a bug?
No, your user simply does not have the required permissions to prune contents.
 
Thank you very much. I think I'm getting the hang of where to change what. I was hoping to have one place to do all of the setup, to make this as smooth as possible for other admins. I assumed that the default role that might be set on the PVE end would support all of the features available to be set there. I can see the value of restricting some behavior from that user, however.

The "feels like a hack" was assigning a role that seems to be for a person, say, someone responsible for doing piecemeal restorals, to the PVE automatic backup user (slash API token).
 
Hi,

The error means that your PBS user doesn’t have permission to delete old backups (prune), which is why the retention rules are not working. The DatastoreBackup role only allows making backups, not deleting them.

To fix this, you can give the user the DatastorePowerUser role on the datastore. This role allows backing up, deleting old backups, and more.

If you want to be more careful and only give the permissions needed, you can give the user two roles instead:

  • DatastoreBackup (to allow backups)
  • DatastorePrune (to allow deleting old backups)

Once the correct permissions are set, your retention rules will work properly.
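The two fixes discussed in the replies above (grant the backup token a role that carries Datastore.Prune, or leave it at DatastoreBackup and prune on the PBS side with a prune job), as an added shell example that is not from this thread or from the Proxmox project. The role-to-privilege mapping is taken from the PBS access-control docs linked above and should be checked against the version you run; `pbs-60-1` is the datastore named in the error, while the auth-id and prune-job id are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox): pick the least-privileged
# built-in PBS role that satisfies a "missing Priv.A|Priv.B" error, then either
# grant it on the datastore path or keep the token at DatastoreBackup and prune
# on PBS instead. Role->privilege mapping per the PBS docs (verify for your
# version). DATASTORE is from the error in the thread; AUTHID is a placeholder.
set -eu

DATASTORE="pbs-60-1"
AUTHID="pve-backup@pbs!pve-jobs"   # placeholder: the token PVE uses for backups

# Privileges each role grants on /datastore/<name>, least to most privileged.
role_privs() {
  case "$1" in
    DatastoreBackup)    echo "Datastore.Backup" ;;
    DatastorePowerUser) echo "Datastore.Backup Datastore.Prune" ;;
    DatastoreAdmin)     echo "Datastore.Audit Datastore.Modify Datastore.Read Datastore.Verify Datastore.Backup Datastore.Prune" ;;
    *) return 1 ;;
  esac
}

# PBS joins alternatives with '|' in the error text: any one of them suffices.
role_satisfies() {   # usage: role_satisfies ROLE "Priv.A|Priv.B"
  privs=" $(role_privs "$1" || true) "
  oldifs=$IFS; IFS='|'
  for p in $2; do
    case "$privs" in *" $p "*) IFS=$oldifs; return 0 ;; esac
  done
  IFS=$oldifs
  return 1
}

# First role, in least-to-most order, that covers the requirement.
minimal_role_for() {   # usage: minimal_role_for "Priv.A|Priv.B"
  for r in DatastoreBackup DatastorePowerUser DatastoreAdmin; do
    if role_satisfies "$r" "$1"; then echo "$r"; return 0; fi
  done
  return 1
}

# Fix 1: grant the minimal role to the token on the datastore path.
grant_minimal_role() {
  role=$(minimal_role_for "$1")
  proxmox-backup-manager acl update "/datastore/$DATASTORE" "$role" --auth-id "$AUTHID"
}

# Fix 2: keep DatastoreBackup on the token and let PBS prune on a schedule
# (then drop the retention settings from the PVE job so it stops issuing prunes).
create_pbs_prune_job() {
  proxmox-backup-manager prune-job create "prune-$DATASTORE" \
    --store "$DATASTORE" --schedule daily --keep-last 5
}

echo "least-privileged role for the error: $(minimal_role_for 'Datastore.Modify|Datastore.Prune')"
```

Call `grant_minimal_role 'Datastore.Modify|Datastore.Prune'` or `create_pbs_prune_job` on the PBS host for whichever fix you choose; the script itself only reports the role decision.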