Bareos Webui

Command ACL Requirements

The following tables show which commands are required and optional for each module of the Bareos WebUI.

Optional commands may be denied by Command ACL (Dir->Profile) settings to limit specific functionality. If you deny a required command, the module will not work.

Note

The commands .api, .help and use are essential commands and should never be denied by Command ACL (Dir->Profile) settings in your Console (Dir) or Profile (Dir) resources.

Client Module
Command	Client
disable	optional
enable	optional
list	required
llist	required
status	optional
use	required
version	required
.api	required
.clients	required
.help	required

Dashboard Module
Command	Dashboard
cancel	optional
list	required
llist	required
use	required
.api	required
.help	required

Director Module
Command	Director
list	required
llist	required
status	optional
use	required
.api	required
.help	required

Fileset Module
Command	Fileset
list	required
llist	required
use	required
.api	required
.help	required

Job Module
Command	Job
cancel	optional
disable	optional
enable	optional
list	required
llist	required
rerun	optional
run	optional
use	required
.api	required
.defaults	required
.filesets	required
.help	required
.jobs	required
.pools	required
.storages	required

Volume/Media Module
Command	Media
list	required
llist	required
use	required
.api	required
.help	required

Pool Module
Command	Pool
list	required
llist	required
use	required
.api	required
.help	required

Restore Module
Command	Restore
list	required
llist	required
restore	optional
use	required
.api	required
.filesets	required
.help	required
.jobs	required
.bvfs_lsdirs	required
.bvfs_lsfiles	required
.bvfs_update	required
.bvfs_get_jobids	required
.bvfs_versions	required
.bvfs_restore	required

Schedule Module
Command	Schedule
disable	optional
enable	optional
list	required
llist	required
status	optional
show	optional
use	required
.api	required
.help	required
.schedule	required

Storage Module
Command	Storage
export	optional
import	optional
label	optional
list	required
llist	required
release	optional
status	optional
update	optional
use	required
.api	required
.help	required
.pools	optional

Analytics Module
Command	Analytics
list	required
llist	required
use	required
.api	required
.help	required

A complete overview of bconsole command usage in the Bareos WebUI can be found in the Developer Guide chapter “Command usage in modules and the according ACL requirements”.

Access Control Configuration

Access Control is configured in Profile (Dir), Console (Dir) or User (Dir) resources.

Below are some example profile resources that should serve you as guidance to configure access to certain elements of the Bareos WebUI to your needs and use cases.

Full Access

No restrictions are given by Profile (Dir), everything is allowed. This profile is included in the Bareos WebUI package.

Profile Resource - Administrator Access Example

Profile {
   Name = "webui-admin"
   CommandACL = *all*
   JobACL = *all*
   ScheduleACL = *all*
   CatalogACL = *all*
   PoolACL = *all*
   StorageACL = *all*
   ClientACL = *all*
   FilesetACL = *all*
   WhereACL = *all*
}

Limited Access

Users with the following profile example have limited access to various resources but they are allowed to run, rerun and cancel the jobs backup-bareos-fd and backup-example-fd.

Note

Access to depending resources for the jobs set in the Job ACL (Dir->Profile) needs also be given by Client ACL (Dir->Profile), Pool ACL (Dir->Profile), Storage ACL (Dir->Profile) and File Set ACL (Dir->Profile) settings.

Users of this profile are also able to do a restore from within the Bareos WebUI by having access to the RestoreFiles job resource, the required Bvfs API commands and the restore command itself.

Profile Resource - Limited Access Example

Profile {
   Name = "webui-user"
   # Multiple CommandACL directives as given below are concatenated
   CommandACL = .api, .help, use, version, status, show
   CommandACL = list, llist
   CommandACL = run, rerun, cancel, restore
   CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
   CommandACL = .bvfs_update, .bvfs_get_jobids, .bvfs_lsdirs, .bvfs_lsfiles
   CommandACL = .bvfs_versions, .bvfs_restore, .bvfs_cleanup
   JobACL = backup-bareos-fd, backup-example-fd, RestoreFiles
   ScheduleACL = WeeklyCycle
   CatalogACL = MyCatalog
   PoolACL = Full, Differential, Incremental
   StorageACL = File
   ClientACL = bareos-fd, example-fd
   FilesetACL = SelfTest, example-fileset
   WhereACL = *all*
}

Read-Only Access

This example profile resource denies access to most of the commands and additionally restricts access to certain other resources like Job (Dir), Schedule (Dir), Pool (Dir), Storage (Dir), Client (Dir), Fileset (Dir), etc.

Users of this profile would not be able to run or restore jobs, execute volume and autochanger related operations, enable or disable resources besides other restrictions.

Profile Resource - Read-Only Access Example 1

Profile {
  Name = "webui-user-readonly-example-1"

  # Deny general command access
  CommandACL = !.bvfs_clear_cache, !.exit, !configure, !purge, !prune, !reload
  CommandACL = !create, !update, !delete, !disable, !enable
  CommandACL = !show, !status

  # Deny job related command access
  CommandACL = !run, !rerun, !restore, !cancel

  # Deny autochanger related command access
  CommandACL = !mount, !umount, !unmount, !export, !import, !move, !release, !automount

  # Deny media/volume related command access
  CommandACL = !add, !label, !relabel, !truncate

  # Deny SQL related command access
  CommandACL = !sqlquery, !query, !.sql

  # Deny debugging related command access
  CommandACL = !setdebug, !trace

  # Deny network related command access
  CommandACL = !setbandwidth, !setip, !resolve

  # Allow non-excluded command access
  CommandACL = *all*

  # Allow access to the following job resources
  Job ACL = backup-bareos-fd, RestoreFiles

  # Allow access to the following schedule resources
  Schedule ACL = WeeklyCycle

  # Allow access to the following catalog resources
  Catalog ACL = MyCatalog

  # Deny access to the following pool resources
  Pool ACL = !Scratch

  # Allow access to non-excluded pool resources
  Pool ACL = *all*

  # Allow access to the following storage resources
  Storage ACL = File

  # Allow access to the following client resources
  Client ACL = bareos-fd

  # Allow access to the following filset resources
  FileSet ACL = SelfTest

  # Allow access to restore to any filesystem location
  Where ACL = *all*
}

Alternatively the example above can be configured as following if you prefer a shorter version.

Profile Resource - Read-Only Access Example 2

Profile {
  Name = "webui-user-readonly-example-2"

  # Allow access to the following commands
  CommandACL = .api, .help, use, version, status
  CommandACL = list, llist
  CommandACL = .clients, .jobs, .filesets, .pools, .storages, .defaults, .schedule
  CommandACL = .bvfs_lsdirs, .bvfs_lsfiles, .bvfs_update, .bvfs_get_jobids, .bvfs_versions, .bvfs_restore

  # Allow access to the following job resources
  Job ACL = backup-bareos-fd, RestoreFiles

  # Allow access to the following schedule resources
  Schedule ACL = WeeklyCycle

  # Allow access to the following catalog resources
  Catalog ACL = MyCatalog

  # Allow access to the following  pool resources
  Pool ACL = Full, Differential, Incremental

  # Allow access to the following storage resources
  Storage ACL = File

  # Allow access to the following client resources
  Client ACL = bareos-fd

  # Allow access to the following filset resources
  FileSet ACL = SelfTest

  # Allow access to restore to any filesystem location
  Where ACL = *all*
}

For more details, please read Profile Resource.

Restore

By default when running a restore in the Bareos WebUI the most recent version of all files from the available backups will be restored. You can change this behaviour by selecting the merge strategy and specific job selections in the fields described below. The Bareos WebUI allows you to restore multiple files or specific file versions.

Available restore parameters

Client

A list of available backup clients.

Backup jobs

A list of successful backup jobs available for the selected client.

Merge all client filesets

Determines if all available backup job filesets for the selected client should be merged into one file tree. This is helpful i.e. if multiple backup jobs with different filesets are available for the selected client. When you are just interested in a specific backup job, disable merging here and make the appropriate selection of a backup job.

Merge all related jobs to last full backup of selected backup job

By default all most recent versions of a file from your incremental, differential and full backup jobs will be merged into the file tree. If this behaviour is not desirable and instead the file tree should show the contents of a particular backup job, set the value to “No” here. Select a specific backup job afterwards to browse through the according file tree which has been backed up by that job.

Restore to client

In case you do not want to restore to the original client, you can select an alternative client here.

Restore job

Sometimes dedicated restore jobs may be required, which can be selected here.

Replace files on client

Here you can change the behaviour of how and when files should be replaced on the backup client while restoring.

always

never

if file being restored is older than existing file

if file being restored is newer than existing file

Restore location on client

If you like to restore all files to the original location then enter a single / here but keep the settings of “Replace files on client” in mind.

In case you want to use another location, simply enter the path here where you want to restore to on the selected client, for example /tmp/bareos-restore/.

Restore multiple files

Restore a specific file version

Limitations

Note

Restoring NDMP backups is currently not supported by Bareos WebUI. Please use the bconsole instead.