Baculum - Bacula web interface Table of content: 1. Customized and restricted consoles 2. Baculum users configuration file 3. FAQ ================================================================================ === 1. Customized and restricted consoles === Baculum supports customized and restricted consoles for each logged in user. Before using customized and restricted consoles please check location for bconsole configuration files for each user. For do it, there is need to run on Baculum webGUI configuration wizard and there is need to go to "Console" wizard step (fourth step). In "Console" wizard step there is field defined as: Bconsole custom config file path: __________________ In this field there is required to define location for restricted consoles. In defined path exists one keyword {user}. It will be replaced into current logged in username. For example, if there is logged user named "john", keyword {user} will be replaced into "john". Example: "Bconsole custom config file path" is defined as: /usr/local/bacula/etc/bconsole-{user}.conf After login user "john" to Baculum webGUI, for each bconsole request will be used file: /usr/local/bacula/etc/bconsole-john.conf It makes available to define some specific console access (or restricted access) for each Baculum user. For user named "willy" in above configured path according bconsole configuration file will be: /usr/local/bacula/etc/bconsole-willy.conf etc... NOTE! In configuration wizard step "Console" there is also field: "Bconsole admin config file path:": ___________________ Config file defined in this field will be used by administrator only. For this reason the best practice is to define here console configuration file that gives full access for administrator. Administrator user and password will be defined in next configuration wizard step named "Authorization" (fifth step). Baculum users are defined on web server level as described in instruction in attached to Baculum INSTALL file. Example: For creating users "john" and "willy" as Baculum HTTP Basic authorization users there is need to create this users for example by: # htpasswd /some/location/htpasswd/file john # htpasswd /some/location/htpasswd/file willy For case using other HTTP Basic authorization backends (for example LDAP) there is need to define these users in this specific service. Example of content custom consoles configuration file is below: Console { Name = "BaculaRestrictedUser" Password = "XXXXXXXXX" CommandACL = show,.client,.jobs,.fileset,.pool,.storage,.jobs,.bvfs_update, .bvfs_lsdirs,.bvfs_lsfiles,.bvfs_versions,.bvfs_get_jobids,.bvfs_restore,restore CatalogACL = *all* ClientACL = user-fd JobACL = somejob1,userjob PoolACL = Full-Pool StorageACL = VTL FileSetACL = somejob1-fileset,userjobFileSet3 WhereACL = *all* } After defining these ACL there is also need to define the console access to Director service in Bacula Director configuration file as Console{} resource. NOTE! Please note that in above example in CommandACL are shown the most essential commands necessary for proper working of Baculum webGUI and possibility do to restore action (all .bvfs_* command and "restore" command) Below are the same necessary commands broke one per line: show .client .jobs .fileset .pool .storage .jobs .bvfs_update .bvfs_lsdirs .bvfs_lsfiles .bvfs_versions .bvfs_get_jobids .bvfs_restore restore Catalog Database restriction Because Baculum in few parts of interface uses data from Bacula Catalog Database, for each user who IS NOT administrator there has been disabled EVERY write to Bacula Catalog database by Baculum webGUI. Modification Bacula Catalog Database tables is possible ONLY for Baculum administrator. Additionally because of Console ACL functionality does not support restriction on media/volumes level, access to media/volumes has been disabled for all users except administrator. Configuration wizard restriction For security reason there has been disabled access to Configuration Wizard function for all users except administrator. ================================================================================ === 2. Baculum users configuration file === There is possible to manage Baculum administrator login and password directly in configuration wizard step titled "Step 5 - authorization params to Baculum". It means that Baculum administrator may change admin auth params by configuration wizard. ---------------- NOTE --------------- In older Baculum versions (before 7.0.5) in Step 5 configuration wizard there were need to input admin auth params the same as in pre-defined file by "htpasswd" program. In version 7.0.5 has been introduced partial support for possibility changing username and password from Baculum interface working on Lighttpd web server. From version 7.2.0 this limitation has been abolished. As long as Web Server uses HTTP Basic auth file located in: ./protected/Data/baculum.users and Web Server is capable to write (write permission) to this passwords file as long is possible to change username and password from Baculum interface level. ------------ NOTE END ------------- ================================================================================ === 3. FAQ === a) Why Jobs list and/or Media list windows do not show any content? In case when in Bacula Catalog database exist a lot of finished Jobs or Media records, for example more than 2000, and window with Jobs or Media list do not show any content, then please consider increase "memory_limit" option in php.ini PHP configuration file to higher value than 256M. There is also possible to set limit window list elements on webGUI in window tools option (on window bottom bar), without changing "memory_limit" value. b) Just after finish initial wizard there is not possible to login to Baculum From Baculum 7.2.0 has been changed format storing passwords. Passwords stored by Baculum for HTTP Basic authentication are encrypted by MD5. It is default alghoritm used by "htpasswd" program. Plain text passwords for HTTP Basic auth are not longer supported by Baculum. From this reason good to check if used web server for Baculum is set to using MD5 type passwords in HTTP Basic authentication.