Configuring Baculum

Access from web browser

Baculum API

Use these parameters to access the Baculum API:

Address: http://localhost:9096

First time login: admin

First time password: admin

Baculum Web

Use these parameters to access the Baculum Web:

Address: http://localhost:9095

First time login: admin

First time password: admin

Installation wizards

The Baculum API and the Baculum Web initial wizards help installing and connecting these two components together. In the Baculum Web wizard is added connection to the first API host called Main which is default API host for the Baculum Web.

To connect the Baculum Web to API part, you need to have at least one Baculum API instance with:

  • configured access to the Bacula Catalog database,

  • configured access to the Bacula console (bconsole).

For the other API features as a capability to configure Bacula (with Bacula JSON tools) and component actions (start/stop/restart) they can be configured to provide the additional Baculum Web’s functions but it is not mandatory.

SUDO

To complete the Baculum API wizard, you may need to add sudo security policies for bconsole, Bacula JSON tools and component actions. Inside the wizard you will be able to get this sudo configuration adjusted to typed paths in wizard fields. You can find it under Get sudo configuration links on the wizard steps. Ready sudo configuration please write in a file in location:

/etc/sudoers.d/baculum-api

An example sudoers configuration for the Apache web server on CentOS/RHEL may look like this:

Defaults:apache !requiretty
apache ALL = (root) NOPASSWD: /usr/sbin/bconsole
apache ALL = (root) NOPASSWD: /usr/sbin/bdirjson
apache ALL = (root) NOPASSWD: /usr/sbin/bsdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bfdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bbconsjson
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-fd

Install using basic authentication method:

../_images/baculum_wizard_basic.png

Install using OAuth2 authorization:

../_images/baculum_wizard_oauth2.png

Authentication

Note

It is recommended to enable encrypted HTTPS connection with TLS certificates in the Baculum API and the Baculum Web web servers. When the connection is unencrypted, Baculum cannot guarantee security. The HTTP method in Baculum should only be used for testing purposes.

Baculum API

Basic

Basic is the only authentication method available in the Baculum API. It provides a simple and minimal way to access both API resources and API panel. This authentication can be configured on start in the initial Baculum configuration wizards.

Baculum Web

All authentication methods are available to setup on the Security page of the Baculum Web interface.

Basic

Basic is the default authentication method in the Baculum Web which is realized by web server. This authentication can be configured on start in the initial Baculum configuration wizards.

Local user

This type of authentication is realized by HTML form in the Baculum Web. Once this method is enabled, the web server basic authentication can be disabled.

LDAP

The Baculum Web can connect to the LDAP server to authenticate LDAP users. This method is realized by a HTML form in the Baculum Web. Once this method is enabled, the web server basic authentication can be disabled.

For the Baculum Apache web server configuration you can disable the basic authentication by changing the following configuration block:

# Apache 2.4
<IfModule mod_authz_core.c>
      <Directory /usr/share/baculum/htdocs>
              SetEnvIf Request_URI "^/web/redirect$" noauth=1
              <RequireAny>
                      <RequireAll>
                              <RequireAny>
                                      Require env noauth
                                      Require env REDIRECT_noauth
                              </RequireAny>
                              Require all granted
                      </RequireAll>
                      <RequireAll>
                              AuthType Basic
                              AuthName "Baculum Auth"
                              AuthUserFile /usr/share/baculum/htdocs/protected/Web/Config/baculum.users
                              Require not env noauth
                              Require not env REDIRECT_noauth
                              Require valid-user
                      </RequireAll>
              </RequireAny>
      </Directory>
</IfModule>

into the following configuration block:

# Apache 2.4
<IfModule mod_authz_core.c>
      <Directory /usr/share/baculum/htdocs>
              Require all granted
      </Directory>
</IfModule>

For the Baculum Lighttpd web server configuration the basic authentication can be disabled by removing the following configuration block:

$HTTP["url"] !~ "/web/redirect$" {
        auth.backend = "htpasswd"
        auth.backend.htpasswd.userfile = "/usr/share/baculum/htdocs/protected/Web/Config/baculum.users"
        auth.require = ( "" => (
                "method" => "basic",
                "realm" => "Baculum Auth",
                "require" => "valid-user"
                )
        )
}

Authorization

Note

It is recommended to enable encrypted HTTPS connection with TLS certificates in the Baculum API and the Baculum Web web servers. When the connection is unencrypted, Baculum cannot guarantee security. The HTTP method in Baculum should only be used for testing purposes.

OAuth2

General information

Baculum API

To obtain access tokens, the OAuth2 implementation in the Baculum API uses the Authorization Code Grant flow.

  • Authorization URL: /oauth/authorize

  • Access Token URL: /oauth/token

Note

The Baculum API does not use refresh tokens. After expiration token the client application has to re-authorize again.

Authorization code expire time is 7 seconds, access token expire time is 1 hour. You can change these default values in the file:

/usr/share/baculum/htdocs/protected/Common/Class/OAuth2.php

You can find there the followin constants:

  • AUTHORIZATION_ID_EXPIRES_TIME,

  • ACCESS_TOKEN_EXPIRES_TIME.

To learn the Baculum API endpoints please visit the Baculum API documentation.

Baculum Web

OAuth2 callback URL (the redirect URI parameter) in the Baculum Web for baculumgui host is following:

https://baculumgui:9095/web/redirect

Enabling OAuth2

Default the Baculum API use the basic authentication. Enabling OAuth2 authorization gives additional features like:

  • access to Baculum API by secure tokens,

  • capability to assign dedicated Bconsole configuration files to OAuth2 accounts,

  • OAuth2 scopes to limit access to API endpoint by endpoint types (/jobs/, /clients/… and so on).

Warning

In the Baculum API the basic authentication works both for API resources and for API panel. The OAuth2 authorization cannot work when the basic authentication for API resources is enabled. In this case the authentication only must be enabled for API panel, but not for API resources.

Before you start using OAuth2 in the Baculum API, first you must disable the web server basic authentication for the Baculum API resources but keep the authentication for the Baculum API panel as described below.

Apache web server

Please change in the Baculum Web configuration of the Apache web server the Directory directive into the Location directive which indicates on the /panel path.

In sample of the Baculum API web server configuration below please follow on instruction in comments:

#
# NOTE: When you use OAuth2 then change this Directory section
# From: <Directory /usr/share/baculum/htdocs>
#            ...section body...
#       </Directory>
# To:   <Location /panel>
#            ...section body...
#       </Location>
#
<Directory /usr/share/baculum/htdocs>
#<Location /panel>
        AuthType Basic
        AuthName "Baculum Auth"
        AuthUserFile /usr/share/baculum/htdocs/protected/API/Config/baculum.users
        Require valid-user
#</Location>
</Directory>

Lighttpd web server

In sample of the Baculum API web server configuration please uncomment the two commented lines.

#
# Uncomment this line and closing braces below when you use OAuth2
#
#$HTTP["url"] =~ "^/panel.*$" {
        auth.backend = "htpasswd"
        auth.backend.htpasswd.userfile = "/usr/share/baculum/htdocs/protected/API/Config/baculum.users"
        auth.require = ( "/" => (
                "method" => "basic",
                "realm" => "Baculum Auth",
                "require" => "valid-user"
                )
        )
#}

Enable OAuth2 in API

Once the basic authentication is changed in the web server configuration, now please switch the Baculum API into the OAuth2 mode. You can do it in a Baculum API configuration wizard as shown on the following image:

../_images/baculum_enable_oauth2.png

Create admin OAuth2 client params

You need to create the admin OAuth2 client account which will be used by the Baculum Web to connect to the Baculum API. You can create it in a Baculum API admin panel as shown on the following images:

../_images/baculum_api_oauth2_1.png ../_images/baculum_api_oauth2_2.png

Connect Baculum Web using OAuth2 method

Now you can connect the Baculum Web to the Baculum API with using an OAuth2 authorization method in the Baculum Web configuration wizard.

../_images/baculum_web_oauth2.png

OAuth2 video guide (Baculum version 9.6.7)

Users

The Baculum Web provides a multi-user interface that uses roles (RBAC - role-based access control) to determine available the Baculum Web pages for individual users. Both users and roles can be set on the Baculum Web Security page. More information about this function you can find in Access to pages chapter.

Besides of restricted pages access there is also possible to assign dedicated Bacula resources (jobs, clients, storages …etc.) to users. This way each user (or an user group) can access to restricted Bacula resources. This feature uses a Bacula Console ACL functions. To setup this type of restricted access, please follow the instructions in the video below. For more information, please visit Access to Bacula resources chapter.

Note

The example configuration shown in the video uses OAuth2. Before implementing it, please make sure, you have the OAuth2 authorization configured in Baculum API and Baculum Web. See the OAuth2 chapter.

Autochanger management

From Baculum version 11.0.2.1 there has been introduced support for the autochanger management. It provides functions like:

  • load tape to tape drives

  • unload tape from tape drives

  • label tapes using barcodes

  • move tapes to import/export slots

  • release single import/export slot

  • release all import/export slots at once

  • update slots using barcodes

  • update slots by scanning tape labels written onto volume

To use it, please add autochanger device and tape drives to the Baculum API using page named Devices. For using the autochanger management in Baculum Web, Autochanger name in the Storage Daemon config must be the same as autochanger name in Baculum API, as shown on image below.

../_images/baculum_autochanger_same_names.png

After adding autochanger and tape drives to Baculum API, on the Baculum Web side please go to page Storage and select there the autochanger device. Changer and drives management is available there on tab called Manage autochanger.

Autochanger configuration video guide

Multiple API hosts

The Baculum Web is designed to work with API hosts. It can work with one API host and with many API hosts. From version 11.0.2.2 there is also possible to assign more API hosts than one to users. This way one user can manage his own API hosts using the same Baculum Web interface.

On the figure below we can see example Baculum hosts topology with one Baculum Web and two Baculum API instances. One Baculum API can be used for regular administration work with backups, restores, clients and so on. The second one can be used for managing connected tape autochanger.

../_images/baculum_multiple_api_hosts.png

There can be many usages of multiple API hosts. You can use them for example for:

  • managing Bacula director, file daemon, storage daemon and console configuration on remote Bacula hosts,

  • working with multiple Bacula server instances,

  • managing Autochanger (slots, tapes, load, unload, move from/to import/export slots, label barcodes, update slots and others),

  • restarting remote Bacula components by Baculum API actions (start, stop, restart).

More information about working with multiple API hosts you can find in the Remote host management manual.

Multiple API hosts video guide