Configuring Baculum

Access from web browser

Baculum API

Use these parameters to access the Baculum API:

Address: http://localhost:9096

First time login: admin

First time password: admin

Baculum Web

Use these parameters to access the Baculum Web:

Address: http://localhost:9095

First time login: admin

First time password: admin

Installation wizards

The Baculum API and the Baculum Web initial wizards help installing and connecting these two components together. In the Baculum Web wizard is added connection to the first API host called Main which is default API host for the Baculum Web.

To connect the Baculum Web to API part, you need to have at least one Baculum API instance with:

  • configured access to the Bacula Catalog database,

  • configured access to the Bacula console (bconsole).

For the other API features as a capability to configure Bacula (with Bacula JSON tools) and component actions (start/stop/restart) they can be configured to provide the additional Baculum Web’s functions but it is not mandatory.

SUDO

To complete Baculum API wizard, you may need to add sudo security policies for bconsole, Bacula JSON tools and component actions. Inside the wizard you will be able to get this sudo configuration adjusted to typed paths in wizard fields. You can find it under Get sudo configuration links on the wizard steps. Ready sudo configuration please write in a file in location:

/etc/sudoers.d/baculum-api

An example sudoers configuration for the Apache web server on CentOS/RHEL may look like this:

Defaults:apache !requiretty
apache ALL = (root) NOPASSWD: /usr/sbin/bconsole
apache ALL = (root) NOPASSWD: /usr/sbin/bdirjson
apache ALL = (root) NOPASSWD: /usr/sbin/bsdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bfdjson
apache ALL = (root) NOPASSWD: /usr/sbin/bbconsjson
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-dir
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-sd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl start bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl stop bacula-fd
apache ALL = (root) NOPASSWD: /usr/bin/systemctl restart bacula-fd

Install using basic authentication method:

../_images/baculum_wizard_basic.png

Install using OAuth2 authorization:

../_images/baculum_wizard_oauth2.png

Authentication

Note

It is recommended to enable encrypted HTTPS connection with TLS certificates in the Baculum API and the Baculum Web web servers. When the connection is unencrypted, Baculum cannot guarantee security. The HTTP method in Baculum should only be used for testing purposes.

Baculum API

Basic

Basic is the only authentication method available in the Baculum API. It provides a simple and minimal way to access both API resources and API panel. This authentication can be configured on start in the initial Baculum configuration wizards.

Baculum Web

All authentication methods are available to setup on the Security page of the Baculum Web interface.

Basic

Basic is the default authentication method in the Baculum Web which is realized by web server. This authentication can be configured on start in the initial Baculum configuration wizards.

Local user

This type of authentication is realized by HTML form in the Baculum Web. Once this method is enabled, the web server basic authentication can be disabled.

LDAP

The Baculum Web can connect to the LDAP server to authenticate LDAP users. This method is realized by a HTML form in the Baculum Web. Once this method is enabled, the web server basic authentication can be disabled.

Authorization

Note

It is recommended to enable encrypted HTTPS connection with TLS certificates in the Baculum API and the Baculum Web web servers. When the connection is unencrypted, Baculum cannot guarantee security. The HTTP method in Baculum should only be used for testing purposes.

OAuth2

General information

Baculum API

To obtain access tokens, the OAuth2 implementation in the Baculum API uses the Authorization Code Grant flow.

  • Authorization URL: /oauth/authorize

  • Access Token URL: /oauth/token

Note

The Baculum API does not use refresh tokens. After expiration token the client application has to re-authorize again.

Authorization code expire time is 7 seconds, access token expire time is 60 seconds. You can change these default values in the file:

/usr/share/baculum/htdocs/protected/Common/Class/OAuth2.php

You can find there the followin constants:

  • AUTHORIZATION_ID_EXPIRES_TIME,

  • ACCESS_TOKEN_EXPIRES_TIME.

To learn the Baculum API endpoints please visit the Baculum API documentation.

Baculum Web

OAuth2 callback URL (the redirect URI parameter) in the Baculum Web for baculumgui host is following:

https://baculumgui:9095/web/redirect

Enabling OAuth2

To access the Baculum API, default is using basic authentication. Enabling OAuth2 authorization gives additional features like:

  • capability to assign dedicated Bconsole configuration files to OAuth2 accounts,

  • capability to restrict Bacula resources per Baculum Web user,

  • access to Baculum API by secure tokens,

  • OAuth2 scopes to limit access to API endpoint by endpoint types (/jobs/, /clients/… and so on).

Warning

In the Baculum API the basic authentication works both for API resources and for API panel. The OAuth2 authorization cannot work when the basic authentication for API resources is enabled. In this case the authentication only must be enabled for API panel, but not for API resources.

Before you start using OAuth2 in the Baculum API, first you must disable the web server basic authentication for the Baculum API resources but keep the authentication for the Baculum API panel as described below.

Apache web server

Please change in the Baculum Web configuration of the Apache web server the Directory directive into the Location directive which indicates on the /panel path.

In sample of the Baculum API web server configuration below please follow on instruction in comments:

#
# NOTE: When you use OAuth2 then change this Directory section
# From: <Directory /usr/share/baculum/htdocs>
#            ...section body...
#       </Directory>
# To:   <Location /panel>
#            ...section body...
#       </Location>
#
<Directory /usr/share/baculum/htdocs>
#<Location /panel>
        AuthType Basic
        AuthName "Baculum Auth"
        AuthUserFile /usr/share/baculum/htdocs/protected/API/Config/baculum.users
        Require valid-user
#</Location>
</Directory>

Lighttpd web server

In sample of the Baculum API web server configuration please uncomment the two commented lines.

#
# Uncomment this line and closing braces below when you use OAuth2
#
#$HTTP["url"] =~ "^/panel.*$" {
        auth.backend = "htpasswd"
        auth.backend.htpasswd.userfile = "/usr/share/baculum/htdocs/protected/API/Config/baculum.users"
        auth.require = ( "/" => (
                "method" => "basic",
                "realm" => "Baculum Auth",
                "require" => "valid-user"
                )
        )
#}

Enable OAuth2 in API

Once the basic authentication is changed in the web server configuration, now please switch the Baculum API into the OAuth2 mode. You can do it in a Baculum API configuration wizard as shown on the following image:

../_images/baculum_enable_oauth2.png

Create admin OAuth2 client params

You need to create the admin OAuth2 client account which will be used by the Baculum Web to connect to the Baculum API. You can create it in a Baculum API admin panel as shown on the following image:

../_images/baculum_api_oauth2.png

Connect Baculum Web using OAuth2 method

Now you can connect the Baculum Web to the Baculum API with using an OAuth2 authorization method in the Baculum Web configuration wizard.

../_images/baculum_web_oauth2.png

Users

The Baculum Web provides a multi-user interface that uses roles (RBAC - role-based access control) to determine available the Baculum Web pages for individual users. Both users and roles can be set on the Baculum Web Security page.

Besides of restricted pages access there is also possible to assign dedicated Bacula resources (jobs, clients, storages …etc.) to users. This way each user (or an user group) can access to restricted Bacula resources. This feature uses a Bacula Console ACL functions. To setup this type of restricted access, please follow the instructions in the video below.

Note

Before implementing the configuration shown in the video, please make sure, you have the OAuth2 authorization configured in Baculum API and Baculum Web. See the OAuth2 chapter.