Kern Sibbald wrote:
> On Tuesday 30 January 2007 15:56, Zeratul wrote:
>> Hi
>>
>> I'm wondering if there is any way to limit the effect of some commands,
>> defined in CommandACL, to specific jobs or clients.
>>
>> Basically, I created a console with limited rights, as follows:
>> ------------------------------------------------------------------------
>> Console {
>> Name = projectserve01
>> Password = "restricted_passwordA"
>> JobACL = "Backup projectserve01 files", "Restore projectserve01 files"
>> ClientACL = projectserve01
>> StorageACL = pw_windows
>> ScheduleACL = *all*
>> FileSetACL = projectserve01
>> PoolACL = pw_windows
>> CatalogACL = Bacula_catalog
>> CommandACL = run, restore, help, status, .filesets, autodisplay
>> }
>> ------------------------------------------------------------------------
>>
>> All the commands are working fine - this restricted console has access just
>> to defined resources. But I want to give this console the possibility to
>> cancel one of its own jobs (related in this case to client projectserve01).
>> Adding the command "cancel" in CommandACL, I discovered the restricted
>> console is able to cancel _any_ running job.
>>
>> Am I missing something in the console configuration?
>
> No, I don't think you are missing anything.
>
> This is what I would call a bug or more correctly just an oversight. There are
> probably a good number of such "little" oversights, many of which I corrected
> in version 2.0.0.
>
> I recommend that you submit a bug report with bugs.bacula.org, which will
> ensure that this item is fixed as soon as possible and will not be lost.
>
> Regards,
>
> Kern

We also noticed an 'oddity' in using ACLs. In fact we just started
deciding how and what to enable across our clients. I tested with the
following in my dir.conf

Console {
  Name = EMWhite
  Password = "xxxxxx"
  JobACL = EMWhite
  ClientACL = tls-emwhite-fd
  StorageACL = storage1-tls-emwhite
  ScheduleACL = FullCycle-emwhite
  PoolACL = FullDaily-tls-emwhite-Pool
  FileSetACL = EMWhite
  CatalogACL = DataVault
  CommandACL = exit, status, cancel, run
}

What I saw was that any client can run the status command for its
assigned storage, and the SD reported the status of all volumes.
For instance, running the commands 'st' > '2' > 'storage1-tls-emwhite'
returned the status of every storage device on storage1, not just the
status of storage1-tls-emwhite.

If this is correct, can I avoid it?

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?
Maybe they forgot who made that choice possible.
_______________________________________________
Bacula-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-users
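
Added example, not part of the thread and not Bacula code: a small Python audit that reads Director configuration text and lists restricted Console resources whose CommandACL grants a command that the posters above report as not being limited by the resource ACLs. The function names and the REPORTED_UNSCOPED table are hypothetical; the table's contents are an assumption taken only from the two reports in this thread (cancel, status), and the sample is constructed from the first console quoted above.

```python
import re

# Commands posters in this thread report as not limited by the console's
# resource ACLs (assumption: taken from the thread, not from Bacula docs).
REPORTED_UNSCOPED = {
    "cancel": "reported to cancel any running job, not only jobs in JobACL",
    "status": "reported to show every device on the storage daemon",
}
RESOURCE_ACLS = ("jobacl", "clientacl", "storageacl", "poolacl", "filesetacl")

def split_acl(value):
    """Split an ACL value on commas, keeping double-quoted items whole."""
    found = re.findall(r'"([^"]*)"|([^,\s][^,]*)', value)
    return [(q or u).strip() for q, u in found if (q or u).strip()]

def parse_consoles(text):
    """Return one dict (lower-cased directive -> list of values) per Console."""
    consoles = []
    for body in re.findall(r'^\s*Console\s*\{(.*?)^\s*\}', text, re.S | re.M | re.I):
        res = {}
        for line in body.splitlines():
            # Drop '#' comments, but keep a '#' inside a quoted string.
            line = re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", line)
            if "=" in line:
                key, value = line.split("=", 1)
                key = "".join(key.split()).lower()  # names ignore case and spaces
                res.setdefault(key, []).extend(split_acl(value))
        consoles.append(res)
    return consoles

def audit(text):
    """Return (console, command, reason) for each reported-unscoped grant."""
    findings = []
    for res in parse_consoles(text):
        # A console counts as restricted unless every resource ACL is *all*.
        if all("*all*" in res.get(k, []) for k in RESOURCE_ACLS):
            continue
        name = (res.get("name") or ["?"])[0]
        for cmd in (c.lower() for c in res.get("commandacl", [])):
            if cmd in REPORTED_UNSCOPED:
                findings.append((name, cmd, REPORTED_UNSCOPED[cmd]))
    return findings

# Constructed sample: first console from the thread, abridged, "cancel" added.
SAMPLE = '''Console {
  Name = projectserve01
  JobACL = "Backup projectserve01 files", "Restore projectserve01 files"
  CommandACL = run, restore, help, status, cancel
}'''
if __name__ == "__main__": print(audit(SAMPLE))
```

Each finding is a grant to review by hand; whether a given Director version still behaves as reported here has to be checked against that version.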