From 39cb038c288eda7ebf8d14bdfe28ac4b1c910f4f Mon Sep 17 00:00:00 2001 From: "Johannes M. Scheuermann" Date: Tue, 22 Oct 2024 17:12:51 +0200 Subject: [PATCH 1/3] Add docs for required minimal permissions of the fdbbackup and backup_agent --- documentation/sphinx/source/backups.rst | 29 +++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/documentation/sphinx/source/backups.rst b/documentation/sphinx/source/backups.rst index 274e0d2dc29..abb02747000 100644 --- a/documentation/sphinx/source/backups.rst +++ b/documentation/sphinx/source/backups.rst @@ -61,6 +61,35 @@ By default, the FoundationDB packages are configured to start a single ``backup_ If instead you want to perform a backup to the local disk of a particular machine or machines which are not network accessible to the FoundationDB servers, then you should disable the backup agents on the FoundationDB servers. This is accomplished by commenting out all of the ``[backup_agent.]`` sections in :ref:`foundationdb.conf `. Do not comment out the global ``[backup_agent]`` section. Next, start backup agents on the destination machine or machines. Now, when you start a backup, you can specify the destination directory (as a Backup URL) using a local path on the destination machines. The backup agents will fetch data from the database and store it locally on the destination machines. +Blobstore Access Permisions +=========== + +If a remote blobstore like AWS S3 is used to store the backup data, you should ensure to restrict the backup agent permissions as much as possible. +You can either use the same policy for the ``backup_agent`` and ``fdbbackup`` or separate those. +Note: Your actual required permissions might be different, depending on your setup and requirements. + +Required permissions for the ``backup_agent`` and ``fdbbackup`` at the bucket level: + +:: + + s3:ListBucket + + +Required permissions for the ``backup_agent`` and ``fdbbackup`` at the object level for a specific bucket: + +:: + + s3:AbortMultipartUpload + s3:PutObject + s3:GetObject + s3:DeleteObject + s3:ListBucketMultipartUploads + s3:ListMultipartUploadParts + +Note: If you want that the ``backup_agent`` or ``fdbbackup`` can create a bucket, you have to add the ``s3:CreateBucket`` permission. +If you want to encrypt the data at rest in S3 you have to make sure that S3 is properly configured and that the `backup_agent` and `fdbbackup` have access to [KMS] +For additional information read the AWS S3 documention for `Policy Actions `_ or the equivalent documentation for your blobstore. + Backup URLs =========== From fcacfbd46c687776217f0690d30f5583e0ff2fa6 Mon Sep 17 00:00:00 2001 From: "Johannes M. Scheuermann" Date: Mon, 25 Nov 2024 12:38:52 +0100 Subject: [PATCH 2/3] Update docs with feedback --- documentation/sphinx/source/backups.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/sphinx/source/backups.rst b/documentation/sphinx/source/backups.rst index abb02747000..fd418db9647 100644 --- a/documentation/sphinx/source/backups.rst +++ b/documentation/sphinx/source/backups.rst @@ -61,10 +61,10 @@ By default, the FoundationDB packages are configured to start a single ``backup_ If instead you want to perform a backup to the local disk of a particular machine or machines which are not network accessible to the FoundationDB servers, then you should disable the backup agents on the FoundationDB servers. This is accomplished by commenting out all of the ``[backup_agent.]`` sections in :ref:`foundationdb.conf `. Do not comment out the global ``[backup_agent]`` section. Next, start backup agents on the destination machine or machines. Now, when you start a backup, you can specify the destination directory (as a Backup URL) using a local path on the destination machines. The backup agents will fetch data from the database and store it locally on the destination machines. -Blobstore Access Permisions +Blobstore Access Permissions =========== -If a remote blobstore like AWS S3 is used to store the backup data, you should ensure to restrict the backup agent permissions as much as possible. +If a remote blobstore, like AWS S3, is used to store the backup data, you should ensure to restrict the backup agent permissions as much as possible. You can either use the same policy for the ``backup_agent`` and ``fdbbackup`` or separate those. Note: Your actual required permissions might be different, depending on your setup and requirements. @@ -87,7 +87,7 @@ Required permissions for the ``backup_agent`` and ``fdbbackup`` at the object le s3:ListMultipartUploadParts Note: If you want that the ``backup_agent`` or ``fdbbackup`` can create a bucket, you have to add the ``s3:CreateBucket`` permission. -If you want to encrypt the data at rest in S3 you have to make sure that S3 is properly configured and that the `backup_agent` and `fdbbackup` have access to [KMS] +If you want to encrypt the data at rest in S3 you have to make sure that S3 is properly configured and that the `backup_agent` and `fdbbackup` have access to `KMS `_. For additional information read the AWS S3 documention for `Policy Actions `_ or the equivalent documentation for your blobstore. Backup URLs From 2a6a432db9231cdbb95d4bb0f7c40405ce537f96 Mon Sep 17 00:00:00 2001 From: "Johannes M. Scheuermann" Date: Mon, 25 Nov 2024 16:47:38 +0100 Subject: [PATCH 3/3] Fix Title underline too short --- documentation/sphinx/source/backups.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/sphinx/source/backups.rst b/documentation/sphinx/source/backups.rst index fd418db9647..7b45d94f7f4 100644 --- a/documentation/sphinx/source/backups.rst +++ b/documentation/sphinx/source/backups.rst @@ -62,7 +62,7 @@ By default, the FoundationDB packages are configured to start a single ``backup_ If instead you want to perform a backup to the local disk of a particular machine or machines which are not network accessible to the FoundationDB servers, then you should disable the backup agents on the FoundationDB servers. This is accomplished by commenting out all of the ``[backup_agent.]`` sections in :ref:`foundationdb.conf `. Do not comment out the global ``[backup_agent]`` section. Next, start backup agents on the destination machine or machines. Now, when you start a backup, you can specify the destination directory (as a Backup URL) using a local path on the destination machines. The backup agents will fetch data from the database and store it locally on the destination machines. Blobstore Access Permissions -=========== +============================ If a remote blobstore, like AWS S3, is used to store the backup data, you should ensure to restrict the backup agent permissions as much as possible. You can either use the same policy for the ``backup_agent`` and ``fdbbackup`` or separate those.