User roles and permissions
Note the following for user authentication:
An Administrator must define the custom user credentials by creating a secret; and then provide the secret name at the time of primary server deployment.
A custom user is assigned the role of a NetBackup Security Administrator and can access the NetBackup Web UI after deployment.
A custom user will be persisted during the pods restart or upgrade.
For the custom user, you can change only the password after the deployment. The changed password will be persisted. If the username is changed after the deployment, an error message will be logged in the Operator pod.
You can delete the secret after the primary server deployment. In that case, if you want to deploy or scale the media servers, you must create a new secret with the same username which was used in the primary server CR. The password can be the same or different. If you change the password, it is also changed in the primary server pod, and gets persisted.
Do not create a local user in the pods (using the kubectl exec or useradd commands) as this user may or may not be persisted.
The Amazon Web Service user is supported through Single Sign-on (SSO). For the detailed user integration information, refer to the NetBackup Administrator's Guide Volume I.
An user is available in primary server container. This user is used as while creating data collector policy for data collection on NetBackup IT Analytics portal.
Service account that is used for this deployment is and it is defined in the
operator_deployment.yaml.NetBackup runs most of the primary server services and daemons as non-root user and only and are supported as a service account user.
ClusterRole named is set in the NetBackup Operator to define the cluster wide permissions to the resources. This is defined in the
operator_deployment.yaml.Appropriate roles and EKS specific permissions are set to the cluster at the time of cluster creation.
After successful deployment of the primary and media servers, the operator creates a custom Kubernetes role with name
<resourceNamePrefix>-adminwhereasresourceNamePrefixis given in primary server or media server CR specification.The following permissions are provided in the respective namespaces:
Resource name
API group
Allowed operations
ConfigMaps
default
Create
Delete
Get
List
Patch
Update
Watch
Nodes
default
Get
List
This role can be assigned to the NetBackup Administrator to view the pods that were created, and to execute into them. For more information on the access control, see Kubernetes Access Control Documentation.
Note:
One role would be created, only if primary and media servers are in same namespace with the same resource name prefix.
NetBackup Operator deployment uses a serviceAccount and it must have the following permissions:
Table:
Resource Name | API Group | Allowed Operations |
|---|---|---|
ConfigMaps | default |
|
Nodes | default |
|
PersistentVolumeClaims | default |
|
Pods | default |
|
Pods/exec | default |
|
Secret | default |
|
Services | default |
|
StatefulSet | app |
|
Jobs | batch |
|
Primary servers | netbackup.veritas.com |
|
PrimaryServers/status | netbackup.veritas.com |
|
Media servers | netbackup.veritas.com |
|
MediaServers/status | netbackup.veritas.com |
|
Secrets | netbackup.veritas.com | Watch |
Secrets/status | netbackup.veritas.com |
|
Roles | rbac.authorization.k8s.io |
|
Storageclasses | storage.k8s.io |
|
Deployment | app |
|