From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id BB4E672322 for ; Wed, 6 Oct 2021 17:28:10 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ADA73F352 for ; Wed, 6 Oct 2021 17:28:10 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 62F3AF33B for ; Wed, 6 Oct 2021 17:28:08 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id CBE284584F for ; Wed, 6 Oct 2021 17:20:05 +0200 (CEST) From: Dylan Whyte To: pbs-devel@lists.proxmox.com Date: Wed, 6 Oct 2021 17:19:57 +0200 Message-Id: <20211006151957.437820-2-d.whyte@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211006151957.437820-1-d.whyte@proxmox.com> References: <20211006151957.437820-1-d.whyte@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.577 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 2/2] docs: Update for new features/functionality X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Oct 2021 15:28:10 -0000 Update GUI section and GUI instructions to reflect current layout and features List OpenID connect in possible realms (user management) Link Access Control section when referring to it (user management) Include Tape roles in access control section Minor formatting changes Signed-off-by: Dylan Whyte --- docs/gui.rst | 41 +++++++++++++++++++++++++++------------- docs/storage.rst | 10 +++++----- docs/user-management.rst | 32 +++++++++++++++++++++++-------- 3 files changed, 57 insertions(+), 26 deletions(-) diff --git a/docs/gui.rst b/docs/gui.rst index bbe59e5a..c7ae5b90 100644 --- a/docs/gui.rst +++ b/docs/gui.rst @@ -49,12 +49,13 @@ GUI Overview The Proxmox Backup Server web interface consists of 3 main sections: -* **Header**: At the top. This shows version information, and contains buttons to view - documentation, monitor running tasks, set the language and logout. -* **Sidebar**: On the left. This contains the configuration options for +* **Header**: At the top. This shows version information and contains buttons to + view documentation, monitor running tasks, set the language, configure various + display settings, and logout. +* **Sidebar**: On the left. This contains the administration options for the server. -* **Configuration Panel**: In the center. This contains the control interface for the - configuration options in the *Sidebar*. +* **Configuration Panel**: In the center. This contains the respective control + interfaces for the administration options in the *Sidebar*. Sidebar @@ -75,12 +76,14 @@ previous and currently running tasks, and subscription information. Configuration ^^^^^^^^^^^^^ -The Configuration section contains some system configuration options, such as -time and network configuration. It also contains the following subsections: +The Configuration section contains some system options, such as time, network, +WebAuthn, and HTTP proxy configuration. It also contains the following +subsections: * **Access Control**: Add and manage users, API tokens, and the permissions associated with these items * **Remotes**: Add, edit and remove remotes (see :term:`Remote`) +* **Certificates**: Manage ACME accounts and create SSL certificates. * **Subscription**: Upload a subscription key, view subscription status and access a text-based system report. @@ -99,6 +102,7 @@ tasks and information. These are: resource usage statistics * **Services**: Manage and monitor system services * **Updates**: An interface for upgrading packages +* **Repositories**: An interface for configuring APT repositories * **Syslog**: View log messages from the server * **Tasks**: Task history with multiple filter options @@ -120,11 +124,20 @@ Tape Backup :align: right :alt: Tape Backup: Tape changer overview -The `Tape Backup`_ section contains a top panel, managing tape media sets, -inventories, drives, changers and the tape backup jobs itself. +The `Tape Backup`_ section contains a top panel, with options for managing tape +media sets, inventories, drives, changers, encryption keys, and the tape backup +jobs itself. The tabs are as follows: -It also contains a subsection per standalone drive and per changer, with a -status and management view for those devices. +* **Content**: Information on the contents of the tape backup +* **Inventory**: Manage the tapes attached to the system +* **Changers**: Manage tape loading devices +* **Drives**: Manage drives used for reading and writing to tapes +* **Media Pools**: Manage logical pools of tapes +* **Encryption Keys**: Manage tape backup encryption keys +* **Backup Jobs**: Manage tape backup jobs + +The section also contains a subsection per standalone drive and per changer, +with a status and management view for those devices. Datastore ^^^^^^^^^ @@ -145,5 +158,7 @@ can use the top panel to view: collection ` operations, and run garbage collection manually * **Sync Jobs**: Create, manage and run :ref:`syncjobs` from remote servers -* **Verify Jobs**: Create, manage and run :ref:`maintenance_verification` jobs on the - datastore +* **Verify Jobs**: Create, manage and run :ref:`maintenance_verification` jobs + on the datastore +* **Options**: Configure notification and verification settings +* **Permissions**: Manage permissions on the datastore diff --git a/docs/storage.rst b/docs/storage.rst index 562da160..4b692503 100644 --- a/docs/storage.rst +++ b/docs/storage.rst @@ -15,7 +15,7 @@ accessed using the ``disk`` subcommand. This subcommand allows you to initialize disks, create various filesystems, and get information about the disks. To view the disks connected to the system, navigate to **Administration -> -Disks** in the web interface or use the ``list`` subcommand of +Storage/Disks** in the web interface or use the ``list`` subcommand of ``disk``: .. code-block:: console @@ -42,9 +42,9 @@ To initialize a disk with a new GPT, use the ``initialize`` subcommand: :alt: Create a directory You can create an ``ext4`` or ``xfs`` filesystem on a disk using ``fs -create``, or by navigating to **Administration -> Disks -> Directory** in the -web interface and creating one from there. The following command creates an -``ext4`` filesystem and passes the ``--add-datastore`` parameter, in order to +create``, or by navigating to **Administration -> Storage/Disks -> Directory** +in the web interface and creating one from there. The following command creates +an ``ext4`` filesystem and passes the ``--add-datastore`` parameter, in order to automatically create a datastore on the disk (in this case ``sdd``). This will create a datastore at the location ``/mnt/datastore/store1``: @@ -57,7 +57,7 @@ create a datastore at the location ``/mnt/datastore/store1``: :alt: Create ZFS You can also create a ``zpool`` with various raid levels from **Administration --> Disks -> Zpool** in the web interface, or by using ``zpool create``. The command +-> Storage/Disks -> ZFS** in the web interface, or by using ``zpool create``. The command below creates a mirrored ``zpool`` using two disks (``sdb`` & ``sdc``) and mounts it under ``/mnt/datastore/zpool1``: diff --git a/docs/user-management.rst b/docs/user-management.rst index 435e0368..f5734bbe 100644 --- a/docs/user-management.rst +++ b/docs/user-management.rst @@ -21,11 +21,13 @@ choose the realm when you add a new user. Possible realms are: :pbs: Proxmox Backup Server realm. This type stores hashed passwords in ``/etc/proxmox-backup/shadow.json``. -After installation, there is a single user ``root@pam``, which -corresponds to the Unix superuser. User configuration information is stored in the file -``/etc/proxmox-backup/user.cfg``. You can use the -``proxmox-backup-manager`` command line tool to list or manipulate -users: +:openid: OpenID Connect server. Users can authenticate against an external + OpenID Connect server. + +After installation, there is a single user, ``root@pam``, which corresponds to +the Unix superuser. User configuration information is stored in the file +``/etc/proxmox-backup/user.cfg``. You can use the ``proxmox-backup-manager`` +command line tool to list or manipulate users: .. code-block:: console @@ -71,7 +73,7 @@ The resulting user list looks like this: │ root@pam │ 1 │ │ │ │ │ Superuser │ └──────────┴────────┴────────┴───────────┴──────────┴──────────────────┴──────────────────┘ -Newly created users do not have any permissions. Please read the Access Control +Newly created users do not have any permissions. Please read the :ref:`user_acl` section to learn how to set access permissions. You can disable a user account by setting ``--enable`` to ``0``: @@ -193,6 +195,18 @@ following roles exist: **RemoteSyncOperator** Is allowed to read data from a remote. +**TapeAudit** + Can view tape related configuration and status + +**TapeAdministrat** + Can do anything related to tape backup + +**TapeOperator** + Can do tape backup and restore (but no configuration changes) + +**TapeReader** + Can read and inspect tape configuration and media content + .. image:: images/screenshots/pbs-gui-user-management-add-user.png :align: right :alt: Add permissions for user @@ -370,7 +384,8 @@ For WebAuthn to work, you need to have two things: setups. Once you have fulfilled both of these requirements, you can add a WebAuthn -configuration in the *Access Control* panel. +configuration in the **Two Factor Authentication** tab of the **Access Control** +panel. .. _user_tfa_setup_recovery_keys: @@ -382,7 +397,8 @@ Recovery Keys :alt: Add a new user Recovery key codes do not need any preparation; you can simply create a set of -recovery keys in the *Access Control* panel. +recovery keys in the **Two Factor Authentication** tab of the **Access Control** +panel. .. note:: There can only be one set of single-use recovery keys per user at any time. -- 2.30.2