juju deploy bootstack-charmers-juju-backup-all

Security Hardening Guide

This page is an overview of how to configure Juju Backup All securely. For more information about the security concerns, see the Explanation/Security/Risks section of the charm documentation.

Create a dedicated Juju user for backup

To reduce the attack surface, a dedicated Juju user should be created for this charm. The dedicated Juju user should only have access to the required Juju model.

1. Create a Juju user on the controller

export CONTROLLER_NAME=my-controller
export BACKUP_USER_NAME=juju-backup-all-user

# Create a new Juju user on the controller
juju add-user --controller $CONTROLLER_NAME $BACKUP_USER_NAME

# Generate a password and store it securely somewhere
juju change-user-password $BACKUP_USER_NAME

2. Grant the Juju user appropriate permissions

The dedicated Juju user should be granted only the necessary permissions.

2.1 Backup Databases

If you only want to back up databases, you only need to grant the Juju user admin access to the model containing the database charms.

export MODEL=admin/mysql
export BACKUP_USER_NAME=juju-backup-all-user
  
# Grant the user with admin access to a particular model.
juju grant $BACKUP_USER_NAME admin $MODEL

2.2 Backup Juju Controller

If you need to back up the controller, the Juju user must be granted the superuser permission on the controller and the admin permission on the controller model.

Note that in this case the Juju user is a privileged user that can grant itself any permissions.

export MODEL=admin/controller
export BACKUP_USER_NAME=juju-backup-all-user

# Grant the user superuser permission; this is required to access the
# controller's database (grant this only if you want to back up the controller)
juju grant $BACKUP_USER_NAME superuser

# Grant the user admin access; this is required to access the Juju controller's API for backup
juju grant $BACKUP_USER_NAME admin $MODEL

3. Update charm config to use the dedicated Juju user

After you have created the new Juju user, create a separate Juju controller file and account file for this charm.

  1. Prepare separate YAML files for the Juju controller (e.g. jba_controllers.yaml) and account (e.g. jba_accounts.yaml).
  2. Update the permissions of those files so that they are readable only by the owner.
  3. Update the charm config to use those files.

juju config juju-backup-all controllers=@jba_controllers.yaml accounts=@jba_accounts.yaml
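
A pre-flight check for step 3, as an added example that is not part of the charm's own documentation: it creates the files owner-only from the start and refuses to run `juju config` if either file is readable beyond the owner or if the accounts file names any user other than the dedicated one. The helper function names are hypothetical, and the `user:` check assumes the accounts file follows the layout of the Juju client's accounts.yaml.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; file names follow the guide.

# Create an empty file that is owner-only from the start (umask 077), and
# refuse to reuse an existing file whose mode may already be too open.
new_private_file() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null ||
        { echo "$1: already exists or cannot be created" >&2; return 1; }
}

# Succeed only if $1 is a regular file (not a symlink), owned by the current
# user, with no permission bits set for group or others.
check_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] ||
        { echo "$1: not a regular file" >&2; return 1; }
    [ -O "$1" ] || { echo "$1: not owned by the current user" >&2; return 1; }
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] ||
        { echo "$1: accessible beyond the owner" >&2; return 1; }
}

# Succeed only if every "user:" entry in the accounts file is the dedicated
# backup user. Assumes the Juju client accounts.yaml layout.
check_accounts_user() {
    users=$(sed -n 's/^[[:space:]]*user:[[:space:]]*//p' "$1" | sort -u)
    [ "$users" = "$2" ] ||
        { echo "$1: expected only user '$2'" >&2; return 1; }
}

# Run all checks, then hand the files to the charm.
apply_backup_credentials() {
    check_private_file "$1" && check_private_file "$2" &&
        check_accounts_user "$2" "$3" &&
        juju config juju-backup-all "controllers=@$1" "accounts=@$2"
}

# Usage:
#   apply_backup_credentials jba_controllers.yaml jba_accounts.yaml juju-backup-all-user
```

Create both files with `new_private_file` before writing credentials into them, so the password is never on disk with a wider mode, even briefly.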

Last updated 4 months ago.