Introduction
This guide provides step-by-step instructions on how a non-admin user can perform backup and restore operations for a Cloud Pak for Data (CPD) application using Fusion Backup and Restore CRs in an OpenShift environment. By following these steps, you will learn how to set up the environment, assign appropriate roles, and execute backup and restore tasks effectively.
Background
Fusion Backup and Restore was initially an administrator-only feature, preventing non-admin users from performing these tasks on any application. This limitation restricted RBAC support, preventing specific users from carrying out backup and restore activities within designated namespaces.
Procedure
Execute the following steps from a Linux system.
A user may skip the 'Non-admin User Creation' section if a non-admin user already exists on the OpenShift cluster. In all subsequent steps, replace the username 'test' with the existing user's name.
Non-admin User creation:
1. Install the `htpasswd` tool:
Install the `htpasswd` command-line tool, which is used to create and update the flat files that store usernames and passwords for basic authentication of HTTP users. On RHEL-based systems it is shipped in the `httpd-tools` package:
sudo yum install httpd-tools
2. Create a User
Create a user with the `htpasswd` tool. Replace `test` and `test123` with the desired username and password:
htpasswd -c -B -b users.htpasswd test test123
Verify the user creation:
htpasswd -b -v users.htpasswd test test123
3. Create a Secret for User Authentication
Log in to the OpenShift cluster CLI as the kubeadmin user and create a secret to store the `htpasswd` file:
oc create secret generic htpass-secret \
--from-file=htpasswd=./users.htpasswd \
-n openshift-config
4. Configure HTPasswd Identity Provider
Create a configuration file to set up the HTPasswd identity provider:
cat <<EOF | oc apply -f -
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: admins_htpasswd_provider
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
EOF
5. Assign Roles to the User
Grant the non-admin user (test) the access required to perform backup and restore operations by assigning the necessary Fusion roles:
oc adm policy add-role-to-user backuppolicies.data-protection.isf.ibm.com-v1alpha1-admin test
oc adm policy add-role-to-user backups.data-protection.isf.ibm.com-v1alpha1-admin test
oc adm policy add-role-to-user backupstoragelocations.data-protection.isf.ibm.com-v1alpha1-admin test
oc adm policy add-role-to-user deletebackuprequests.data-protection.isf.ibm.com-v1alpha1-admin test
oc adm policy add-role-to-user migrateapps.data-protection.isf.ibm.com-v1alpha1-admin test
oc adm policy add-role-to-user policyassignments.data-protection.isf.ibm.com-v1alpha1-admin test
oc adm policy add-role-to-user recipes.spp-data-protection.isf.ibm.com-v1alpha1-admin test
oc adm policy add-role-to-user restores.data-protection.isf.ibm.com-v1alpha1-admin test
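As an added check that is not part of the original guide, a cluster administrator can confirm that the `test` user received exactly the Fusion permissions intended and nothing more, using `oc auth can-i --as` (impersonation, which cluster-admin has). The script below is my own, not IBM's; it assumes the Fusion CRs are created in `ibm-spectrum-fusion-ns` as in the later steps, and that the user must not be able to read Secrets (the object-store credentials), write to `openshift-config`, or create RoleBindings. `OC` can be pointed at a stand-in command for offline use.

```shell
#!/usr/bin/env bash
# Least-privilege audit for the non-admin backup user (added example, not from the guide).
# Assumptions: oc is on PATH and the caller may impersonate users (cluster-admin can);
# OC, USER_NAME and FUSION_NS may be overridden from the environment.
OC="${OC:-oc}"
USER_NAME="${USER_NAME:-test}"
FUSION_NS="${FUSION_NS:-ibm-spectrum-fusion-ns}"

# check_access VERB RESOURCE NAMESPACE EXPECTED(yes|no)
# Asks `oc auth can-i` on behalf of the user; returns 0 when the answer matches EXPECTED.
check_access() {
  local verb="$1" resource="$2" ns="$3" expected="$4" answer
  # `oc auth can-i` prints yes/no and exits non-zero on "no"; treat any other outcome as "no".
  answer=$({ "$OC" auth can-i "$verb" "$resource" --as="$USER_NAME" -n "$ns" 2>/dev/null || true; } \
           | tr -d '[:space:]')
  [ "$answer" = yes ] || answer=no
  if [ "$answer" = "$expected" ]; then
    printf 'OK   %-6s %-48s %-24s %s\n' "$verb" "$resource" "$ns" "$answer"
    return 0
  fi
  printf 'FAIL %-6s %-48s %-24s got=%s want=%s\n' "$verb" "$resource" "$ns" "$answer" "$expected"
  return 1
}

# audit_user runs every check and prints "mismatches: N" as its last line.
audit_user() {
  local failures=0 r
  # Expected ALLOWED: the Fusion CRs granted in step 5, in the namespace where they are created.
  for r in backups.data-protection.isf.ibm.com restores.data-protection.isf.ibm.com \
           backuppolicies.data-protection.isf.ibm.com policyassignments.data-protection.isf.ibm.com; do
    check_access create "$r" "$FUSION_NS" yes || failures=$((failures + 1))
  done
  # Expected DENIED: credentials Secrets, the identity-provider namespace, and self-granting roles.
  check_access get secrets "$FUSION_NS" no || failures=$((failures + 1))
  check_access create secrets openshift-config no || failures=$((failures + 1))
  check_access create rolebindings "$FUSION_NS" no || failures=$((failures + 1))
  echo "mismatches: $failures"
}

# Run the audit; every FAIL line is a binding to review before handing the user the cluster.
audit_user
```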
Install IBM Cloud Pak for Data
6. As the test user, install Cloud Pak for Data by following the installation documentation. The high-level procedure is:
Manually creating projects (namespaces) for an instance of IBM Cloud Pak for Data
Applying the required permissions to the projects (namespaces) for an instance of IBM Cloud Pak for Data
Authorising a user to act as an IBM Cloud Pak for Data instance administrator
Create a project
6a. Create required projects (namespaces) for IBM Cloud Pak for Data:
oc new-project cpd-operator
oc new-project cpd-instance
6b. Authorise the instance topology by running:
./cpd-cli manage authorize-instance-topology \
--cpd_operator_ns=cpd-operator \
--cpd_instance_ns=cpd-instance
6c. Authorise the instance administrator:
Grant the permissions that the user needs to manage IBM Cloud Pak for Data. A cluster administrator must complete this task.
cat auth.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cpd-instance-admin-apply-olm
  namespace: ${PROJECT_CPD_INST_OPERATORS}
rules:
- apiGroups:
  - operators.coreos.com
  resources:
  - catalogsources
  - operatorgroups
  - subscriptions
  - clusterserviceversions
  - installplans
  verbs:
  - create
  - update
  - patch
  - get
  - list
oc apply -f auth.yaml
role.rbac.authorization.k8s.io/cpd-instance-admin-apply-olm created
oc get rolebinding -n cpd-operator
NAME                                 ROLE                                        AGE
admin                                ClusterRole/admin                           16h
cpd-instance-admin-rbac              ClusterRole/admin                           16h
nss-managed-role-from-cpd-operator   Role/nss-managed-role-from-cpd-operator     16h
system:deployers                     ClusterRole/system:deployer                 16h
system:image-builders                ClusterRole/system:image-builder            16h
system:image-pullers                 ClusterRole/system:image-puller             16h
oc adm policy add-role-to-user cpd-instance-admin-apply-olm test \
--namespace=cpd-operator \
--role-namespace=cpd-operator \
--rolebinding-name="cpd-instance-admin-apply-olm-rbac"
role.rbac.authorization.k8s.io/cpd-instance-admin-apply-olm added: "test"
6d. Installing an instance of IBM Cloud Pak for Data
Log in to Red Hat OpenShift Container Platform as the user (test) to complete the task.
oc login --token=sha256XXXXX- --server=https://URL
WARNING: Using insecure TLS client config. Setting this option is not supported!
Logged into "https://URL" as "test" using the token provided.
You have access to the following projects and can switch between them with 'oc project <projectname>':
* cpd-instance
cpd-operator
Using project "cpd-instance".
6e. Run `cpd-cli manage setup-instance-topology` to install IBM Cloud Pak foundational services and create the required ConfigMap:
./cpd-cli manage setup-instance-topology \
--release=5.0.0 \
--cpd_operator_ns=cpd-operator \
--cpd_instance_ns=cpd-instance \
--license_acceptance=true \
--block_storage_class=ibm-storage-fusion-cp-sc
6f. Installing the IBM Cloud Pak for Data control plane
An instance administrator (the test user) must complete the following tasks to install an instance of IBM Cloud Pak for Data on the cluster.
./cpd-cli manage get-license \
--release=5.0.0 \
--license-type=EE
6g. Install the operators in the cpd-operator project for the instance:
./cpd-cli manage apply-olm \
--release=5.0.0 \
--cpd_operator_ns=cpd-operator \
--components=cpd_platform
If apply-olm fails, check the role that was actually applied:
oc get Role cpd-instance-admin-apply-olm -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"cpd-instance-admin-apply-olm","namespace":"cpd-operator"},"rules":[{"apiGroups":["operators.coreos.com"],"resources":["operatorgroups"],"verbs":["create","get","list","patch","update"]},{"apiGroups":["operators.coreos.com"],"resources":["catalogsources"],"verbs":["create","patch","update","get","list"]}]}
  creationTimestamp: "2024-05-07T06:17:24Z"
  name: cpd-instance-admin-apply-olm
  namespace: cpd-operator
  resourceVersion: "6442291"
  uid: 3500302f-665e-4605-a320-eb32f8c89168
rules:
- apiGroups:
  - operators.coreos.com
  resources:
  - operatorgroups
  verbs:
  - create
  - get
  - list
  - patch
  - update
- apiGroups:
  - operators.coreos.com
  resources:
  - catalogsources
  verbs:
  - create
  - patch
  - update
  - get
  - list
6h. Create the Cloud Pak for Data instance:
./cpd-cli manage apply-cr \
--release=${VERSION} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--components=cpd_platform \
--block_storage_class=${STG_CLASS_BLOCK} \
--file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true
6i. Validate the Cloud Pak for Data installation:
./cpd-cli manage get-cr-status \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}
[INFO] Output the result in the below chart:
Component      CR-kind         CR-name             Namespace      Status      Version   Creationtimestamp      Reconciled-version   Operator-info
------------   -------------   -----------------   ------------   ---------   -------   --------------------   ------------------   -----------------------------------
cpfs           CommonService   common-service      cpd-instance   Succeeded   N/A       2024-05-07T09:52:01Z   N/A                  N/A
cpfs           CommonService   im-common-service   cpd-instance   Succeeded   N/A       2024-05-07T23:51:20Z   N/A                  N/A
zen            ZenService      lite-cr             cpd-instance   Completed   6.0.0     2024-05-07T23:50:27Z   6.0.0                zen operator 6.0.0 build 302
cpd_platform   Ibmcpd          ibmcpd-cr           cpd-instance   Completed   5.0.0     2024-05-07T23:47:55Z   5.0.0                cpdPlatform operator 6.0.0 build 32
The get_cr_status.py script ran successfully. End of the log.
================================================================
[SUCCESS] 2024-05-07T20:09:09.161893Z The get-cr-status command ran successfully.

Perform Backup Operations
7. Fusion Backup creation using Custom Resources (CRs):
Log in as `kubeadmin` and create a backup storage location:
Note: A non-admin user does not have the privilege to add a backup storage location.
oc create -f storagelocation.yaml
Sample storage location YAML file (the values under `data:` in the Secret must be base64-encoded):
cat storagelocation.yaml
apiVersion: v1
data:
  access-key-id: XXXXX
  secret-access-key: XXXXXX
kind: Secret
metadata:
  name: backup-storage-secret-0
  namespace: ibm-spectrum-fusion-ns
---
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: BackupStorageLocation
metadata:
  name: s3-testuser
  namespace: ibm-spectrum-fusion-ns
spec:
  type: s3
  credentialName: backup-storage-secret-0
  provider: isf-backup-restore
  params:
    bucket: <storage_bucket_name>
8. Create a backup policy and assign it to the Cloud Pak for Data operator namespace:
Note: A non-admin user (test) can create backup policies and assign them to an application.
Log in to the cluster as the test user and create a backup policy.
oc apply -f backuppolicy.yaml
Sample backup policy:
cat backuppolicy.yaml
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: BackupPolicy
metadata:
  name: daily-policy
  namespace: ibm-spectrum-fusion-ns
spec:
  provider: isf-backup-restore
  backupStorageLocation: s3-testuser
  retention:
    number: 10
    unit: days
  schedule:
    cron: "30 10 * * *"
    timezone: America/Los_Angeles
Assign the policy created above to the application:
oc create -f policyassignment.yaml
Sample policy assignment file:
cat policyassignment.yaml
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: PolicyAssignment
metadata:
  name: backup-policy-assignment-example
  namespace: ibm-spectrum-fusion-ns
spec:
  application: cpd-operator
  backupPolicy: daily-policy
9. Install the Cloud Pak for Data backup/restore capability (cpdbr):
As a cluster administrator, log in with cpd-cli and run:
./cpd-cli oadp install \
--component=cpdbr-tenant \
--tenant-operator-namespace=cpd-operator \
--cpdbr-hooks-image-prefix=icr.io/cpopen/cpd \
--log-level=debug \
--verbose
9a. Validate the cpdbr install on the instance:
oc get pod -n cpd-operator | grep cpdbr
cpdbr-tenant-service-684c5fb758-tk8g4 1/1 Running 0 57s
9b. Validate the Fusion Backup recipe:
oc get frcpe -n cpd-operator ibmcpd-tenant
NAME AGE
ibmcpd-tenant 81s
9c. Check the policy assignment:
oc get policyassignments.data-protection.isf.ibm.com -n ibm-spectrum-fusion-ns
NAME                               CLUSTER   APPLICATION    BACKUPPOLICY   RECIPE   RECIPENAMESPACE   PHASE      LASTBACKUPTIMESTAMP   CAPACITY
backup-policy-assignment-example             cpd-operator   daily-policy                              Assigned   <no value>
9d. If the recipe "ibmcpd-tenant" is not mapped to the policy assignment, manually patch the policy assignment to map the recipe:
oc -n ibm-spectrum-fusion-ns patch policyassignment backup-policy-assignment-example --type merge -p '{"spec":{"recipe":{"name":"ibmcpd-tenant", "namespace":"cpd-operator", "apiVersion":"spp-data-protection.isf.ibm.com/v1alpha1"}}}'
policyassignment.data-protection.isf.ibm.com/backup-policy-assignment-example patched
oc get policyassignments.data-protection.isf.ibm.com -n ibm-spectrum-fusion-ns
NAME                               CLUSTER   APPLICATION    BACKUPPOLICY   RECIPE          RECIPENAMESPACE   PHASE      LASTBACKUPTIMESTAMP   CAPACITY
backup-policy-assignment-example             cpd-operator   daily-policy   ibmcpd-tenant   cpd-operator      Assigned   <no value>
10. Create a backup CR for an on-demand backup
Log in as the test user.
cat CR_Ondemand_backup.yaml
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: Backup
metadata:
  name: backup-test-user-job
  namespace: ibm-spectrum-fusion-ns
spec:
  appCluster: apps.ocp-c.cpst-lab.ibm.com
  application: cpd-operator
  backupPolicy: daily-policy
oc create -f CR_Ondemand_backup.yaml
backup.data-protection.isf.ibm.com/backup-test-user-job created
Allow some time for the backup to complete. As the test user, validate the backup's success by running the following command:
oc get backups.data-protection.isf.ibm.com -n ibm-spectrum-fusion-ns
NAME                   CLUSTER   APPLICATION    PHASE       STARTTIME              ENDTIME                EXPIRATION             OBJECTSNUM   OBJECTSPROCESSED   SIZE(BYTES)
backup-test-user-job             cpd-operator   Completed   2024-05-08T15:03:46Z   2024-05-08T15:10:24Z   2024-05-18T15:10:26Z   13           0                  429471518
11. Restore of CP4D on the target cluster:
Log in to the target cluster as the non-admin (test) user and create a restore file to initiate the restore operation on the target cluster:
cat backup-restore.yaml
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: Restore
metadata:
  name: restore-cpd-test-user-job
  namespace: ibm-spectrum-fusion-ns
spec:
  backup: backup-test-user-job
Apply the restore file:
oc create -f backup-restore.yaml
Verify that the restore completed successfully:
oc get restores.data-protection.isf.ibm.com -n ibm-spectrum-fusion-ns
NAME                        BACKUP                 TARGETCLUSTER            POLICYASSIGNMENT   PHASE       STARTTIME              ENDTIME                OBJECTSNUM   OBJECTSPROCESSED
restore-cpd-test-user-job   backup-test-user-job   target.cluster.ibm.com                      Completed   2024-05-08T23:00:42Z   2024-05-08T23:30:11Z   25           1

Conclusion
This document provides guidance on how a non-admin user can perform backup and restore operations on IBM Storage Fusion using specific roles and permissions. This approach ensures that data protection tasks are delegated safely without granting full administrative privileges to other OpenShift users.
References:
Backup and restore commands
https://www.ibm.com/docs/en/storage-fusion-software/2.8.x?topic=restore-backup-commands
Installing IBM Cloud Pak for Data
https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=installing
Cloud Pak for Data online backup and restore to the same cluster
https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=restore-online-backup-same-cluster
Cloud Pak for Data online backup and restore to a different cluster (disaster recovery)
https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=restore-online-backup-different-cluster-disaster-recovery