IBM Fusion

IBM Fusion

Ask questions, exchange ideas, and learn about IBM Fusion

 View Only

IBM Fusion Backup & Restore: Self-Service Feature for Application Owners and Admins

By Madeva Tuppad posted Mon January 13, 2025 01:03 AM

  

IBM Fusion Backup & Restore has introduced a self-service feature for managing backups and restores operations for application owners and admins with granular permissions. Now application owner and admins have control over backups and restores of their applications within specific namespaces. Also, application owners and admins or any non-cluster admin can become Backup & Restotre admins to manage all the applications backup & restore operations from both Hub and Sploke clusters.

In this blog, we will explore the different roles available in IBM Fusion Backup & Restore and the use of these roles to manage Backup and Restore operations for Application Owner, Application Admins, and Backup & Restore Admins .


Roles Availble for Backup & Restore CRs

Each of the Backup & Restore CRs has specific roles associated with them. These roles are named in the following format:

<CR Name>.data-protection.isf.ibm.com-v1alpha1-<Role> 

These <Role> include:

  • admin: Full administrative access to the Backup & Restore resource.
  • crdview: Access to view the Custom Resource Definitions (CRDs).
  • edit: Allows modifying the Backup & Restore resource.
  • view: Provides read-only access to the Backup & Restore resource.

These <CR Name> include:

backuppolicies, backups, restores, backupstoragelocations, policyassignments, deletebackuprequets, recipes, and recoverbackupcrs.

For example, the IBM Fusion Backup CR has the following roles:

  • backups.data-protection.isf.ibm.com-v1alpha1-admin
  • backups.data-protection.isf.ibm.com-v1alpha1-crdview
  • backups.data-protection.isf.ibm.com-v1alpha1-edit
  • backups.data-protection.isf.ibm.com-v1alpha1-view

Note: If you want to reference a  backuppolicies or backupstoragelocations that is in another namespace, you must specify it in the namespace/<bp-name> or namespace/<bsl-name> format.


Application Owner:

The Application owner can manage Backup and Restore operations on their namespace with required rolebindings created with BnR roles. These users can create backups, restore backups, assign policies, and delete backups, but only within their specific namespace. They also cannot perform Backup & Restore operations on appliactions on Spoke clusters.

Capabilities:

  • Can perform backup, restore, policy assignments, and delete backups within their namespace.
  • Can restore applications to existing, or the same namespaces.
  • Cannot manage backup & Restore operations on Spoke applications.
  • Does not have access to the Fusion UI; operations are carried out through CRs.

Role Bindings:

To grant access to Application owner, execute the following rolebinding commands:

export FUSION_NS=ibm-spectrum-fusion-ns
export APP_USER=app-self-help-user1
export APP_NS=application1

oc create rolebinding ${APP_USER}-list-policies \
  --clusterrole=backuppolicies.data-protection.isf.ibm.com-v1alpha1-view \
  --user=${APP_USER} -n ${FUSION_NS}

oc create rolebinding ${APP_USER}-user-role \
  --clusterrole=basic-user --user=${APP_USER} -n ${APP_NS}

oc create rolebinding ${APP_USER}-assign-policies \
  --clusterrole=policyassignments.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${APP_USER} -n ${APP_NS}

oc create rolebinding ${APP_USER}-backups \
  --clusterrole=backups.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${APP_USER} -n ${APP_NS}

oc create rolebinding ${APP_USER}-restores \
  --clusterrole=restores.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${APP_USER} -n ${APP_NS}

oc create rolebinding ${APP_USER}-delete-backups \
  --clusterrole=deletebackuprequests.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${APP_USER} -n ${APP_NS}

Note: Cluster Admin can grant these accesses.


Application Admin:

The Application Admin can manage Backup and Restore operations on their namespace with required rolebindings created with BnR roles. These users can create backups, restore backups, assign policies, and delete backups, but only within their specific namespace. They also cannot perform Backup & Restore operations on the appliactions on Spoke clusters.

Capabilities:

  • Can manage backups, restores, and policies within the application namespace.
  • Can restore applications to existing, or the same namespaces.
  • Cannot manage backup & Restore operations on Spoke applications.
  • Does not have access to the Fusion UI; operations are carried out through CRs.

Role Bindings:

To grant access to Application Admins, execute the following rolebinding commands:

export FUSION_NS=ibm-spectrum-fusion-ns
export APP_ADMIN=app-admin1
export APP_NS=application1

oc create rolebinding ${APP_ADMIN}-policies-view \
  --clusterrole=backuppolicies.data-protection.isf.ibm.com-v1alpha1-view \
  --user=${APP_ADMIN} -n ${FUSION_NS}

oc create rolebinding ${APP_ADMIN}-user-role \
  --clusterrole=admin --user=${APP_ADMIN} -n ${APP_NS}

Note: Cluster Admin can grant these accesses.


Backup & Restore Admin:

A Non cluster admin can become a Backup & Restore Admin with proper rolebindigns created with BnR roles. They can manage All the Backup & Restore operations for both Hub and Spoke appliactions within a fusion namespace. However they dont have access to Fusion UI. 

Capabilities:

  • Full access to perform all Backup & Restore operations across Hub and Spoke applications.
  • Can restore applications to new, existing, or the same namespaces.
  • Does not have access to the Fusion UI; operations are carried out through CRs.

Role Bindings:

To grant BnR Admin access, execute the following rolebinding commands:

export FUSION_NS=ibm-spectrum-fusion-ns
export BACKUP_ADMIN=backup-restore-admin

oc create rolebinding ${BACKUP_ADMIN}-user-role \
  --clusterrole=basic-user --user=${BACKUP_ADMIN} -n ${FUSION_NS}

oc create rolebinding ${BACKUP_ADMIN}-locations \
  --clusterrole=backupstoragelocations.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${BACKUP_ADMIN} -n ${FUSION_NS}

oc create rolebinding ${BACKUP_ADMIN}-policies \
  --clusterrole=backuppolicies.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${BACKUP_ADMIN} -n ${FUSION_NS}

oc create rolebinding ${BACKUP_ADMIN}-assign-policies \
  --clusterrole=policyassignments.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${BACKUP_ADMIN} -n ${FUSION_NS}

oc create rolebinding ${BACKUP_ADMIN}-backups \
  --clusterrole=backups.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${BACKUP_ADMIN} -n ${FUSION_NS}

oc create rolebinding ${BACKUP_ADMIN}-restores \
  --clusterrole=restores.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${BACKUP_ADMIN} -n ${FUSION_NS}

oc create rolebinding ${BACKUP_ADMIN}-delete-backups \
  --clusterrole=deletebackuprequests.data-protection.isf.ibm.com-v1alpha1-admin \
  --user=${BACKUP_ADMIN} -n ${FUSION_NS}

Note: Cluster Admin can grant these accesses.


Imp: Recover Backup & Restore CRs in Application Namespace

When an application's namespace is accidentally deleted or corrupted, the RecoverBackupCRs CR can be used to recover lost Backup & Restore CRs. This ensures that the application can be restored from the backups.

Example of a RecoverBackupCRs CR:
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: RecoverBackupCRs
metadata:
  name: example
  namespace: <replacement namespace>
spec:
  application: <deleted application namespace>
  reassignPolicies: true  # (Optional: Recreate prior Policy Assignment CRs. Default is false)
  recreateDeleteBackupRequestCRs: false # (Optional: Recreate prior DeleteBackupRequest CRs. Default is false)
  recreateRestoreCRs: false # (Optional: Recreate prior Restore CRs. Default is false)
Steps to Recover from Accidental Deletion or Corruption:
  1. Create a replacement application namespace.
  2. Re-create the Backup & Restore RoleBindings for the new namespace, ensuring they match the original.
  3. Create a RecoverBackupCRs CR in the new namespace, referencing the original namespace.

The Backup & Restore service will verify the administrative RoleBindings and, if they match, will recreate the necessary Backup & Restore resources from metadata. The desired Backup CR can then be used to restore the application from a previous backup.

Note: Cluster Admin can grant these accesses.


Conclusion

IBM Fusion's Backup & Restore self-service feature empowers application owners and admins to manage backup and restore tasks within their specific namespaces, ensuring efficient operations and security. Non cluster admin can become a BnR Admins and they have full control over both Hub and Spoke applications, while Application Admins and Application Users can operate only within their respective namespaces in the Hub cluster.

Additionally, the RecoverBackupCRs feature enables Cluster Admins to recover lost Backup & Restore CRs when an application's namespace is deleted or corrupted, ensuring a smooth recovery process.

1 comment
50 views

Permalink

Comments

Tue February 18, 2025 11:43 AM

Nice blog, useful info you added.