IBM Fusion

IBM Fusion

Ask questions, exchange ideas, and learn about IBM Fusion

 View Only

Fusion Backup and Restore of Cloudpak for Data as a Non-admin User

By AshaRani GR posted Mon September 23, 2024 01:50 AM

  

Introduction

This guide provides step-by-step instructions on how a non-admin user can perform backup and restore operations for a Cloud Pak for Data (CPD) application using Fusion Backup and Restore CRs in an OpenShift environment. By following these steps, you will learn how to set up the environment, assign appropriate roles, and execute backup and restore tasks effectively.

Background

Fusion Backup and Restore was initially an administrator-only feature, preventing non-admin users from performing these tasks on any application. This limitation restricted RBAC support, preventing specific users from carrying out backup and restore activities within designated namespaces.

Procedure

Executed the following  steps from the Linux system

A user may skip the 'Non-admin User Creation' section if a non-admin user already exists on the OpenShift cluster. In all subsequent steps, replace the username 'test' with the existing user's name.

Non-admin User creation:

  1. Install `htpasswd` tool:

Install the `htpasswd` command-line tool, which is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users

sudo yum install https-tools

    2.  Create a User

Create a user using the `htpasswd` tool. Replace `test` and `test123` with the desired username and password

htpasswd -c -B -b users.htpasswd test test123

Verify the user creation:

htpasswd -b -v users.htpasswd test test123

   3. Create a Secret for User Authentication

Log in to openshift cluster CLI as the kubeadmin user and create a secret to store the `htpasswd` file:

oc create secret generic htpass-secret \

--from-file=htpasswd=./users.htpasswd \ -n openshift-config

  4. Configure HTPasswd Identity Provider

Create a configuration file to set up the HTPasswd identity provider:

cat <<EOF | oc apply -f -

apiVersion: config.openshift.io/v1 kind: OAuth metadata: name: cluster spec: identityProviders: - name: admins_htpasswd_provider   mappingMethod: claim   type: HTPasswd   htpasswd:     fileData:       name: htpass-secret EOF

Grant the non-admin user(test) the required access to perform backup and restore operations:

 5.  Assign Roles to the User

 Assign the necessary roles to the user `test` to enable the user to perform backup and restore operations:

oc adm policy add-role-to-user backuppolicies.data-protection.isf.ibm.com-v1alpha1-admin test

oc adm policy add-role-to-user backups.data-protection.isf.ibm.com-v1alpha1-admin test oc adm policy add-role-to-user backupstoragelocations.data-protection.isf.ibm.com-v1alpha1-admin testoc adm policy add-role-to-user deletebackuprequests.data-protection.isf.ibm.com-v1alpha1-admin test oc adm policy add-role-to-user migrateapps.data-protection.isf.ibm.com-v1alpha1-admin testoc adm policy add-role-to-user policyassignments.data-protection.isf.ibm.com-v1alpha1-admin test oc adm policy add-role-to-user recipes.spp-data-protection.isf.ibm.com-v1alpha1-admin test oc adm policy add-role-to-user restores.data-protection.isf.ibm.com-v1alpha1-admin test

Install IBM Cloud Pak for Data

6.  As a user, install Cloud Pak for Data  by following the installation documentation. Below is the high-level procedure for performing the installation.

Manually creating projects (namespaces) for an instance of IBM Cloud Pak for Data

Applying the required permissions to the projects (namespaces) for an instance of IBM Cloud Pak for Data

Authorising a user to act as an IBM Cloud Pak for Data instance administrator

Create a project

    6a.  Create required projects (namespaces) for IBM Cloud Pak for Data:

oc new-project cpd-operator

oc new-project cpd-instance

    6b.  Authorise Instance Topology: Configure the instance topology by running:

./cpd-cli manage authorize-instance-topology \

--cpd_operator_ns=cpd-operator \ --cpd_instance_ns=cpd-instance

    6c:  Authorise Instance Administrator: 

Grant the necessary permissions for the user to manage IBM Cloud Pak for Data.

A cluster administrator must complete this task

cat auth.yaml

apiVersion: rbac.authorization.k8s.io/v1

kind: Role

metadata:

  name: cpd-instance-admin-apply-olm

namespace: ${PROJECT_CPD_INST_OPERATORS}

rules:

- apiGroups:   - operators.coreos.com   resources:   - catalogsources   - operatorgroups   - subscriptions - clusterserviceversions   - installplans verbs:
  - create   - update   - patch
- get - list

oc apply -f auth.yaml role.rbac.authorization.k8s.io/cpd-instance-admin-apply-olm create

oc get rolebinding -n cpd-operator NAME                                 ROLE                                      AGE admin                                ClusterRole/admin                         16h cpd-instance-admin-rbac              ClusterRole/admin                         16h nss-managed-role-from-cpd-operator   Role/nss-managed-role-from-cpd-operator   16h system:deployers                     ClusterRole/system:deployer               16h system:image-builders                ClusterRole/system:image-builder          16h
system:image-pullers                 ClusterRole/system:image-puller           16h

oc adm policy add-role-to-user cpd-instance-admin-apply-olm test \
--namespace=cpd-operator \ --role-namespace=cpd-operator \ --rolebinding-name="cpd-instance-admin-apply-olm-rbac" role.rbac.authorization.k8s.io/cpd-instance-admin-apply-olm added: "test"

    6d:  Installing an instance of IBM Cloud Pak for Data

Log in to Red Hat OpenShift Container Platform as a user (test) to complete the task.

oc login --token=sha256XXXXX- --server=https://URL

WARNING: Using insecure TLS client config. Setting this option is not supported! Logged into "https://URL" as "test" using the token provided. You have access to the following projects and can switch between them with 'oc project <projectname>': * cpd-instance    cpd-operator
Using project "cpd-instance".

6e: Run the cpd-cli manage setup-instance-topology to install IBM Cloud Pak foundational services and create the required ConfigMap

./cpd-cli manage setup-instance-topology \ --release=5.0.0 \
--cpd_operator_ns=cpd-operator \ --cpd_instance_ns=cpd-instance \ --license_acceptance=true \ --block_storage_class=ibm-storage-fusion-cp-sc

    6f:  Installing IBM Cloud Pak for Data Control plane

An instance administrator(test user) must complete the appropriate tasks to install an instance of IBM Cloud Pak for Data on the cluster.

./cpd-cli manage get-license \ --release=5.0.0 \ --license-type=EE

   6g: Install the operators in the cpd-operator project for the instance.

./cpd-cli manage apply-olm \

--release=5.0.0 \ --cpd_operator_ns=cpd-operator \ --components=cpd_platform

If the apply-olm fails check for the roles:

oc get Role cpd-instance-admin-apply-olm -oyaml

apiVersion: rbac.authorization.k8s.io/v1kind: Role

metadata:

  annotations:

    kubectl.kubernetes.io/last-applied-configuration: |

      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"cpd-instance-admin-apply-olm","namespace":"cpd-operator"},"rules":[{"apiGroups":["operators.coreos.com"],"resources":["operatorgroups"],"verbs":["create","get","list","patch","update"]},{"apiGroups":["operators.coreos.com"],"resources":["catalogsources"],"verbs":["create","patch","update","get","list"]}]}

  creationTimestamp: "2024-05-07T06:17:24Z"

  name: cpd-instance-admin-apply-olm

  namespace: cpd-operator

  resourceVersion: "6442291"

  uid: 3500302f-665e-4605-a320-eb32f8c89168

rules:

- apiGroups:

  - operators.coreos.com

  resources:

  - operatorgroups

  verbs:

  - create

  - get

  - list

  - patch

  - update

- apiGroups:

  - operators.coreos.com

  resources:

  - catalogsources

  verbs:

  - create

  - patch

  - update

  - get

  - list

   6h:  Create Cloudpak for Data instance:

./cpd-cli manage apply-cr \ --release=${VERSION} \ --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \ --components=cpd_platform \ --block_storage_class=${STG_CLASS_BLOCK} \ --file_storage_class=${STG_CLASS_FILE} \
--license_acceptance=true

   6i:  Validate Cloudpak for Data installation:

./cpd-cli manage get-cr-status \                                                                           

--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}

[INFO] Output the result in the below chart: Component     CR-kind        CR-name            Namespace     Status     Version    Creationtimestamp     Reconciled-version    Operator-info ------------  -------------  -----------------  ------------  ---------  ---------  --------------------  --------------------  ----------------------------------- cpfs          CommonService  common-service     cpd-instance  Succeeded  N/A        2024-05-07T09:52:01Z  N/A                   N/A cpfs          CommonService  im-common-service  cpd-instance  Succeeded  N/A        2024-05-07T23:51:20Z  N/A                   N/A zen           ZenService     lite-cr            cpd-instance  Completed  6.0.0      2024-05-07T23:50:27Z  6.0.0                 zen operator 6.0.0 build 302 cpd_platform  Ibmcpd         ibmcpd-cr          cpd-instance  Completed  5.0.0      2024-05-07T23:47:55Z  5.0.0                 cpdPlatform operator 6.0.0 build 32 The get_cr_status.py script ran successfully. End of the log. ================================================================ [SUCCESS] 2024-05-07T20:09:09.161893Z The get-cr-status command ran successfully.

Perform Backup Operations

7: Fusion Backup creation using Custom Resources(CRs):

Log in as the `kubeadmin` and create a backup storage location:

Note: Non-admin user will not have the privilege to add backup storage. 

oc create -f storagelocation.yaml

Sample storage location YAML file:

cat storagelocation.yaml apiVersion: v1 data: access-key-id: XXXXX
secret-access-key: XXXXXX kind: Secret metadata: name: backup-storage-secret-0
namespace: ibm-spectrum-fusion-ns --- apiVersion: data-protection.isf.ibm.com/v1alpha1 kind: BackupStorageLocation metadata: name: s3-testuser
namespace: ibm-spectrum-fusion-ns spec: type: s3 credentialName: backup-storage-secret-0 provider: isf-backup-restore
params:

    bucket: <storage_bucket_name>

8: Create a backup policy and assign it to Cloudpak for Data operator namespace :

Note: A non-admin user (test) can create backup policies and assign them to an application.

Login as test user to the cluster and create a backup policy.

oc apply -f backuppolicy.yaml

Sample backup policy:

cat backuppolicy.yaml

apiVersion: data-protection.isf.ibm.com/v1alpha1 kind: BackupPolicy metadata:
name: daily-policy namespace: ibm-spectrum-fusion-ns spec: provider: isf-backup-restore backupStorageLocation: s3-testuser retention:    number: 10    unit: days schedule:    cron: "30 10 * * *"    timezone: America/Los_Angeles

Assign the above created policy to the application:

oc create -f policyassignment.yaml

Sample policy assignment file.

cat policyassignment.yaml apiVersion: data-protection.isf.ibm.com/v1alpha1 kind: PolicyAssignment metadata: name: backup-policy-assignment-example namespace: ibm-spectrum-fusion-ns spec: application: cpd-operator backupPolicy: daily-policy

9: Install Cloudpak for Data backup/restore capability (cpdbr ) :

As cluster administrator. Login to cpd-cli.

./cpd-cli oadp install \

--component=cpdbr-tenant \ --tenant-operator-namespace=cpd-operator \ --cpdbr-hooks-image-prefix=icr.io/cpopen/cpd \ --log-level=debug \ --verbose

    9a. Validate cpdbr install on the instance:

oc get pod -n cpd-operator | grep cpdbr cpdbr-tenant-service-684c5fb758-tk8g4                             1/1     Running     0          57s

    9b: Validate Fusion Backup recipe:

oc get frcpe -n cpd-operator ibmcpd-tenant NAME            AGE ibmcpd-tenant   81s

   9c:  Check the policy assignment:

oc get policyassignments.data-protection.isf.ibm.com -n  ibm-spectrum-fusion-ns NAME                               CLUSTER   APPLICATION    BACKUPPOLICY   RECIPE   RECIPENAMESPACE   PHASE      LASTBACKUPTIMESTAMP   CAPACITY backup-policy-assignment-example             cpd-operator   daily-policy                              Assigned                         <no value>

    9d.  If recipe “ibmcpd-tenant “ is not mapped to the policy assignment then manually patch the policy assignment to map the recipe:

oc -n ibm-spectrum-fusion-ns patch policyassignment backup-policy-assignment-example --type merge -p '{"spec":{"recipe":{"name":"ibmcpd-tenant", "namespace":"cpd-operator", "apiVersion":"spp-data-protection.isf.ibm.com/v1alpha1"}}}'

policyassignment.data-protection.isf.ibm.com/backup-policy-assignment-example patched
oc get policyassignments.data-protection.isf.ibm.com -n  ibm-spectrum-fusion-ns NAME                               CLUSTER   APPLICATION    BACKUPPOLICY   RECIPE          RECIPENAMESPACE   PHASE      LASTBACKUPTIMESTAMP   CAPACITY backup-policy-assignment-example             cpd-operator   daily-policy   ibmcpd-tenant   cpd-operator      Assigned                         <no value>

10. Create backup CR for on-demand backup

Login as test user.

cat CR_Ondemand_backup.yaml apiVersion: data-protection.isf.ibm.com/v1alpha1 kind: Backup metadata:  name: backup-test-user-job namespace: ibm-spectrum-fusion-ns spec: appCluster: apps.ocp-c.cpst-lab.ibm.com application: cpd-operator backupPolicy: daily-policy

oc create -f CR_Ondemand_backup.yaml backup.data-protection.isf.ibm.com/backup-test-user-job created

Allow some time for the backup to complete. As the test user, validate the backup's success by running the following command:

oc get backups.data-protection.isf.ibm.com -n ibm-spectrum-fusion-ns NAME                   CLUSTER   APPLICATION    PHASE       STARTTIME              ENDTIME                EXPIRATION             OBJECTSNUM   OBJECTSPROCESSED   SIZE(BYTES) backup-test-user-job             cpd-operator   Completed   2024-05-08T15:03:46Z   2024-05-08T15:10:24Z   2024-05-18T15:10:26Z   13           0                  429471518

10. Restore of CP4D on target cluster:

Login to target cluster as non-admin(test) user. As “test” user, create a restore file to initiate the restore operation on the target cluster:

cat backup-restore.yaml apiVersion: data-protection.isf.ibm.com/v1alpha1 kind: Restore metadata:
name: restore-cpd-test-user-job namespace: ibm-spectrum-fusion-ns spec: backup: backup-test-user-job

Apply the restore file:

oc create -f backup-restore.yaml

Restore is successful:

oc get restores.data-protection.isf.ibm.com -n ibm-spectrum-fusion-ns

NAME                              BACKUP                                                             TARGETCLUSTER                  POLICYASSIGNMENT   PHASE               STARTTIME              ENDTIME                OBJECTSNUM   OBJECTSPROCESSED

restore-cpd-test-user-job backup-test-user-job   target.cluster.ibm.com                      Completed           2024-05-08T23:00:42Z   2024-05-08T23:30:11Z   25           1

A screenshot of a computer

Description automatically generated

Conclusion

This document provides guidance on how a non-admin user can perform backup and restore operations on IBM Storage Fusion using specific roles and permissions. This approach ensures that data protection tasks are delegated safely without granting full administrative privileges to other OpenShift users.

References:

Backup and restore commands
https://www.ibm.com/docs/en/storage-fusion-software/2.8.x?topic=restore-backup-commands

Installing IBM Cloud Pak for Data

https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=installing

Cloud Pak for Data online backup and restore to the same cluster

https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=restore-online-backup-same-cluster

Cloud Pak for Data online backup and restore to a different cluster (disaster recovery)

https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x?topic=restore-online-backup-different-cluster-disaster-recovery

0 comments
34 views

Permalink