KOPIA server: SERVER_CONTROL_USER

iBackup · April 6, 2022, 11:15pm

Hi,

What is this user for: SERVER_CONTROL_USER ?

A test server:

repo=/path/2/repo/dir
kopia repository create filesystem --path=${repo}

export KOPIA_SERVER_CONTROL_USER='control-sever'
export KOPIA_SERVER_CONTROL_PASSWORD='SuperP@5w0rd'

kopia server start \
  --ui \
  --tls-cert-file "${repo}/srv.cert" \
  --tls-key-file "${repo}/srv.key" \
  --address 0.0.0.0:51515 \
  --async-repo-connect

It accepts credentials and allowed me to bypass basic HTTP authentication as a SERVER_CONTROL_USER, but all I got is:

UI Access denied. See https://github.com/kopia/kopia/issues/880#issuecomment-798421751 for more information.

But this link is related more to KOPIA_SERVER_USERNAME that works fine and allow to see web UI, the same as with kopiaUI. I understand that KOPIA_SERVER_USERNAME is a client to particular instance of repository and can be used in the same way as kopiaUI with given local repository, but what is SERVER_CONTROL_USER is for?

BTW, the mentioned option --allow-repository-users referenced in the issue #880 is unknown in recent 0.10.6 version of kopia, as well it isn’t present in any source files and as result attempt to login as registered repository user (created with kopia server user add xxx@zzz) to the server instance directly (not from remote machine that is subject to back to kopia’s repository server) it failed too and returns link to issue #880

jkowalski · April 7, 2022, 7:08am

This user is for control operations, it’s primarily used by KopiaUI by can also be used for triggering snapshots:

Here’s the current list of APIs that require this user:

github.com

kopia/kopia/blob/5d87d817335f6d547e094ab80062113dc3a1fdf4/internal/server/server.go#L169

      
        
            	m.HandleFunc("/api/v1/contents/{contentID}", s.handleRepositoryAPI(requireContentAccess(auth.AccessLevelAppend), handleContentPut)).Methods(http.MethodPut)
            	m.HandleFunc("/api/v1/contents/prefetch", s.handleRepositoryAPI(requireContentAccess(auth.AccessLevelRead), handleContentPrefetch)).Methods(http.MethodPost)
            
            
	m.HandleFunc("/api/v1/manifests/{manifestID}", s.handleRepositoryAPI(handlerWillCheckAuthorization, handleManifestGet)).Methods(http.MethodGet)
            	m.HandleFunc("/api/v1/manifests/{manifestID}", s.handleRepositoryAPI(handlerWillCheckAuthorization, handleManifestDelete)).Methods(http.MethodDelete)
            	m.HandleFunc("/api/v1/manifests", s.handleRepositoryAPI(handlerWillCheckAuthorization, handleManifestCreate)).Methods(http.MethodPost)
            	m.HandleFunc("/api/v1/manifests", s.handleRepositoryAPI(handlerWillCheckAuthorization, handleManifestList)).Methods(http.MethodGet)
            }
            
            
// SetupControlAPIHandlers registers control API handlers.
            func (s *Server) SetupControlAPIHandlers(m *mux.Router) {
            	// server control API, requires authentication as `server-control` and no CSRF token.
            	m.HandleFunc("/api/v1/control/sources", s.handleServerControlAPI(handleSourcesList)).Methods(http.MethodGet)
            	m.HandleFunc("/api/v1/control/status", s.handleServerControlAPIPossiblyNotConnected(handleRepoStatus)).Methods(http.MethodGet)
            	m.HandleFunc("/api/v1/control/flush", s.handleServerControlAPI(handleFlush)).Methods(http.MethodPost)
            	m.HandleFunc("/api/v1/control/refresh", s.handleServerControlAPI(handleRefresh)).Methods(http.MethodPost)
            	m.HandleFunc("/api/v1/control/shutdown", s.handleServerControlAPIPossiblyNotConnected(handleShutdown)).Methods(http.MethodPost)
            	m.HandleFunc("/api/v1/control/trigger-snapshot", s.handleServerControlAPI(handleUpload)).Methods(http.MethodPost)
            	m.HandleFunc("/api/v1/control/cancel-snapshot", s.handleServerControlAPI(handleCancel)).Methods(http.MethodPost)
            	m.HandleFunc("/api/v1/control/pause-source", s.handleServerControlAPI(handlePause)).Methods(http.MethodPost)
            	m.HandleFunc("/api/v1/control/resume-source", s.handleServerControlAPI(handleResume)).Methods(http.MethodPost)

iBackup · April 7, 2022, 2:46pm

Thank you very much for response as well for the kopia !

guerby · April 15, 2022, 7:46am

I’ve been trying to make “kopia server status” work by setting those variables at server launch (kopia repository server with local dir as backend) and in the client but no luck:

$ kopia server status 
kopia: error: unable to list sources: 400 Bad Request, try --help

Any idea what I’m missing?

iBackup · April 15, 2022, 2:04pm

You should run it something like that:

kopia server status --remote \
--address https://8.8.8.8:51515 \
--server-cert-fingerprint=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx	\ <<SHA2 hash that been generate on certificate creation
--server-control-username=your-ctrl-user  \
--server-password=and-here-his-passwd

Topic		Replies	Views
Server UI user (server-control-username) hardcoded to "kopia"? Support	0	61	September 23, 2024
I can't access "kopia server: Support	0	1360	December 4, 2021
Repo password vs. Kopia server htpasswd Support	5	2177	October 26, 2021
3 Client PCs Backup To Repository Server - How To? Support	5	202	July 30, 2024
Where to set: --server-control-username and --server-control-password Support	6	321	August 17, 2024

KOPIA server: SERVER_CONTROL_USER

Related topics