juju-backup-all reference - hardening

charm
,
1

Security Hardening Guide

This page is an overview of how to configure Juju Backup All securely. For more information about the security concern, see the Explaination/Security/Risks section of the charm documentation.

Create a dedicated Juju user for backup

To reduce the attack surface, a dedicated Juju user should be created for this charm. The dedicated Juju user should only have access to the required Juju model.

1. Create a Juju user on the controller

export CONTROLLER_NAME=my-controller
export BACKUP_USER_NAME=juju-backup-all-user

# Create a new Juju user on the controller
juju add-user --controller $CONTROLLER_NAME $BACKUP_USER_NAME

# Generate a password and store it in securely somewhere
juju change-user-password $BACKUP_USER_NAME

2. Grant the Juju user with appropriate permissions

The dedicated Juju user should only be granted with necessary permissions.

2.1 Backup Databases

If you only want to backup databases, you only need to grant the Juju user admin access to the model containing the database charms.

export MODEL=admin/mysql
export BACKUP_USER_NAME=juju-backup-all-user
  
# Grant the user with admin access to a particular model.
juju grant $BACKUP_USER_NAME admin $MODEL

2.2 Backup Juju Controller

If you need to backup the controller, the Juju user must be granted superuser permission for the controller, and the admin permission on the controller model.

Note, in this case, the Juju user is a privileged user that can grant itself any permissions.

export MODEL=admin/controller
export BACKUP_USER_NAME=juju-backup-all-user

# Grant the user with superuser permission; this is required to access the controller's database (grant this only if you want to backup controller)
juju grant $BACKUP_USER_NAME superuser

# Grant the user with admin access; this is required to access Juju controller's API for backup
juju grant $BACKUP_USER_NAME admin $MODEL

3. Update charm config to use the dedicated Juju user

After you created the new Juju user, a separated Juju controller and account file should be created for this charm.

  1. Prepare separated YAML files for Juju controller (e.g. jba_controllers.yaml) and account (e.g. jba_account.yaml).
  2. Update the permission of those files to be only readable by the owner.
  3. Update the charm config to use those files.
juju config juju-backup-all controllers=@jba_controllers.yaml accounts=@jba_accounts.yaml