Veritas NetBackup™ DataStore SDK Programmer's Guide for XBSA 1.1.0
NetBackup object ownership
Default behavior
When the NetBackup XBSA interface is used to create an object, by default the owner of the object is the logon user of the process that created the object. The default group of the object is also set to the logon user name: not the primary group of the logon user, but exactly the same name as the logon user. The permissions of the file are set to 600, or 'rw-------', which is read/write for the owner and no access for anyone else. This requires that the user restoring an object be an administrator or the same user that created the object. The XBSA objectOwner fields are saved in the NetBackup catalog with the object, but they are kept as attributes of the object and are not used for security purposes.
Ownership options
Using the XBSA environment variables NBBSA_USE_OBJECT_OWNER, NBBSA_USE_OBJECT_GROUP, NBBSA_OBJECT_OWNER, and NBBSA_GROUP_OWNER, an agent can change the default owner. These variables let the XBSA agent specify who owns the objects.
Note:
Specifying object ownership only works when creating objects using BSACreateObject(). Accessing the objects by BSAQueryObject() and BSAGetObject() is dependent on the logon process having permissions to access the objects. So if user_Y creates an object with an object owner of user_X, then user_X or an administrator (root) can access and restore the object, but user_Y cannot.
Object owner
To specify the owner of an object, the XBSA environment variable NBBSA_USE_OBJECT_OWNER needs to be set. There are four values that this variable can be set to. These values are defined in nbbsa.h.
    /*
     * XBSA values to use to define how to specify NetBackup object ownership
     */
    #define VxLOGIN_USER   0  /* Default, owner/group field is set to the logon user */
    #define VxLOGIN_GROUP  1  /* group field is set to the primary group of the logon user */
    #define VxBSA_OWNER    2  /* owner/group field is set to \
                                 objectDescriptor->objectOwner.bsa_ObjectOwner */
    #define VxAPP_OWNER    3  /* owner/group field is set to \
                                 objectDescriptor->objectOwner.app_ObjectOwner */
    #define VxENV_OWNER    4  /* owner/group field is set to value of \
                                 NBBSA_OBJECT_OWNER/NBBSA_OBJECT_GROUP */
VxLOGIN_USER is the default behavior that you would get if the NBBSA_USE_OBJECT_OWNER variable wasn't set.
VxLOGIN_GROUP does not apply to object ownership.
VxBSA_OWNER sets the object owner to the value stored in the objectDescriptor field objectOwner.bsa_ObjectOwner. The value in the bsa_ObjectOwner field must be a valid user name without any spaces in the name. The value in objectOwner.bsa_ObjectOwner is still stored as an attribute of the object and a query must correctly specify this field in the query descriptor to successfully find the object.
VxAPP_OWNER sets the object owner to the value stored in the objectDescriptor field objectOwner.app_ObjectOwner. The value in the app_ObjectOwner field must be a valid user name without any spaces in the name. The value in objectOwner.app_ObjectOwner is still stored as an attribute of the object and a query needs to correctly specify this field in the query descriptor to successfully find the object.
VxENV_OWNER sets the object owner to the value of the XBSA environmental variable NBBSA_OBJECT_OWNER. The value stored in the NBBSA_OBJECT_OWNER must be a valid user name without any spaces in the name.
The variables NBBSA_USE_OBJECT_OWNER and NBBSA_OBJECT_OWNER can be changed within a transaction so that an XBSA agent can set different ownerships of each object in a transaction.
Object group
An XBSA agent can also change the group ownership of an object. When the group ownership is set by one of these options, other than the default, the permissions on the object are set to 660, or 'rw-rw----', which is read/write for owner and group. This allows any user in the specified group to access and restore the object.
To specify the group of an object, the XBSA environment variable NBBSA_USE_OBJECT_GROUP needs to be set. There are five values that this variable can be set to. These values are defined in nbbsa.h.
    /*
     * XBSA values to use to define how to specify NetBackup object ownership
     */
    #define VxLOGIN_USER   0  /* Default, owner/group field is set to the logon user */
    #define VxLOGIN_GROUP  1  /* group field is set to the primary group of the logon user */
    #define VxBSA_OWNER    2  /* owner/group field is set to \
                                 objectDescriptor->objectOwner.bsa_ObjectOwner */
    #define VxAPP_OWNER    3  /* owner/group field is set to \
                                 objectDescriptor->objectOwner.app_ObjectOwner */
    #define VxENV_OWNER    4  /* owner/group field is set to value of \
                                 NBBSA_OBJECT_OWNER/NBBSA_OBJECT_GROUP */
VxLOGIN_USER is the default behavior that you would get if the NBBSA_USE_OBJECT_GROUP variable was not set. The group name is the same name as the owner field, whether that is the logon user or a user name defined by one of the other options, and the permissions of the object will be 600, owner read/write only.
VxLOGIN_GROUP sets the group field to the primary group of the logon user.
VxBSA_OWNER sets the object group to the value stored in the objectDescriptor field objectOwner.bsa_ObjectOwner. The value in the bsa_ObjectOwner field must be a valid user name without any spaces in the name. The value in objectOwner.bsa_ObjectOwner is still stored as an attribute of the object and a query must correctly specify this field in the query descriptor to successfully find the object.
VxAPP_OWNER sets the object group to the value stored in the objectDescriptor field objectOwner.app_ObjectOwner. The value in the app_ObjectOwner field must be a valid user name without any spaces in the name. The value in objectOwner.app_ObjectOwner is still stored as an attribute of the object and a query must correctly specify this field in the query descriptor to successfully find the object.
VxENV_OWNER sets the object group to the value of the XBSA environmental variable NBBSA_OBJECT_GROUP. The value stored in the NBBSA_OBJECT_GROUP must be a valid user name without any spaces in the name.
The variables NBBSA_USE_OBJECT_GROUP and NBBSA_OBJECT_GROUP can be changed within a transaction so that an XBSA agent can set different group ownerships of each object in a transaction.