Veeam Storage Plugin for DataCore - Define a role to access DataCore with least privilege

  • 19 February 2022

A Veeam storage plugin needs to control your storage device in a way. Therefore you need a user account inside your storage system. The same of course is true for the DataCore plugin.

From a security standpoint one always wants to grant only the least amount of permissions to the user. Avoid using a global admin here to minimize your attack surface!

Here I will describe how to achieve that with the Veeam storage plugin for DataCore:

First create a new role inside your DataCore console. In the screenshot the permissions to attach to the role are shown:

Veeam storage plugin for DataCore - Role permissions

Once the role is set up, you can create the user inside DataCore and select the role to assign it to:

Veeam storage plugin for DataCore - Create the user for Veeam access

Finally you will have to create a local user of the exact same name inside all Windows servers involved in your DataCore cluster. Usually one has two nodes in a mirrored cluster. As the nodes are not supposed to be joined to a Windows domain, you have to manually make sure that username and password are the same on all the nodes. Now from the VBR plugin you can connect to DataCore using this user with the least amount of permissions necessary.
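
The last step above, sketched as an added example that is not part of the original post: it creates (or resets) the same local account on each node and reports whether the account is enabled and whether it sits in the local Administrators group. The node names and the user name are hypothetical, and it assumes PowerShell remoting to the non-domain nodes is already configured (for example via TrustedHosts or HTTPS listeners).

```powershell
# Hypothetical values: replace with your DataCore node names and the
# user name you registered in the DataCore console.
$Nodes    = 'DCS-NODE1', 'DCS-NODE2'
$UserName = 'svc-veeam'

# Credentials of a local administrator on the nodes, and the password the
# service account must share on every node. Nothing is stored in the script.
$AdminCred = Get-Credential -Message 'Local administrator on the DataCore nodes'
$Password  = Read-Host -Prompt "Password for $UserName" -AsSecureString

$report = foreach ($node in $Nodes) {
    Invoke-Command -ComputerName $node -Credential $AdminCred `
        -ArgumentList $UserName, $Password -ScriptBlock {
        param($Name, $Pw)

        $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
        if ($user) {
            # Account already exists: bring the password in line with the other nodes.
            Set-LocalUser -Name $Name -Password $Pw
        } else {
            $user = New-LocalUser -Name $Name -Password $Pw `
                -Description 'Veeam storage plugin access to DataCore'
        }

        # S-1-5-32-544 is the well-known SID of the built-in Administrators
        # group, so the lookup also works on localized Windows installs.
        $adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value

        [pscustomobject]@{
            Node                  = $env:COMPUTERNAME
            User                  = $user.Name
            Enabled               = $user.Enabled
            InLocalAdministrators = $adminSids -contains $user.SID.Value
        }
    }
}

# One row per node; review any row where the account is disabled or
# unexpectedly a member of the local Administrators group.
$report | Format-Table Node, User, Enabled, InLocalAdministrators
```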

 


Very interesting, will need to take a look at DataCore.


I think using the least possible permissions is a good practice with every device.

Thank you for this, Michael.

Hello Michael,

Thank you for sharing.

Just a quick question here with regards to Veeam Backup Server placement in order to leverage the Veeam Storage Plugin for DataCore.

In most of the DataCore deployments, we use two DataCore Servers connected to each other over DAC cables and iSCSI transport protocol (Hyperconverged Virtual SAN scenario). In such a scenario, does it make sense to deploy the Veeam backup server in a VM in order for its virtual NIC adapters to be able to reach the DataCore front-end ports?

Thanks!

Massimiliano

Hi Massimiliano.

We deploy the VBR server as a VM most of the time. So this at least makes total sense to me.

Regarding the network you have to be in: I would count DataCore to the inner circle of the management layer. So either you have to have firewall rules to be able to reach it through REST API calls from your VBR server or you have to place the VBR server in the same security ring of your network to be able to gain access to the functionality.

Same is true for a HCI scenario. Here you might also think of having a second network leg into DataCore's management network from your VBR VM.

Best,

Michael
