Identify hardened linux repository

[matteu]

Hello,

My function gives me all linux server + the credentials used to register them.
When repository is hardened, no credentials are stored and my function return error. Is there a way to identify if linux managed server is registered with linux account/private key or single use credentials ?

This is my code:

Code: Select all

$LinuxManagedServersReq = Get-VBRServer | where {$_.type -eq "linux"}
$LinuxManagedServers = foreach ($linux in $LinuxManagedServersReq)
{
    [pscustomobject]@{
        Name = $linux.name
        Credentials = (Get-VBRCredentials | where {$_.id -eq $linux.GetSshCreds().credsid.guid}).name
    }
}

It's normal my script return error but I would like to know how I can identify my server was registred with single use credential to manage it

[oleg.feoktistov]

Hi matteu,

If you add single use credentials for your hardened repo, no ssh creds are found and exception is thrown. So, you just need to add some error handling and, I think, some property, which would indicate if repository is hardened given the creds are null. Example:

Code: Select all

$servers = Get-VBRServer | where {$_.Type -eq 'Linux'}
$linuxServers = foreach ($linux in $servers) {
try {
$sshCreds = $linux.GetSshCreds()
$creds = (Get-VBRCredentials | where {$_.Id -eq $sshCreds.CredsId}).Name
$isHardened = $false
}
catch  {
 if ($_.CategoryInfo.Category -eq 'NotSpecified') {
   $creds = $null
   $isHardened = $true
 }
}

  [pscustomobject]@{
    Name = $linux.Name
    Credentials = $creds
    IsHardened = $isHardened
  }
}

Thanks,
Oleg

[matteu]

Hello,

Thanks for your answer.
What you submit is the first idea I had but it's not a "technical" solution.

There is no way to identify it's an hardened repository ?

[oleg.feoktistov]

My mistake was that I let myself think single use credentials is enough to define a repository as hardened. But that's just the best practices. The main point is immutability. So, you need to check if immutability is enabled on your repo:

Code: Select all

$repo = Get-VBRBackupRepository -Name 'LinuxRepo'
$repo.IsImmutabilityEnabled()

If in your specific case you define your repository as hardened when both immutability and single us credentials used, there is, indeed, no separate
property like "IsHardened" to indicate both.

Thanks!

[matteu]

Thanks for your answer.
Unfortunately, there is no "good" way to do it I think...

for this, the attribute AuthType should be set when we use single use authentication...

I will use the following code but I don't like it. :

Code: Select all

Write-host "Linux Managed Servers"
$LinuxManagedServersReq = Get-VBRServer | where {$_.type -eq "linux"}
$LinuxManagedServers = foreach ($linux in $LinuxManagedServersReq)
{
    $credentials = try
                    {
                        (Get-VBRCredentials | where {$_.id -eq $linux.GetSshCreds().credsid.guid}).name
                    }
                    catch
                    {
                        if ($_.CategoryInfo.Category -eq 'NotSpecified')
                        {
                            "Single-Use Credentials"
                        }
                    }
    $AuthenticationType = try {$linux.GetSshCreds().AuthType} catch {"<N/A>"}

    [pscustomobject]@{
        Name = $linux.name
        Credentials = $credentials
        AuthenticationType = $AuthenticationType
    }
}
Write-host "-------------------"

It should be good if getsshcreds could work and be empty and authType set to single use cred.

[oleg.feoktistov]

So, what you are really after is credentials type used in a certain repository regardless the immutability being enabled/disabled, right?
There is no such boolean property for that either, but I noted it for further internal discussions. As for ssh creds info, it is being set to null every time single use creds are utilized. It is just that GetSshCreds() method is written to throw an exception in that case instead of an empty value. Thanks!

[matteu]

Yes, you're right
Immutable is just a repository property.
I would like to inventory all my linux managed server and the credentials used to import them on Veeam.
If it's with login / pass -> AuthType = PasswordAuthentication
If it's with sshKey -> AuthType = sshkeys or something else (I delete my test)
If it's with single use credential -> AuthType = throw an exception. Maybe this can be modify

[oleg.feoktistov]

Yes, specifying that info makes sense to me. Although, I don't think it would be a best practice to overload CBackupRepository class
with all these properties since some of them (not just the ones you mentioned) are the features of just one repository type. Putting it all together in a class with quite general info is what we are trying to avoid now. Anyway, it is definitely worth discussing internally and leaning towards the logic of Get-VBRObjectStorageRepository cmdlet. Thanks!

[matteu]

OK, I can understand it !

Thanks for your answer.