BPAM Plugin Registration

BPAM assumes that any authentication or authorization workflow handles very sensitive information (user credentials or permissions) that must be treated with extreme care, i.e. it should not be visible outside the selected plugin. This is a clear break from Bacula’s general plugin workflow design, in which every event is forwarded to every plugin until one of them signals that event handling is done. That kind of event handling can lead to an unexpected breach of user credential data, which is unacceptable.

Before a plugin receives authentication or authorization requests, it has to register its services through the getPluginAuthenticationData() or getPluginAuthorizationData() plugin entry points. The Director calls these plugin functions (if they are defined in the pDirFuncs structure) on every new bconsole connection, for the selected plugin only, and only when the appropriate Console resource is configured (see below for more info).

Console {
  Name = "bpamauthconsole"
  Password = "xxx"

  # New directives
  Authentication Plugin = "<plugin>:<optional parameters>"
  Authorization Plugin = "<plugin>:<optional parameters>"       # not implemented yet!
  ...
}
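
The following added example (not Bacula code) models the two dispatch styles described above and counts how many plugins are handed a credential in each. The toy_plugin type, the dispatch functions, the plugin names and the parameter string are all hypothetical or constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model: every type and name here is hypothetical, not Bacula's API. */
typedef struct {
    const char *name;
    int registered;  /* plugin registered an authentication service */
    int seen;        /* times a credential was handed to this plugin */
} toy_plugin;

/* Stand-in handler: records the exposure, claims the event if registered. */
static int toy_handle(toy_plugin *p, const char *secret) {
    p->seen += (secret != NULL);
    return p->registered;
}

/* Generic event model: offer the event to each plugin until one claims it. */
static int dispatch_broadcast(toy_plugin *pl, int n, const char *secret) {
    for (int i = 0; i < n; i++)
        if (toy_handle(&pl[i], secret)) return i;
    return -1;
}

/* Selected model: only the registered plugin named before ':' is called. */
static int dispatch_selected(toy_plugin *pl, int n, const char *directive,
                             const char *secret) {
    size_t len = strcspn(directive, ":");  /* name ends at the first ':' */
    for (int i = 0; i < n; i++) {
        if (strlen(pl[i].name) != len || strncmp(pl[i].name, directive, len))
            continue;
        return (pl[i].registered && toy_handle(&pl[i], secret)) ? i : -1;
    }
    return -1;  /* unknown plugin: fail closed, no plugin sees the secret */
}

/* Count plugins handed the credential; directive == NULL means broadcast. */
int plugins_exposed(const char *directive) {
    toy_plugin pl[3] = {{"audit", 0, 0}, {"stats", 0, 0}, {"ldap", 1, 0}};
    int count = 0;
    if (directive) dispatch_selected(pl, 3, directive, "constructed-secret");
    else dispatch_broadcast(pl, 3, "constructed-secret");
    for (int i = 0; i < 3; i++) count += pl[i].seen > 0;
    return count;
}

int main(void) {
    printf("%d %d\n", plugins_exposed(NULL), plugins_exposed("ldap:opt=1"));
    return 0;
}
```

In the broadcast model the credential passes through every plugin ahead of the one that finally claims it; in the selected model a directive that names an unknown or unregistered plugin reaches no plugin at all.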
