Repository Server
By default, every user of Kopia repository directly connects to an underlying storage using read-write access. If the users who share repository don’t completely trust each other, some malicious actors can delete repository data structures causing data loss for others.
Repository Server allows an instance of kopia to proxy access to the underlying storage and has Kopia clients proxy all access through it, only requiring username and password to talk to server without any knowledge of repository storage credentials.
In repository server mode, each user is limited to seeing their own snapshots and policy manifest without being able to access those from another user account.
NOTE: Only snapshot and policy manifests are access-controlled, not the underlying contents. If two users shared the same file, it will be backed using exactly the same content IDs. The consequence of this is that if a third user can guess the content ID of files in the repository, they will be able to access the files. Because content IDs are one-way salted hashes of contents, in principle it should be impossible to guess content ID without possessing original content.
Starting Repository Server
Repository Server should be started on a dedicated server in LAN, such that all clients can directly connect to it.
Before we can start repository server, we must first create a list of usernames and passwords that will be allowed access.
Configuring Allowed Users
Starting in Kopia v0.8, allowed repository users can be configured using kopia server user
commands. Each user is identified by its lowercase [email protected]
where hostname by default is the name of the computer the client is connecting from (without domain name suffix).
To add a user:
$ kopia server user add [email protected]
Enter new password for user [email protected]:
Re-enter new password for verification:
Updated user credentials will take effect in 5-10 minutes or when the server is restarted.
To refresh credentials in a running server use 'kopia server refresh' command.
Other commands are also available:
kopia server user list
- lists user accountskopia server user set
- changes passwordkopia server user delete
- deletes user account
Prior to Kopia v0.8, the user list must be put in a text file formatted using the htpasswd utility from Apache. This method is still supported in v0.8, but it’s recommended to use
kopia server user
to manage users instead. To create password file for two users:$ htpasswd -c password.txt [email protected] New password: Re-type new password: Adding password for user [email protected] $ htpasswd password.txt [email protected] New password: Re-type new password: Adding password for user [email protected]
Auto-Generated TLS Certificate
To start repository server with auto-generated TLS certificate for the first time:
kopia server start \
--tls-generate-cert \
--tls-cert-file ~/my.cert \
--tls-key-file ~/my.key \
--address 0.0.0.0:51515 \
--server-control-username control \
--server-control-password PASSWORD_HERE
This will generate TLS certificate and key files and store them in the provided paths (~/my.cert
and ~/my.key
respectively). It will also print certificate SHA256 fingerprint, which will be used later:
SERVER CERT SHA256: 48537cce585fed39fb26c639eb8ef38143592ba4b4e7677a84a31916398d40f7
Note that when starting the server again the --tls-generate-cert
must be omitted, otherwise the server will fail to start.
Prior to Kopia v0.8, the command line for
kopia server start
also needs--htpasswd-file ~/password.txt
Custom TLS Certificates
If a user has obtained custom certificate (for example from LetsEncrypt or another CA), using it is simply a matter of providing PEM-formatted certificate and key files on server startup.
To get SHA256 certificate of existing file use:
$ openssl x509 -in ~/my.cert -noout -fingerprint -sha256 | sed 's/://g' | cut -f 2 -d =
48537CCE585FED39FB26C639EB8EF38143592BA4B4E7677A84A31916398D40F7
On Client Computer
Assuming we’re on another machine running as [email protected]
, we can now run the following command to connect to the repository (notice we’re using fingerprint obtained before without :
separators)
kopia repository connect server --url https://<address>:51515 \
--server-cert-fingerprint 48537cce585fed39fb26c639eb8ef38143592ba4b4e7677a84a31916398d40f7
Once connected, all snapshot and policy kopia
commands should work for the current user, but low-level commands such as repo status
will fail:
$ kopia repository status
kopia: error: operation supported only on direct repository, try --help
You can override username and hostname with this command :
$ kopia repo connect server --url=http://11.222.111.222:51515 --override-username=johndoe --override-hostname=my-laptop
Server Access Control (ACL)
Kopia server will check permissions when users try to access contents and manifests based on rules we call ACLs (access control list).
Prior to Kopia v0.8, the rules were non-configurable and each user could only read and write their own snapshot manifests. Starting in Kopia v0.8 the ACLs can be controlled by using
kopia server acl
commands.
If no ACLs are explicitly defined, Kopia will use a set of built-in access control rules, which grants all authenticated users identified by [email protected]
ability to:
- read and write policies for
[email protected]
and[email protected]:/path
, - read and write snapshots for
[email protected]:/path
, - read
global
policy, - read
host
-level policies for their ownhostname
, - read and write
user
-level policies for their own[email protected]
, - read and write their own
user
account[email protected]
(to be able to change password), - read objects if they know their object IDs
- write new
content
to the repository
Access control for individual files or directories
Kopia does not currently perform access control checks to verify that a user trying to access file or directory by object ID is the original owner of the file (because of Kopia’s deduplication, two different users who have the same file will get the same object ID when snapshotting it).
This means that any user who knows of a valid object ID will get be able to restore its contents (by kopia restore <object-id>
or kopia show <object-id>
etc.).
Users who currently are (or previously were) in possession of a file will be able to easily determine its object ID from one of the snapshot manifests, but it’s impractical for other users to guess 128-bit or 256-bit object identifiers.
On the flip side, this allows easy sharing of files between users simply by exchanging object IDs and letting another user restore the object (either a single file or an entire directory) from the repository.
Customizing ACL rules
Sometimes we want to be able to customize those rules, for example to allow some users to modify
global
or host
-level policies, to let one user see another user’s snapshots, etc.
To enable ACL mode, run:
$ kopia server acl enable
This will install ACL entries matching the default rules. Let’s take a look at the rules installed:
$ kopia server acl list
id:c95e5a13b0b0fc874e550677f5e89262 user:*@* access:APPEND target:type=content
id:633f998af93e00c715e6417cb41df0af user:*@* access:READ target:type=policy,policyType=global
id:de21ac7a55ec1d9cf939b4cb158cc85a user:*@* access:READ target:type=policy,hostname=OWN_HOST,policyType=host
id:2314795d54060ab84cdc7fcb6e6953c8 user:*@* access:FULL target:type=policy,username=OWN_USER,hostname=OWN_HOST
id:0245e5bc1eca296e775e137a9587d09e user:*@* access:FULL target:type=snapshot,hostname=OWN_HOST,username=OWN_USER
id:fb043d9e77299e182e9297d0f4601d9b user:*@* access:FULL target:type=user,username=[email protected]_HOST
As you can see, all rules have unique identifiers (different for each repository) and each rule defines:
-
The
user
the rule applies to (could be a wildcard pattern containing an asterisk (*) instead ofusername
orhostname
) -
The
access
level:READ
- allows reading but not writingAPPEND
- allows reading and writing, but not deletingFULL
- allows full read/write/delete access
-
The
target
, which specifies the manifests the rule applies to.The target specification consists of
key=value
pairs which must match the corresponding manifest labels. Each target must have atype
label and (optionally) other labels that are type-specific.
Supported types are:
snapshot
with optional labelsusername
,hostname
andpath
policy
with optional labelsusername
,hostname
,path
andpolicyType
(which must be one ofglobal
,user
,host
orpath
)user
with optional labelusername
acl
Only labels specified will be matched. The label values can be literals or one of two special values:
OWN_USER
- the user’s ownusername
OWN_HOST
- the user’s ownhostname
Defining ACL rules
To define an ACL rule use:
$ kopia server acl add --user U --access A --target T
For example:
- To grant user
[email protected]
the ability to modify global policy:
$ kopia server acl add --user [email protected] \
--access FULL --target type=policy,policyType=global
- To allow all users to see all snapshots in the system:
$ kopia server acl add --user "*@*" --access READ --target type=snapshot
- To give
[email protected]
the ability to modify that hosts' policy:
$ kopia server acl add --user "[email protected]" --access FULL \
--target type=policy,policyType=host,hostname=tall-tower
- To give
[email protected]
the ability to add new user accounts and change passwords for existing users:
$ kopia server acl add --user "[email protected]" --access FULL --target type=user
- To give
[email protected]
the ability to define new ACLs:
$ kopia server acl add --user "[email protected]" \
--access FULL --target type=acl
Deleting ACL rules
To delete a single ACL rule, use kopia server acl remove
passing the identifier of the entry:
$ kopia server acl remove 77fb0a5706ddbd9848294b36aae47079
To delete all ACL rules and revert to default set of rules, use:
$ kopia server acl remove --all
Both commands default to preview mode and must be confirmed by passing --delete
for safety.
Reloading server configuration
Kopia server will refresh its configuration by fetching it from repository periodically. To speed up this process after changing access control rules, adding or modifying users or to simply force server to discover new snapshots or policies, you may want to run:
$ kopia server refresh \
--address=https://server:port [--server-cert-fingerprint=FINGERPRINT] \
--server-username=control \
--server-password=PASSWORD_HERE
To authenticate, pass any valid username and password configured on the server.
Alternatively on Linux/macOS you can send SIGHUP
signal to a running Kopia process to trigger a refresh.
$ ps awx | grep kopia
74189 s003 U+ 0:19.19 kopia server start ...
$ kill -SIGHUP 74189
or simply:
$ killall -SIGHUP kopia
Kopia behind a reverse proxy
Kopia server can be run behind a reverse proxy. Here a working example for nginx.
server {
listen 443 ssl http2;
server_name mydomain.com;
ssl_certificate_key /path/to/your/key.key;
ssl_certificate /path/to/your/cert.crt;
client_max_body_size 0; # Allow unlimited upload size
location / {
grpc_pass grpcs://localhost:51515; # Adapt if your kopia is running on another server
}
}
Make sure you use a recent nginx version (>=1.16) and you start your kopia server with a certificate (--insecure
does not work), e.g.
kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/my.cert --tls-key-file ~/my.key
You can now connect to your kopia server via reverse proxy with your domain: mydomain.com:443
.