Restic Systems Backup Setup, Part 5 - minio multi-user support

This is Part 5 of my series on building a restic-based system backup series. The rest of the articles can be found here.

One of the original design decisions in my restic systems backup setup was isolation between hosts. I didn't want root on one system to be able to access the backups of other hosts, even if they were storing backups on a common backup server.

At that time, Minio, the object storage server I was using on the backup server, only supported single-tenancy — there was a single "access key"/"secret key" per instance, with access to every object and every bucket in that instance. Minio's recommendation at the time was to run multiple instances, each on a distinct port, to provide isolation. That's the solution I went with at that time.

Sometime in October, when I was pre-occupied with my wedding, Minio added Multi-User Support. This support adds the ability to have multiple users per Minio instance, each with distinct access and secret keys, and adds decent support for S3-style policies. After a bit of experimentation I was able to figure out a setup where I could run a single Minio instance, put each system's backup in a distinct bucket, and create policies that kept everything separate.

This would greatly simplify my backup setup, and ties in with some other changes I want to make. I want to make it much more easier to add and remove backup clients, and to get the current status of them, amongst other things. I've also started eating, well, not my dogfood, but work's dogfood, and I've got a running Consul and Vault cluster running, and I want to start leveraging that as well.

Expect the next post in this series to talk about the new setup, while hopefully avoiding System 2.0 tarpits.