# OADP Self Service ( draft documentation) ## OADP Self Service OADP (Openshift API for Data Protection) Operator previously required cluster administrator access to perform all Backup and Restore operations. OADP self-service enables users the ability to safely perform Backup and Restore operations in the namespaces they have access to. Openshift users will be able to create and access the logs and status of backup and restore objects including the relevant velero log and velero description of the backup or restore. Each user will only have access to the objects and logs from the namespace where they have administrative rights. Additionally users will can create their own backup storage locations (BSL) to further. Cluster Administrators can template backup and restore specifications to ensure users are complying with the cluster administrators requirements. ## Glossary of terms * NAB - Non Admin Backup * NAR - Non Admin Restore * NAC - Non Admin Controller * NABSL - Non Admin Backup Storage Location ## Cluster Administrator Setup Install and configure the OADP operator according to the documentation and your requirements. To enable OADP Self-Service the DPA spec must have these 2 things: ``` nonAdmin: enable: true unsupportedOverrides: tech-preview-ack: "true" ``` Once the OADP DPA is reconciled the cluster administrator should see the non-admin-controller running in the openshift-adp namespace. The Openshift users without cluster admin rights can create NAB objects in their namespace to create a backup. ## OpenShift User Instructions Prior to OpenShift users taking advantage of OADP self-service feature the OpenShift cluster administrator must have completed the following prerequisite steps: * The OADP DPA has been configured to support self-service * The cluster administrator has created the users * account * namespace * namespace admin priviledges Non Cluster Administrators can utilize OADP self-service by creating NonAdminBackup (NAB) and NonAdminRestore (NAR) objects in the namespace to be backed up or restored. A NonAdminBackup is an OpenShift custom resource that securily facilitates the creation, status and lifecycle of a Velero Backup custom resource.  For the most part one can think of a NonAdminBackup and a Velero Backup in very much the same way. Both objects specify a velero backup and how the backup should be executed. There are a few differences to keep in mind when creating a NonAdminBackup. 1. The NonAdminBackup creates the Velero Backup CR instance in a secure way that limits the users access. 2. A user can not specify the namespace that will be backed up. The namespace from which the NAB oject is created is the defined namespace to be backed up. 3. In addition to the creation of the Velero Backup the NonAdminBackup object's main purpose is to track the status of the Velero Backup in a secure and clear way. ### NAB / NAR Status #### Phase The phase field is a simple one high-level summary of the lifecycle of the objects, that only moves forward. Once a phase changes, it can not return to the previous value. | **Value** | **Description** | |-----------|-----------------| | New | *NonAdminBackup/NonAdminRestore* resource was accepted by the NAB/NAR Controller, but it has not yet been validated by the NAB/NAR Controller | | BackingOff | *NonAdminBackup/NonAdminRestore* resource was invalidated by the NAB/NAR Controller, due to invalid Spec. NAB/NAR Controller will not reconcile the object further, until user updates it | | Created | *NonAdminBackup/NonAdminRestore* resource was validated by the NAB/NAR Controller and Velero *Backup/restore* was created. The Phase will not have additional information about the *Backup/Restore* run | | Deletion | *NonAdminBackup/NonAdminRestore* resource has been marked for deletion. The NAB/NAR Controller will delete the corresponding Velero *Backup/Restore* if it exists. Once this deletion completes, the *NonAdminBackup/NonAdminRestore* object itself will also be removed |