Snowflake-Labs · sfc-gh-gnugmanov · Apr 15, 2025 · Apr 15, 2025
diff --git a/cmd/sansshell-server/default-policy.rego b/cmd/sansshell-server/default-policy.rego
@@ -121,3 +121,14 @@ allow {
     input.message.zero = true
     input.message.remove = true
 }
+
+# Allow fdbbackup commands
+allow {
+    input.type = "Exec.ExecRequest"
+    input.message.command = "/usr/sbin/fdbbackup"
+}
+
+# Allow all FDBBackup service methods
+allow {
+    startswith(input.method, "/Fdb.FDBBackup/")
+}
diff --git a/cmd/sansshell-server/main.go b/cmd/sansshell-server/main.go
@@ -109,6 +109,7 @@ func init() {
 	*fdbCLIEnvList.Target = append(*fdbCLIEnvList.Target, "") // To set a default
 	flag.Var(&fdbCLIEnvList, "fdbcli-env-list", "List of environment variable names (separated by comma) to retain before fork/exec'ing fdbcli")
 	flag.StringVar(&fdbserver.FDBMoveOrchestrator, "fdb-move-orchestrator", "/usr/bin/fdb_move_orchestrator.py", "Path to python data movement script.")
+	flag.StringVar(&fdbserver.FDBBackup, "fdbbackup", "/usr/sbin/fdbbackup", "Path to fdbbackup binary.")
 
 	flag.StringVar(&mtlsFlags.ClientCertFile, "client-cert", mtlsFlags.ClientCertFile, "Path to this client's x509 cert, PEM format")
 	flag.StringVar(&mtlsFlags.ClientKeyFile, "client-key", mtlsFlags.ClientKeyFile, "Path to this client's key")