From ed9797d67eef737f3dc66659eb9ae2e0c8cf4c7b Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Tue, 17 May 2022 13:29:02 +0200
Subject: [PATCH] storage: add some initial namespace docs

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 docs/storage.rst | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/docs/storage.rst b/docs/storage.rst
index b7eb645e..55da69a9 100644
--- a/docs/storage.rst
+++ b/docs/storage.rst
@@ -261,6 +261,46 @@ categorized by checksum, after a backup operation has been executed.
  276490 drwxr-x--- 1 backup backup 1.1M Jul  8 12:35 .
 
 
+Once you uploaded some backups, or created namespaces, you may see the Backup
+Type (`ct`, `vm`, `host`) and the start of the namespace hierachy (`ns`).
+
+Backup Namespaces
+~~~~~~~~~~~~~~~~~
+
+A datastore can host many backups as long as the underlying storage is big
+enough and provides the performance required for one's use case.
+But, without any hierarchy or separation its easy to run into naming conflicts,
+especially when using the same datastore for multiple Proxmox VE instances or
+multiple users.
+
+The backup namespace hierarchy allows you to clearly separate different users
+or backup sources in general, avoiding naming conflicts and providing
+well-organized backup content view.
+
+Each namespace level can host any backup type, CT, VM or Host but also other
+namespaces, up to a depth of 8 level, where the root namespace is the first
+level.
+
+
+Namespace Permissions
+^^^^^^^^^^^^^^^^^^^^^
+
+You can make the permission configuration of a datastore more fine-grained by
+setting permissions only on a specific namespace.
+
+To see a datastore you need permission that has at least one of `AUDIT`,
+`MODIFY`, `READ` or `BACKUP` privilege on any namespace it contains.
+
+To create or delete a namespace you require the modify privilege on the parent
+namespace. So, to initially create namespaces you need to have a permission
+with a access role that includes the `MODIFY` privilege on the datastore itself.
+
+For backup groups the existing privilege rules still apply, you either need a
+powerful permission or be the owner of the backup group, nothing changed here.
+
+.. todo:: continue
+
+
 Options
 ~~~~~~~