Solaris ZFS Administration Guide

Using ZFS Delegated Administration

This section provides examples of delegating and displaying ZFS delegated permissions.

Delegating ZFS Permissions (Examples)


Example 9–1 Delegating Permissions to an Individual User

When you provide create and mount permissions to an individual user, you need to make sure that the user has permissions on the underlying mount point.

For example, to give user marks create and mount permissions on tank, set the permissions first:


# chmod A+user:marks:add_subdirectory:fd:allow /tank

Then, use the zfs allow command to grant create, destroy, and mount permissions. For example:


# zfs allow marks create,destroy,mount tank

Now user marks can create his own file systems in the tank file system. For example:


# su marks
marks$ zfs create tank/marks
marks$ ^D
# su lp
$ zfs create tank/lp
cannot create 'tank/lp': permission denied


Example 9–2 Delegating Create and Destroy Permissions to a Group

The following example shows how to set up a file system so that anyone in the staff group can create and mount file systems in the tank file system, and can destroy their own file systems. However, staff group members cannot destroy anyone else's file systems.


# zfs allow staff create,mount tank
# zfs allow -c create,destroy tank
# zfs allow tank
-------------------------------------------------------------
Create time permissions on (tank)
        create,destroy
Local+Descendent permissions on (tank)
        group staff create,mount
-------------------------------------------------------------
# su cindys
cindys% zfs create tank/cindys
cindys% exit
# su marks
marks% zfs create tank/marks/data
marks% exit
# su cindys
cindys% zfs destroy tank/marks/data
cannot destroy 'tank/marks/data': permission denied


Example 9–3 Delegating Permissions at the Correct File System Level

Make sure that you grant users permission at the correct file system level. For example, user marks is granted create, destroy, and mount permissions for the local and descendent file systems. User marks is granted local permission to snapshot the tank file system, but he is not allowed to snapshot his own file system. So, he has not been granted the snapshot permission at the correct file system level.


# zfs allow -l marks snapshot tank
# zfs allow tank
-------------------------------------------------------------
Local permissions on (tank)
        user marks snapshot
Local+Descendent permissions on (tank)
        user marks create,destroy,mount
-------------------------------------------------------------
# su marks
marks$ zfs snapshot tank@snap1
marks$ zfs snapshot tank/marks@snap1
cannot create snapshot 'tank/marks@snap1': permission denied

To grant user marks permission at the descendent level, use the zfs allow -d option. For example:


# zfs unallow -l marks snapshot tank
# zfs allow -d marks snapshot tank
# zfs allow tank
-------------------------------------------------------------
Descendent permissions on (tank)
        user marks snapshot
Local+Descendent permissions on (tank)
        user marks create,destroy,mount
-------------------------------------------------------------
# su marks
$ zfs snapshot tank@snap2
cannot create snapshot 'tank@snap2': permission denied
$ zfs snapshot tank/marks@snappy

Now, user marks can only create a snapshot below the tank level.
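
The following Python script is an added example, not part of the original guide. It parses zfs allow output and applies the Local, Descendent, and Local+Descendent scope rules shown in Example 9–3 to decide whether a user holds a permission on a given dataset. The function names parse_zfs_allow and is_allowed are hypothetical, and only explicit user and group entries are evaluated (permission sets, create time permissions, and everyone entries are skipped).

```python
import re

# Scope title in `zfs allow` output -> (applies to dataset itself, applies to descendents)
SCOPES = {"Local": (True, False), "Descendent": (False, True),
          "Local+Descendent": (True, True)}
HEADER = re.compile(r"^(.+) on \((.+)\)$")

def parse_zfs_allow(text):
    """Return (dataset, scope, kind, name, perms) for each user/group grant line."""
    grants, scope, dataset = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # e.g. "Local permissions on (tank)"
            scope, dataset = m.group(1).replace(" permissions", ""), m.group(2)
            continue
        parts = line.split()
        # Skip rulers, permission-set and create-time sections (not handled here)
        if scope in SCOPES and len(parts) == 3 and parts[0] in ("user", "group"):
            grants.append((dataset, scope, parts[0], parts[1], set(parts[2].split(","))))
    return grants

def is_allowed(grants, user, groups, perm, target):
    """True if a grant gives `perm` on `target` (a dataset or dataset@snapshot)."""
    fs = target.split("@")[0]  # snapshot permission is checked on the file system
    for dataset, scope, kind, name, perms in grants:
        on_self, on_children = SCOPES[scope]
        in_scope = (on_self and fs == dataset) or \
                   (on_children and fs.startswith(dataset + "/"))
        who = name == user if kind == "user" else name in groups
        if in_scope and who and perm in perms:
            return True
    return False

# Output copied from Example 9-3: first with -l, then with -d
WITH_L = """\
Local permissions on (tank)
        user marks snapshot
Local+Descendent permissions on (tank)
        user marks create,destroy,mount
"""
WITH_D = WITH_L.replace("Local permissions", "Descendent permissions")

if __name__ == "__main__":
    for label, text in (("-l", WITH_L), ("-d", WITH_D)):
        g = parse_zfs_allow(text)
        for t in ("tank@snap1", "tank/marks@snap1"):
            print(label, t, is_allowed(g, "marks", [], "snapshot", t))
```

Feeding the script the output of zfs allow for each dataset under review shows, before a user hits a permission denied error, whether a grant was made at the level that was intended.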



Example 9–4 Defining and Using Complex Delegated Permissions

You can grant specific permissions to users or groups. For example, the following zfs allow command grants specific permissions to the staff group. In addition, destroy and snapshot permissions are granted after tank file systems are created.


# zfs allow staff create,mount tank
# zfs allow -c destroy,snapshot tank
# zfs allow tank
-------------------------------------------------------------
Create time permissions on (tank)
        destroy,snapshot
Local+Descendent permissions on (tank)
        group staff create,mount
-------------------------------------------------------------

Because user marks is a member of the staff group, he can create file systems in tank. In addition, user marks can create a snapshot of tank/marks2 because he has specific permissions to do so. For example:


# su marks
$ zfs create tank/marks2
$ zfs allow tank/marks2
-------------------------------------------------------------
Local permissions on (tank/marks2)
        user marks destroy,snapshot
-------------------------------------------------------------
Create time permissions on (tank)
        destroy,snapshot
Local+Descendent permissions on (tank)
        group staff create
        everyone mount
-------------------------------------------------------------

But, he can't create a snapshot in tank/marks because he doesn't have specific permissions to do so. For example:


$ zfs snapshot tank/marks2@snap1
$ zfs snapshot tank/marks@snappp
cannot create snapshot 'tank/marks@snappp': permission denied

If you have create permission in your home directory, you can create your own snapshot directories. This scenario is helpful when your file system is NFS mounted. For example:


$ cd /tank/marks2
$ ls
$ cd .zfs
$ ls
snapshot
$ cd snapshot
$ ls -l
total 3
drwxr-xr-x   2 marks    staff          2 Dec 15 13:53 snap1
$ pwd
/tank/marks2/.zfs/snapshot
$ mkdir snap2
$ zfs list
NAME                   USED  AVAIL  REFER  MOUNTPOINT
tank                   264K  33.2G  33.5K  /tank
tank/marks            24.5K  33.2G  24.5K  /tank/marks
tank/marks2             46K  33.2G  24.5K  /tank/marks2
tank/marks2@snap1     21.5K      -  24.5K  -
tank/marks2@snap2         0      -  24.5K  -
$ ls
snap1  snap2
$ rmdir snap2
$ ls
snap1


Example 9–5 Defining and Using a ZFS Delegated Permission Set

The following example shows how to create a permission set @myset and grant the permission set and the rename permission to the group staff for the tank file system. User cindys, a staff group member, has the permission to create a file system in tank. However, user lp has no permission to create a file system in tank.


# zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly tank
# zfs allow tank
-------------------------------------------------------------
Permission sets on (tank)
        @myset clone,create,destroy,mount,promote,readonly,snapshot
-------------------------------------------------------------
# zfs allow staff @myset,rename tank
# zfs allow tank
-------------------------------------------------------------
Permission sets on (tank)
        @myset clone,create,destroy,mount,promote,readonly,snapshot
Local+Descendent permissions on (tank)
        group staff @myset,rename
-------------------------------------------------------------
# chmod A+group:staff:add_subdirectory:fd:allow /tank
# su cindys
cindys% zfs create tank/data
cindys% zfs allow tank
-------------------------------------------------------------
Permission sets on (tank)
        @myset clone,create,destroy,mount,promote,readonly,snapshot
Local+Descendent permissions on (tank)
        group staff @myset,rename
-------------------------------------------------------------
cindys% ls -l /tank
total 15
drwxr-xr-x   2 cindys   staff          2 Aug  8 14:10 data
cindys% exit
# su lp
$ zfs create tank/lp
cannot create 'tank/lp': permission denied

Displaying ZFS Delegated Permissions (Examples)

You can use the following command to display permissions:


# zfs allow dataset

This command displays permissions that are set or allowed on this dataset. The output contains the following components:


Example 9–6 Displaying Basic Delegated Administration Permissions

The output in this example indicates that user cindys has permissions to create, destroy, mount, and snapshot in the tank/cindys file system.


# zfs allow tank/cindys
-------------------------------------------------------------
Local+Descendent permissions on (tank/cindys)
        user cindys create,destroy,mount,snapshot


Example 9–7 Displaying Complex Delegated Administration Permissions

The output in this example indicates the following permissions on the pool/fred and pool file systems.

For the pool/fred file system:

For the pool file system:

Here is the output for this example:


$ zfs allow pool/fred
------------------------------------------------------------------------------
Permission sets on (pool/fred)
        @eng create,destroy,snapshot,mount,clone,promote,rename
        @simple create,mount
Create time permissions on (pool/fred)
        @eng,mountpoint
Local permissions on (pool/fred)
        user tom @eng
        user joe create,destroy,mount
Local+Descendent permissions on (pool/fred)
        user fred @basic,share,rename
Descendent permissions on (pool/fred)
        user barney @basic
        group staff @basic
------------------------------------------------------------------------------
Permission sets on (pool)
        @simple create,destroy,mount
Local permissions on (pool)
        group staff @simple
------------------------------------------------------------------------------

Removing ZFS Permissions (Examples)

You can use the zfs unallow command to remove granted permissions. For example, user cindys has permissions to create, destroy, mount, and snapshot in the tank/cindys file system.


# zfs allow cindys create,destroy,mount,snapshot tank/cindys
# zfs allow tank/cindys
-------------------------------------------------------------
Local+Descendent permissions on (tank/cindys)
        user cindys create,destroy,mount,snapshot
-------------------------------------------------------------

The following zfs unallow syntax removes user cindys's snapshot permission from the tank/cindys file system:


# zfs unallow cindys snapshot tank/cindys
# zfs allow tank/cindys
-------------------------------------------------------------
Local+Descendent permissions on (tank/cindys)
        user cindys create,destroy,mount
-------------------------------------------------------------
cindys% zfs create tank/cindys/data
cindys% zfs snapshot tank/cindys@today
cannot create snapshot 'tank/cindys@today': permission denied

As another example, user marks has the following permissions in tank/marks:


# zfs allow tank/marks
-------------------------------------------------------------
Local+Descendent permissions on (tank/marks)
        user marks create,destroy,mount
-------------------------------------------------------------

In this example, the following zfs unallow syntax removes all permissions for user marks from tank/marks:


# zfs unallow marks tank/marks

The following zfs unallow syntax removes a permission set on the tank file system.


# zfs allow tank
-------------------------------------------------------------
Permission sets on (tank)
        @myset clone,create,destroy,mount,promote,readonly,snapshot
Create time permissions on (tank)
        create,destroy,mount
Local+Descendent permissions on (tank)
        group staff create,mount
-------------------------------------------------------------
# zfs unallow -s @myset tank
$ zfs allow tank
-------------------------------------------------------------
Create time permissions on (tank)
        create,destroy,mount
Local+Descendent permissions on (tank)
        group staff create,mount
-------------------------------------------------------------