Overview of ZFS Delegated Administration
ZFS delegated administration enables you to distribute refined permissions to specific users, groups, or everyone. Two types of delegated permissions are supported:
-
Individual permissions can be explicitly delegated such as create, destroy, mount, snapshot, and so on.
-
Groups of permissions called permission sets can be defined. A permission set can later be updated, and all of the consumers of the set automatically get the change. Permission sets begin with the @ symbol and are limited to 64 characters in length. After the @ symbol, the remaining characters in the set name have the same restrictions as normal ZFS file system names.
ZFS delegated administration provides features similar to the RBAC security model. ZFS delegation provides the following advantages for administering ZFS storage pools and file systems:
-
Permissions follow the ZFS storage pool whenever a pool is migrated.
-
Provides dynamic inheritance where you can control how the permissions propagate through the file systems.
-
Can be configured so that only the creator of a file system can destroy the file system.
-
You can delegate permissions to specific file systems. Newly created file systems can automatically pick up permissions.
-
Provides simple NFS administration. For example, a user with explicit permissions can create a snapshot over NFS in the appropriate .zfs/snapshot directory.
Consider using delegated administration for distributing ZFS tasks. For information about using RBAC to manage general Oracle Solaris administration tasks, see Part III, Roles, Rights Profiles, and Privileges, in System Administration Guide: Security Services.
Disabling ZFS Delegated Permissions
You control the delegated administration features by using a pool's delegation property. For example:
# zpool get delegation users NAME PROPERTY VALUE SOURCE users delegation on default # zpool set delegation=off users # zpool get delegation users NAME PROPERTY VALUE SOURCE users delegation off local |
By default, the delegation property is enabled.
- © 2010, Oracle Corporation and/or its affiliates