Delegating ZFS Permissions
You can use the zfs
allow command to delegate permissions on ZFS file systems to non-root users in the
following ways:
-
Individual permissions can be delegated to a user, group, or everyone.
-
Groups of individual permissions can be delegated as a permission set to
a user, group, or everyone.
-
Permissions can be delegated either locally to the current file system only or to all
descendents of the current file system.
The following table describes the operations that can be delegated and any
dependent permissions that are required to perform the delegated operations.
|
|
|
allow
|
The permission to grant permissions that you have to another user.
|
Must also have the permission that is being allowed.
|
clone
|
The permission to clone any of the dataset's snapshots.
|
Must also have the create permission and the mount
permission in the original file system.
|
create
|
The permission to create descendent datasets.
|
Must also have the mount permission.
|
destroy
|
The permission to destroy a dataset.
|
Must also have the mount permission.
|
diff
|
The permission to identify paths within a dataset.
|
Non-root users need this permission to use the zfs diff command.
|
hold
|
The permission to hold a snapshot.
|
|
mount
|
The permission to mount and unmount a file system, and create and destroy volume device
links.
|
|
promote
|
The permission to promote a clone to a dataset.
|
Must also have the mount permission and the promote
permission in the original file system.
|
receive
|
The permission to create descendent file systems with the zfs receive
command.
|
Must also have the mount permission and the create
permission.
|
release
|
The permission to release a snapshot hold, which might destroy the snapshot.
|
|
rename
|
The permission to rename a dataset.
|
Must also have the create permission and the mount
permission in the new parent.
|
rollback
|
The permission to roll back a snapshot.
|
|
send
|
The permission to send a snapshot stream.
|
|
share
|
The permission to share and unshare a file system.
|
Must have both share and share.nfs to create an NFS
share.
Must have both share and share.smb to create an SMB
share.
|
snapshot
|
The permission to create a snapshot of a dataset.
|
|
|
You can delegate the following set of permissions but a permission might be
limited to access, read, or change permission:
-
groupquota
-
groupused
-
key
-
keychange
-
userprop
-
userquota
-
userused
In addition, you can delegate administration of the following ZFS properties to
non-root users:
-
aclinherit
-
aclmode
-
atime
-
canmount
-
casesensitivity
-
checksum
-
compression
-
copies
-
dedup
-
defaultgroupquota
-
defaultuserquota
-
devices
-
encryption
-
exec
-
keysource
-
logbias
-
mountpoint
-
nbmand
-
normalization
-
primarycache
-
quota
-
readonly
-
recordsize
-
refquota
-
refreservation
-
reservation
-
rstchown
-
secondarycache
-
setuid
-
shadow
-
share.nfs
-
share.smb
-
snapdir
-
sync
-
utf8only
-
version
-
volblocksize
-
volsize
-
vscan
-
xattr
-
zoned
Some of these properties can be set only at dataset creation time. For a
description of these properties, see Introducing ZFS
Properties.