Skip Navigation Links | |
Exit Print View | |
Oracle Solaris ZFS Administration Guide Oracle Solaris 11 Express 11/10 |
1. Oracle Solaris ZFS File System (Introduction)
2. Getting Started With Oracle Solaris ZFS
3. Oracle Solaris ZFS and Traditional File System Differences
4. Managing Oracle Solaris ZFS Storage Pools
5. Managing ZFS Root Pool Components
6. Managing Oracle Solaris ZFS File Systems
7. Working With Oracle Solaris ZFS Snapshots and Clones
8. Using ACLs and Attributes to Protect Oracle Solaris ZFS Files
9. Oracle Solaris ZFS Delegated Administration
Delegating ZFS Permissions (zfs allow)
Removing ZFS Delegated Permissions (zfs unallow)
Delegating ZFS Permissions (Examples)
Displaying ZFS Delegated Permissions (Examples)
Removing ZFS Delegated Permissions (Examples)
10. Oracle Solaris ZFS Advanced Topics
11. Oracle Solaris ZFS Troubleshooting and Pool Recovery
ZFS delegated administration enables you to distribute refined permissions to specific users, groups, or everyone. Two types of delegated permissions are supported:
Individual permissions can be explicitly delegated such as create, destroy, mount, snapshot, and so on.
Groups of permissions called permission sets can be defined. A permission set can later be updated, and all of the consumers of the set automatically get the change. Permission sets begin with the @ symbol and are limited to 64 characters in length. After the @ symbol, the remaining characters in the set name have the same restrictions as normal ZFS file system names.
ZFS delegated administration provides features similar to the RBAC security model. ZFS delegation provides the following advantages for administering ZFS storage pools and file systems:
Permissions follow the ZFS storage pool whenever a pool is migrated.
Provides dynamic inheritance where you can control how the permissions propagate through the file systems.
Can be configured so that only the creator of a file system can destroy the file system.
You can delegate permissions to specific file systems. Newly created file systems can automatically pick up permissions.
Provides simple NFS administration. For example, a user with explicit permissions can create a snapshot over NFS in the appropriate .zfs/snapshot directory.
Consider using delegated administration for distributing ZFS tasks. For information about using RBAC to manage general Oracle Solaris administration tasks, see Part III, Roles, Rights Profiles, and Privileges, in System Administration Guide: Security Services.
You control the delegated administration features by using a pool's delegation property. For example:
# zpool get delegation users NAME PROPERTY VALUE SOURCE users delegation on default # zpool set delegation=off users # zpool get delegation users NAME PROPERTY VALUE SOURCE users delegation off local
By default, the delegation property is enabled.