Skip Navigation Links | |
Exit Print View | |
Oracle Solaris ZFS Administration Guide Oracle Solaris 11 Express 11/10 |
1. Oracle Solaris ZFS File System (Introduction)
2. Getting Started With Oracle Solaris ZFS
3. Oracle Solaris ZFS and Traditional File System Differences
4. Managing Oracle Solaris ZFS Storage Pools
5. Managing ZFS Root Pool Components
6. Managing Oracle Solaris ZFS File Systems
7. Working With Oracle Solaris ZFS Snapshots and Clones
8. Using ACLs and Attributes to Protect Oracle Solaris ZFS Files
9. Oracle Solaris ZFS Delegated Administration
Overview of ZFS Delegated Administration
Disabling ZFS Delegated Permissions
Delegating ZFS Permissions (zfs allow)
Removing ZFS Delegated Permissions (zfs unallow)
Displaying ZFS Delegated Permissions (Examples)
Removing ZFS Delegated Permissions (Examples)
10. Oracle Solaris ZFS Advanced Topics
11. Oracle Solaris ZFS Troubleshooting and Pool Recovery
Example 9-1 Delegating Permissions to an Individual User
When you delegate create and mount permissions to an individual user, you must ensure that the user has permissions on the underlying mount point.
For example, to delegate user marks create and mount permissions on the tank file system, set the permissions first:
# chmod A+user:marks:add_subdirectory:fd:allow /tank
Then, use the zfs allow command to delegate create, destroy, and mount permissions. For example:
# zfs allow marks create,destroy,mount tank
Now, user marks can create his own file systems in the tank file system. For example:
# su marks marks$ zfs create tank/marks marks$ ^D # su lp $ zfs create tank/lp cannot create 'tank/lp': permission denied
Example 9-2 Delegating create and destroy Permissions to a Group
The following example shows how to set up a file system so that anyone in the staff group can create and mount file systems in the tank file system, as well as destroy their own file systems. However, staff group members cannot destroy anyone else's file systems.
# zfs allow staff create,mount tank # zfs allow -c create,destroy tank # zfs allow tank ------------------------------------------------------------- Create time permissions on (tank) create,destroy Local+Descendent permissions on (tank) group staff create,mount ------------------------------------------------------------- # su cindys cindys% zfs create tank/cindys cindys% exit # su marks marks% zfs create tank/marks/data marks% exit cindys% zfs destroy tank/marks/data cannot destroy 'tank/mark': permission denied
Example 9-3 Delegating Permissions at the Correct File System Level
Ensure that you delegate users permission at the correct file system level. For example, user marks is delegated create, destroy, and mount permissions for the local and descendent file systems. User marks is delegated local permission to snapshot the tank file system, but he is not allowed to snapshot his own file system. So, he has not been delegated the snapshot permission at the correct file system level.
# zfs allow -l marks snapshot tank # zfs allow tank ------------------------------------------------------------- Local permissions on (tank) user marks snapshot Local+Descendent permissions on (tank) user marks create,destroy,mount ------------------------------------------------------------- # su marks marks$ zfs snapshot tank/@snap1 marks$ zfs snapshot tank/marks@snap1 cannot create snapshot 'mark/marks@snap1': permission denied
To delegate user marks permission at the descendent file system level, use the zfs allow -d option. For example:
# zfs unallow -l marks snapshot tank # zfs allow -d marks snapshot tank # zfs allow tank ------------------------------------------------------------- Descendent permissions on (tank) user marks snapshot Local+Descendent permissions on (tank) user marks create,destroy,mount ------------------------------------------------------------- # su marks $ zfs snapshot tank@snap2 cannot create snapshot 'tank@snap2': permission denied $ zfs snapshot tank/marks@snappy
Now, user marks can only create a snapshot below the tank file system level.
Example 9-4 Defining and Using Complex Delegated Permissions
You can delegate specific permissions to users or groups. For example, the following zfs allow command delegates specific permissions to the staff group. In addition, destroy and snapshot permissions are delegated after tank file systems are created.
# zfs allow staff create,mount tank # zfs allow -c destroy,snapshot tank # zfs allow tank ------------------------------------------------------------- Create time permissions on (tank) destroy,snapshot Local+Descendent permissions on (tank) group staff create,mount -------------------------------------------------------------
Because user marks is a member of the staff group, he can create file systems in tank. In addition, user marks can create a snapshot of tank/marks2 because he has specific permissions to do so. For example:
# su marks $ zfs create tank/marks2 $ zfs allow tank/marks2 ------------------------------------------------------------- Local permissions on (tank/marks2) user marks destroy,snapshot ------------------------------------------------------------- Create time permissions on (tank) destroy,snapshot Local+Descendent permissions on (tank) group staff create everyone mount -------------------------------------------------------------
But, user marks cannot create a snapshot in tank/marks because he doesn't have specific permissions to do so. For example:
$ zfs snapshot tank/marks2@snap1 $ zfs snapshot tank/marks@snappp cannot create snapshot 'tank/marks@snappp': permission denied
In this example, user marks has create permission in his home directory, which means he can create snapshots. This scenario is helpful when your file system is NFS mounted.
$ cd /tank/marks2 $ ls $ cd .zfs $ ls snapshot $ cd snapshot $ ls -l total 3 drwxr-xr-x 2 marks staff 2 Dec 15 13:53 snap1 $ pwd /tank/marks2/.zfs/snapshot $ mkdir snap2 $ zfs list NAME USED AVAIL REFER MOUNTPOINT tank 264K 33.2G 33.5K /tank tank/marks 24.5K 33.2G 24.5K /tank/marks tank/marks2 46K 33.2G 24.5K /tank/marks2 tank/marks2@snap1 21.5K - 24.5K - tank/marks2@snap2 0 - 24.5K - $ ls snap1 snap2 $ rmdir snap2 $ ls snap1
Example 9-5 Defining and Using a ZFS Delegated Permission Set
The following example shows how to create the permission set @myset and delegates the permission set and the rename permission to the group staff for the tank file system. User cindys, a staff group member, has the permission to create a file system in tank. However, user lp does not have permission to create a file system in tank.
# zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly tank # zfs allow tank ------------------------------------------------------------- Permission sets on (tank) @myset clone,create,destroy,mount,promote,readonly,snapshot ------------------------------------------------------------- # zfs allow staff @myset,rename tank # zfs allow tank ------------------------------------------------------------- Permission sets on (tank) @myset clone,create,destroy,mount,promote,readonly,snapshot Local+Descendent permissions on (tank) group staff @myset,rename # chmod A+group:staff:add_subdirectory:fd:allow tank # su cindys cindys% zfs create tank/data Cindys% zfs allow tank ------------------------------------------------------------- Permission sets on (tank) @myset clone,create,destroy,mount,promote,readonly,snapshot Local+Descendent permissions on (tank) group staff @myset,rename ------------------------------------------------------------- cindys% ls -l /tank total 15 drwxr-xr-x 2 cindys staff 2 Aug 8 14:10 data cindys% exit # su lp $ zfs create tank/lp cannot create 'tank/lp': permission denied