Skip Navigation Links | |
Exit Print View | |
Oracle Solaris ZFS Administration Guide Oracle Solaris 11 Express 11/10 |
1. Oracle Solaris ZFS File System (Introduction)
2. Getting Started With Oracle Solaris ZFS
3. Oracle Solaris ZFS and Traditional File System Differences
4. Managing Oracle Solaris ZFS Storage Pools
5. Managing ZFS Root Pool Components
6. Managing Oracle Solaris ZFS File Systems
7. Working With Oracle Solaris ZFS Snapshots and Clones
8. Using ACLs and Attributes to Protect Oracle Solaris ZFS Files
9. Oracle Solaris ZFS Delegated Administration
Overview of ZFS Delegated Administration
Disabling ZFS Delegated Permissions
Delegating ZFS Permissions (Examples)
Displaying ZFS Delegated Permissions (Examples)
Removing ZFS Delegated Permissions (Examples)
10. Oracle Solaris ZFS Advanced Topics
11. Oracle Solaris ZFS Troubleshooting and Pool Recovery
You can use the zfs allow command to delegate permissions on ZFS datasets to non-root users in the following ways:
Individual permissions can be delegated to a user, group, or everyone.
Groups of individual permissions can be delegated as a permission set to a user, group, or everyone.
Permissions can be delegated either locally to the current dataset only or to all descendents of the current dataset.
The following table describes the operations that can be delegated and any dependent permissions that are required to perform the delegated operations.
|
You can delegate the following set of permissions but a permission might be limited to access, read, or change permission:
groupquota
groupused
userprop
userquota
userused
In addition, you can delegate administration of the following ZFS properties to non-root users:
aclinherit
atime
canmount
casesensitivity
checksum
compression
copies
dedup
devices
exec
logbias
mlslabel
mountpoint
nbmand
normalization
primarycache
quota
readonly
recordsize
refreservation
reservation
secondarycache
setuid
shareiscsi
sharenfs
sharesmb
snapdir
utf8only
version
volblocksize
volsize
vscan
xattr
zoned
Some of these properties can be set only at dataset creation time. For a description of these properties, see Introducing ZFS Properties.
zfs allow -[ldugecs] everyone|user|group[,...] perm|@setname,...] filesystem| volume
The following zfs allow syntax (in bold) identifies to whom the permissions are delegated:
zfs allow [-uge]|user|group|everyone [,...] filesystem | volume
Multiple entities can be specified as a comma-separated list. If no -uge options are specified, then the argument is interpreted preferentially as the keyword everyone, then as a user name, and lastly, as a group name. To specify a user or group named “everyone,” use the -u or -g option. To specify a group with the same name as a user, use the -g option. The -c option delegates create-time permissions.
The following zfs allow syntax (in bold) identifies how permissions and permission sets are specified:
zfs allow [-s] ... perm|@setname [,...] filesystem | volume
Multiple permissions can be specified as a comma-separated list. Permission names are the same as ZFS subcommands and properties. For more information, see the preceding section.
Permissions can be aggregated into permission sets and are identified by the -s option. Permission sets can be used by other zfs allow commands for the specified file system and its descendents. Permission sets are evaluated dynamically, so changes to a set are immediately updated. Permission sets follow the same naming requirements as ZFS file systems, but the name must begin with an at sign (@) and can be no more than 64 characters in length.
The following zfs allow syntax (in bold) identifies how the permissions are delegated:
zfs allow [-ld] ... ... filesystem | volume
The -l option indicates that the permissions are allowed for the specified dataset and not its descendents, unless the -d option is also specified. The -d option indicates that the permissions are allowed for the descendent datasets and not for this dataset, unless the -l option is also specified. If neither option is specified, then the permissions are allowed for the file system or volume and all of its descendents.
You can remove previously delegated permissions with the zfs unallow command.
For example, assume that you delegated create, destroy, mount, and snapshot permissions as follows:
# zfs allow cindys create,destroy,mount,snapshot tank/cindys # zfs allow tank/cindys ------------------------------------------------------------- Local+Descendent permissions on (tank/cindys) user cindys create,destroy,mount,snapshot -------------------------------------------------------------
To remove these permissions, you would use the following syntax:
# zfs unallow cindys tank/cindys # zfs allow tank/cindys