Go to main content

Managing ZFS File Systems in Oracle® Solaris 11.3

Exit Print View

Updated: May 2019
 
 

Delegating ZFS Permissions Examples

Example 43  Delegating Permissions to an Individual User

When you delegate create and mount permissions to an individual user, you must ensure that the user has permissions on the underlying mount point.

For example, to delegate user mark create and mount permissions on the system1 file system, set the permissions first:

# chmod A+user:mark:add_subdirectory:fd:allow /system1/home

Then, use the zfs allow command to delegate create, destroy, and mount permissions. For example:

# zfs allow mark create,destroy,mount system1/home

Now, user mark can create his own file systems in the system1/home file system. For example:

# su mark
mark$ zfs create system1/home/mark
mark$ ^D
# su lp
$ zfs create system1/home/lp
cannot create 'system1/home/lp': permission denied
Example 44  Delegating create and destroy Permissions to a Group

The following example shows how to set up a file system so that anyone in the staff group can create and mount file systems in the system1/home file system, as well as destroy their own file systems. However, staff group members cannot destroy anyone else's file systems.

# zfs allow staff create,mount system1/home
# zfs allow -c create,destroy system1/home
# zfs allow system1/home
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy
Local+descendant permissions:
group staff create,mount
# su cindy
cindy% zfs create system1/home/cindy/files
cindy% exit
# su mark
mark% zfs create system1/home/mark/data
mark% exit
cindy% zfs destroy system1/home/mark/data
cannot destroy 'system1/home/mark/data': permission denied
Example 45  Delegating Permissions at the Correct File System Level

Ensure that you delegate users permission at the correct file system level. For example, user mark is delegated create, destroy, and mount permissions for the local and descendant file systems. User mark is delegated local permission to snapshot the system1/home file system, but he is not allowed to snapshot his own file system. So, he has not been delegated the snapshot permission at the correct file system level.

# zfs allow -l mark snapshot system1/home
# zfs allow system1/home
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy
Local permissions:
user mark snapshot
Local+descendant permissions:
group staff create,mount
# su mark
mark$ zfs snapshot system1/home@snap1
mark$ zfs snapshot system1/home/mark@snap1
cannot create snapshot 'system1/home/mark@snap1': permission denied

To delegate user mark permission at the descendant file system level, use the zfs allow –d option. For example:

# zfs unallow -l mark snapshot system1/home
# zfs allow -d mark snapshot system1/home
# zfs allow system1/home
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy
descendant permissions:
user mark snapshot
Local+descendant permissions:
group staff create,mount
# su mark
$ zfs snapshot system1/home@snap2
cannot create snapshot 'system1/home@snap2': permission denied
$ zfs snapshot system1/home/mark@snappy

Now, user mark can only create a snapshot below the system1/home file system level.

Example 46  Defining and Using Complex Delegated Permissions

You can delegate specific permissions to users or groups. For example, the following zfs allow command delegates specific permissions to the staff group. In addition, destroy and snapshot permissions are delegated after system1/home file systems are created.

# zfs allow staff create,mount system1/home
# zfs allow -c destroy,snapshot system1/home
# zfs allow system1/home
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy,snapshot
Local+descendant permissions:
group staff create,mount

Because user mark is a member of the staff group, he can create file systems in system1/home. In addition, user mark can create a snapshot of system1/home/mark2 because he has specific permissions to do so. For example:

# su mark
$ zfs create system1/home/mark2
$ zfs allow system1/home/mark2
---- Permissions on system1/home/mark2 ----------------------------------
Local permissions:
user mark create,destroy,snapshot
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy,snapshot
Local+descendant permissions:
group staff create,mount

But, user mark cannot create a snapshot in system1/home/mark because he doesn't have specific permissions to do so. For example:

$ zfs snapshot system1/home/mark@snap1
cannot create snapshot 'system1/home/mark@snap1': permission denied

In this example, user mark has create permission in his home directory, which means he can create snapshots. This scenario is helpful when your file system is NFS mounted.

$ cd /system1/home/mark2
$ ls
$ cd .zfs
$ ls
shares snapshot
$ cd snapshot
$ ls -l
total 3
drwxr-xr-x   2 mark    staff          2 Sep 27 15:55 snap1
$ pwd
/system1/home/mark2/.zfs/snapshot
$ mkdir snap2
$ zfs list
# zfs list -r system1/home
NAME                       USED  AVAIL  REFER  MOUNTPOINT
system1/home/mark           63K  62.3G    32K  /system1/home/mark
system1/home/mark2          49K  62.3G    31K  /system1/home/mark2
system1/home/mark2@snap1    18K      -    31K  -
system1/home/mark2@snap2      0      -    31K  -
$ ls
snap1  snap2
$ rmdir snap2
$ ls
snap1
Example 47  Defining and Using a ZFS Delegated Permission Set

The following example shows how to create the permission set @myset and delegates the permission set and the rename permission to the group staff for the system1 file system. User cindy, a staff group member, has the permission to create a file system in system1. However, user lp does not have permission to create a file system in system1.

# zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly system1
# zfs allow system1
---- Permissions on system1 ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
# zfs allow staff @myset,rename system1
# zfs allow system1
---- Permissions on system1 ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
Local+descendant permissions:
group staff @myset,rename
# chmod A+group:staff:add_subdirectory:fd:allow system1
# su cindy
cindy% zfs create system1/data
cindy% zfs allow system1
---- Permissions on system1 ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
Local+descendant permissions:
group staff @myset,rename
cindy% ls -l /system1
total 15
drwxr-xr-x   2 cindy   staff          2 Jun 24 10:55 data
cindy% exit
# su lp
$ zfs create system1/lp
cannot create 'system1/lp': permission denied
Copyright © 2006, 2019, Oracle and/or its affiliates. All rights reserved. 
Previous
Next