When you delegate create and mount permissions to an individual user, you must ensure that the user has permissions on the underlying mount point.
For example, to delegate user mark create and mount permissions on the system1 file system, set the permissions first:
# chmod A+user:mark:add_subdirectory:fd:allow /system1/home
Then, use the zfs allow command to delegate create, destroy, and mount permissions. For example:
# zfs allow mark create,destroy,mount system1/home
Now, user mark can create his own file systems in the system1/home file system. For example:
# su mark mark$ zfs create system1/home/mark mark$ ^D # su lp $ zfs create system1/home/lp cannot create 'system1/home/lp': permission deniedExample 44 Delegating create and destroy Permissions to a Group
The following example shows how to set up a file system so that anyone in the staff group can create and mount file systems in the system1/home file system, as well as destroy their own file systems. However, staff group members cannot destroy anyone else's file systems.
# zfs allow staff create,mount system1/home # zfs allow -c create,destroy system1/home # zfs allow system1/home ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy Local+descendant permissions: group staff create,mount # su cindy cindy% zfs create system1/home/cindy/files cindy% exit # su mark mark% zfs create system1/home/mark/data mark% exit cindy% zfs destroy system1/home/mark/data cannot destroy 'system1/home/mark/data': permission deniedExample 45 Delegating Permissions at the Correct File System Level
Ensure that you delegate users permission at the correct file system level. For example, user mark is delegated create, destroy, and mount permissions for the local and descendant file systems. User mark is delegated local permission to snapshot the system1/home file system, but he is not allowed to snapshot his own file system. So, he has not been delegated the snapshot permission at the correct file system level.
# zfs allow -l mark snapshot system1/home # zfs allow system1/home ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy Local permissions: user mark snapshot Local+descendant permissions: group staff create,mount # su mark mark$ zfs snapshot system1/home@snap1 mark$ zfs snapshot system1/home/mark@snap1 cannot create snapshot 'system1/home/mark@snap1': permission denied
To delegate user mark permission at the descendant file system level, use the zfs allow –d option. For example:
# zfs unallow -l mark snapshot system1/home # zfs allow -d mark snapshot system1/home # zfs allow system1/home ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy descendant permissions: user mark snapshot Local+descendant permissions: group staff create,mount # su mark $ zfs snapshot system1/home@snap2 cannot create snapshot 'system1/home@snap2': permission denied $ zfs snapshot system1/home/mark@snappy
Now, user mark can only create a snapshot below the system1/home file system level.
Example 46 Defining and Using Complex Delegated PermissionsYou can delegate specific permissions to users or groups. For example, the following zfs allow command delegates specific permissions to the staff group. In addition, destroy and snapshot permissions are delegated after system1/home file systems are created.
# zfs allow staff create,mount system1/home # zfs allow -c destroy,snapshot system1/home # zfs allow system1/home ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy,snapshot Local+descendant permissions: group staff create,mount
Because user mark is a member of the staff group, he can create file systems in system1/home. In addition, user mark can create a snapshot of system1/home/mark2 because he has specific permissions to do so. For example:
# su mark $ zfs create system1/home/mark2 $ zfs allow system1/home/mark2 ---- Permissions on system1/home/mark2 ---------------------------------- Local permissions: user mark create,destroy,snapshot ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy,snapshot Local+descendant permissions: group staff create,mount
But, user mark cannot create a snapshot in system1/home/mark because he doesn't have specific permissions to do so. For example:
$ zfs snapshot system1/home/mark@snap1 cannot create snapshot 'system1/home/mark@snap1': permission denied
In this example, user mark has create permission in his home directory, which means he can create snapshots. This scenario is helpful when your file system is NFS mounted.
$ cd /system1/home/mark2 $ ls $ cd .zfs $ ls shares snapshot $ cd snapshot $ ls -l total 3 drwxr-xr-x 2 mark staff 2 Sep 27 15:55 snap1 $ pwd /system1/home/mark2/.zfs/snapshot $ mkdir snap2 $ zfs list # zfs list -r system1/home NAME USED AVAIL REFER MOUNTPOINT system1/home/mark 63K 62.3G 32K /system1/home/mark system1/home/mark2 49K 62.3G 31K /system1/home/mark2 system1/home/mark2@snap1 18K - 31K - system1/home/mark2@snap2 0 - 31K - $ ls snap1 snap2 $ rmdir snap2 $ ls snap1Example 47 Defining and Using a ZFS Delegated Permission Set
The following example shows how to create the permission set @myset and delegates the permission set and the rename permission to the group staff for the system1 file system. User cindy, a staff group member, has the permission to create a file system in system1. However, user lp does not have permission to create a file system in system1.
# zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly system1 # zfs allow system1 ---- Permissions on system1 --------------------------------------------- Permission sets: @myset clone,create,destroy,mount,promote,readonly,snapshot # zfs allow staff @myset,rename system1 # zfs allow system1 ---- Permissions on system1 --------------------------------------------- Permission sets: @myset clone,create,destroy,mount,promote,readonly,snapshot Local+descendant permissions: group staff @myset,rename # chmod A+group:staff:add_subdirectory:fd:allow system1 # su cindy cindy% zfs create system1/data cindy% zfs allow system1 ---- Permissions on system1 --------------------------------------------- Permission sets: @myset clone,create,destroy,mount,promote,readonly,snapshot Local+descendant permissions: group staff @myset,rename cindy% ls -l /system1 total 15 drwxr-xr-x 2 cindy staff 2 Jun 24 10:55 data cindy% exit # su lp $ zfs create system1/lp cannot create 'system1/lp': permission denied