Delegating ZFS Permissions Examples
Example 9-1 Delegating Permissions to an Individual User
When you delegate create
and mount
permissions to an individual user, you must ensure that the user has permissions on the underlying mount point.
For example, to delegate user mork
create
and mount
permissions on the
system1
file system, set the permissions first:
$ chmod A+user:mork:add_subdirectory:fd:allow /system1/home
Then, use the zfs allow
command to delegate create
, destroy
, and mount
permissions. For example:
$ zfs allow mork create,destroy,mount system1/home
Now, user mork
can create his own file systems in the
system1/home
file system. For example:
$ su mork mork$ zfs create system1/home/mork mork$ ^D $ su lp $ zfs create system1/home/lp cannot create 'system1/home/lp': permission denied
Example 9-2 Delegating create
and destroy
Permissions to a Group
The following example shows how to set up a file system so that anyone in the staff
group can create and mount file systems in the system1/home
file system, as well as destroy their own file systems. However, staff
group members cannot destroy anyone else's file systems.
$ zfs allow staff create,mount system1/home $ zfs allow -c create,destroy system1/home $ zfs allow system1/home ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy Local+descendant permissions: group staff create,mount $ su mindy mindy% zfs create system1/home/mindy/files mindy% exit $ su mork mork% zfs create system1/home/mork/data mork% exit mindy% zfs destroy system1/home/mork/data cannot destroy 'system1/home/mork/data': permission denied
Example 9-3 Delegating Permissions at the Correct File System Level
Ensure that you delegate users permission at the correct file system level. For
example, user mork
is delegated create
,
destroy
, and mount
permissions for the
local and descendant file systems. User mork
is delegated local
permission to snapshot the system1/home
file system, but he is
not allowed to snapshot his own file system. So, he has not been delegated the
snapshot
permission at the correct file system level.
$ zfs allow -l mork snapshot system1/home $ zfs allow system1/home ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy Local permissions: user mork snapshot Local+descendant permissions: group staff create,mount $ su mork mork$ zfs snapshot system1/home@snap1 mork$ zfs snapshot system1/home/mork@snap1 cannot create snapshot 'system1/home/mork@snap1': permission denied
To delegate user mork
permission at the descendant file system
level, use the zfs allow -d
command. For example:
$ zfs unallow -l mork snapshot system1/home $ zfs allow -d mork snapshot system1/home $ zfs allow system1/home ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy descendant permissions: user mork snapshot Local+descendant permissions: group staff create,mount $ su mork $ zfs snapshot system1/home@snap2 cannot create snapshot 'system1/home@snap2': permission denied $ zfs snapshot system1/home/mork@snappy
Now, user mork
can only create a snapshot below the
system1/home
file system level.
Example 9-4 Defining and Using Complex Delegated Permissions
You can delegate specific permissions to users or groups. For example, the following zfs allow
command delegates specific permissions to the staff
group. In addition, destroy
and snapshot
permissions are delegated after system1/home
file systems are created.
$ zfs allow staff create,mount system1/home $ zfs allow -c destroy,snapshot system1/home $ zfs allow system1/home ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy,snapshot Local+descendant permissions: group staff create,mount
Because user mork
is a member of the staff
group, he can create file systems in system1/home
. In addition,
user mork
can create a snapshot of
system1/home/mark2
because he has specific permissions to
do so. For example:
$ su mork $ zfs create system1/home/mark2 $ zfs allow system1/home/mark2 ---- Permissions on system1/home/mark2 ---------------------------------- Local permissions: user mork create,destroy,snapshot ---- Permissions on system1/home ---------------------------------------- Create time permissions: create,destroy,snapshot Local+descendant permissions: group staff create,mount
But, user mork
cannot create a snapshot in
system1/home/mork
because he does not have specific
permissions to do so. For example:
$ zfs snapshot system1/home/mork@snap1
cannot create snapshot 'system1/home/mork@snap1': permission denied
In this example, user mork
has create
permission in his home directory, which means he can create snapshots. This scenario
is helpful when your file system is NFS mounted.
$ cd /system1/home/mark2 $ ls $ cd .zfs $ ls shares snapshot $ cd snapshot $ ls -l total 3 drwxr-xr-x 2 mork staff 2 Sep 27 15:55 snap1 $ pwd /system1/home/mark2/.zfs/snapshot $ mkdir snap2 $ zfs list # zfs list -r system1/home NAME USED AVAIL REFER MOUNTPOINT system1/home/mork 63K 62.3G 32K /system1/home/mork system1/home/mark2 49K 62.3G 31K /system1/home/mark2 system1/home/mark2@snap1 18K - 31K - system1/home/mark2@snap2 0 - 31K - $ ls snap1 snap2 $ rmdir snap2 $ ls snap1
Example 9-5 Defining and Using a ZFS Delegated Permission Set
The following example shows how to create the permission set
@myset
and delegates the permission set and the
rename
permission to the group staff
for
the system1
file system. User mindy
, a
staff
group member, has the permission to create a file
system in system1
. However, user lp
does not
have permission to create a file system in system1
.
$ zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly \ system1 $ zfs allow system1 ---- Permissions on system1 --------------------------------------------- Permission sets: @myset clone,create,destroy,mount,promote,readonly,snapshot $ zfs allow staff @myset,rename system1 $ zfs allow system1 ---- Permissions on system1 --------------------------------------------- Permission sets: @myset clone,create,destroy,mount,promote,readonly,snapshot Local+descendant permissions: group staff @myset,rename $ chmod A+group:staff:add_subdirectory:fd:allow system1 # su mindy mindy% zfs create system1/data mindy% zfs allow system1 ---- Permissions on system1 --------------------------------------------- Permission sets: @myset clone,create,destroy,mount,promote,readonly,snapshot Local+descendant permissions: group staff @myset,rename mindy% ls -l /system1 total 15 drwxr-xr-x 2 mindy staff 2 Jun 24 10:55 data mindy% exit $ su lp $ zfs create system1/lp cannot create 'system1/lp': permission denied