ZFS Delegated Administration
This chapter describes how to use delegated administration to allow non-privileged users to perform ZFS administration tasks.
8.1. Overview of ZFS Delegated Administration
This feature enables you to distribute fine-grained permissions to specific users, groups, or everyone. Two styles of delegated permissions are supported:
- Individual permissions can be explicitly specified, such as create, destroy, mount, snapshot, and so on.
- Groups of permissions called permission sets can be defined. A permission set can later be updated, and all of the consumers of the set automatically pick up the change. Permission sets begin with the @ character and are limited to 64 characters in length. After the @ character, the remaining characters in the set name have the same restrictions as normal ZFS file system names.
ZFS delegated administration provides features similar to RBAC security. However, ZFS delegated administration provides the following advantages for administering ZFS storage pools and file systems:
- Permissions follow the ZFS storage pool when the pool is migrated.
- Provides dynamic inheritance, and you can control how the permissions propagate through the file systems.
- Can be configured so that only the creator of a file system can destroy the file systems they create.
- Permissions can be distributed to specific file systems. Newly created file systems can automatically pick up permissions.
- Provides simple NFS administration. For example, a user with explicit permissions could create a snapshot over NFS in the appropriate .zfs/snapshot directory.
Consider using delegated administration for distributing ZFS tasks. For information about using RBAC to manage general Solaris administration tasks, see Part III, Roles, Rights Profiles, and Privileges, in System Administration Guide: Security Services.
8.1.1. Disabling ZFS Delegated Permissions
You can modify the ability to use delegated administration with the pool's delegation property. For example:
# zpool get delegation users
NAME   PROPERTY    VALUE  SOURCE
users  delegation  on     default
# zpool set delegation=off users
# zpool get delegation users
NAME   PROPERTY    VALUE  SOURCE
users  delegation  off    local
By default, the delegation property is enabled.
8.2. Delegating ZFS Permissions
You can use the zfs allow command to grant permissions on ZFS datasets to non-root users in the following ways:
- Individual permissions can be granted to a user, group, or everyone.
- Groups of individual permissions can be granted as a permission set to a user, group, or everyone.
- Permissions can be granted either locally, which is to the current dataset only, or granted to all descendents of the current dataset.
The following table describes the operations that can be delegated and any dependent permissions that are required to do the delegated operations.
Permission (Subcommand) | Description | Dependencies
---|---|---
allow | The ability to grant permissions that you have to another user. | Must also have the permission that is being allowed.
clone | The ability to clone any of the dataset's snapshots. | Must also have the
create | The ability to create descendent datasets. | Must also have the
destroy | The ability to destroy a dataset. | Must also have the
mount | The ability to mount and unmount a dataset and create and destroy volume device links. |
promote | The ability to promote a clone to a dataset. | Must also have the
receive | The ability to create descendent file system with the | Must also have the
rename | The ability to rename a dataset. | Must also have the
rollback | The ability to rollback a snapshot. | Must also have the
send | The ability to send a snapshot stream. |
share | The ability to share and unshare a dataset. |
snapshot | The ability to take a snapshot of a dataset. |
In addition, you can delegate the following ZFS properties to non-root users:
- aclinherit
- aclmode
- atime
- canmount
- casesensitivity
- checksum
- compression
- copies
- exec
- devices
- mountpoint
- nbmand
- normalization
- quota
- readonly
- recordsize
- reservation
- setuid
- shareiscsi
- sharenfs
- sharesmb
- snapdir
- userprop
- utf8only
- version
- volsize
- vscan
- xattr
- zoned
Some of the properties listed above can only be set at dataset creation time. For a description of these properties, see Introducing ZFS Properties.
8.2.1. Syntax Descriptions for Delegating Permissions
The zfs allow syntax is as follows:
# zfs allow -[ldugecs] everyone|user|group[,...] perm|@setname[,...] filesystem|volume
The following zfs allow syntax identifies to whom the permissions are delegated:
zfs allow [-uge] | user | group | everyone [,...] filesystem | volume
Multiple entities can be specified as a comma-separated list. If none of the -uge options are specified, then the argument is interpreted preferentially as the keyword everyone, then as a user name, and lastly, as a group name. To specify a user or group named “everyone,” use the -u or -g options. To specify a group with the same name as a user, use the -g option.
The following zfs allow syntax identifies how permissions and permission sets are specified:
zfs allow [-s] ... perm | @setname [,...] filesystem | volume
Multiple permissions can be specified as a comma-separated list. Permission names are the same as ZFS subcommands and properties. For more information, see the section above.
Permissions can be aggregated into permission sets, which are identified by the -s option. Permission sets can be used by other zfs allow commands for the specified file system and its descendents. Sets are evaluated dynamically, so changes to a set are immediately updated. Permission sets follow the same naming conventions as ZFS file systems, but the name must begin with an at sign (@), and can be no more than 64 characters long.
The following zfs allow syntax identifies how the permissions are delegated:
zfs allow [-ld] ... ... filesystem | volume
The -l option indicates that the permission is allowed for the specified dataset and not its descendents, unless the -d option is also specified. The -d option indicates that the permission is allowed for the descendent datasets and not for this dataset, unless the -l option is also specified. If neither of the -ld options is specified, then the permissions are allowed for the file system or volume and all of its descendents.
8.2.2. Removing ZFS Delegated Permissions (zfs unallow)
You can remove previously granted permissions with the zfs unallow command.
For example, if you delegated create, destroy, mount, and snapshot permissions as follows:
# zfs allow cindys create,destroy,mount,snapshot tank/cindys
# zfs allow tank/cindys
-------------------------------------------------------------
Local+Descendent permissions on (tank/cindys)
    user cindys create,destroy,mount,snapshot
-------------------------------------------------------------
You would need to use syntax similar to the following to remove these permissions:
# zfs unallow cindys tank/cindys
# zfs allow tank/cindys
8.3. Using ZFS Delegated Administration
This section provides examples of displaying and delegating permissions.
8.3.1. Displaying ZFS Delegated Permissions (Examples)
You can use the following command to display permissions:
# zfs allow dataset
The above command prints permissions that are set or allowed on this dataset. The output contains the following components:
- Permission sets
- Specific permissions or create time permissions
- Local
- Local and descendent
- Descendent only
The following example output indicates that user cindys has permission to create, destroy, mount, and snapshot in the tank/cindys file system.
# zfs allow tank/cindys
-------------------------------------------------------------
Local+Descendent permissions on (tank/cindys)
    user cindys create,destroy,mount,snapshot
The following example output indicates the following permissions on the pool and pool/fred file systems.
For the pool/fred file system:
- Two permission sets are defined:
  - @eng (create, destroy, snapshot, mount, clone, promote, rename)
  - @simple (create, mount)
- Create time permissions are set for the @eng permission set and the mountpoint property. Create time means that after a dataset is created, the @eng permission set and the mountpoint property are granted.
- User tom is granted the @eng permission set, and user joe is granted create, destroy, and mount permissions for local file systems.
- User fred is granted the @basic permission set and share and rename permissions for the local and descendent file systems.
- User barney is granted the @basic permission set for descendent file systems only.
For the pool file system:
- The permission set @simple (create, destroy, mount) is defined.
- The group staff is granted the @simple permission set on the local file system.
$ zfs allow pool/fred
------------------------------------------------------------------------------
Permission sets on (pool/fred)
    @eng create,destroy,snapshot,mount,clone,promote,rename
    @simple create,mount
Create time permissions on (pool/fred)
    @eng,mountpoint
Local permissions on (pool/fred)
    user tom @eng
    user joe create,destroy,mount
Local+Descendent permissions on (pool/fred)
    user fred @basic,share,rename
Descendent permissions on (pool/fred)
    user barney @basic
    group staff @basic
------------------------------------------------------------------------------
Permission sets on (pool)
    @simple create,destroy,mount
Local permissions on (pool)
    group staff @simple
------------------------------------------------------------------------------
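As an added example (not part of this guide), the following Python script parses a zfs allow listing like the one above and reports the effective permissions a principal holds on a dataset, applying the local/descendent scoping rules from section 8.2.1 and the dynamic resolution of @set names. The embedded listing is constructed from the pool/fred output above, with the Descendent grant to staff changed to @simple so that set shadowing between pool and pool/fred is visible; the function names are my own.

```python
import re
from collections import defaultdict
SAMPLE = """\
Permission sets on (pool/fred)
    @eng create,destroy,snapshot,mount,clone,promote,rename
    @simple create,mount
Create time permissions on (pool/fred)
    @eng,mountpoint
Local permissions on (pool/fred)
    user tom @eng
Local+Descendent permissions on (pool/fred)
    user fred @basic,share,rename
Descendent permissions on (pool/fred)
    group staff @simple
------------------------------------------------------------------------------
Permission sets on (pool)
    @simple create,destroy,mount
Local permissions on (pool)
    group staff @simple
"""  # constructed sample, adapted from the "zfs allow pool/fred" listing in section 8.3.1
HEADER = re.compile(r"^(.+) on \((\S+)\)$")  # e.g. "Local+Descendent permissions on (pool/fred)"

def parse_allow(text):
    # Returns {dataset: {scope: [(principal or @set, [perms])]}}; scope is the heading minus " permissions".
    entries, scope, ds = defaultdict(lambda: defaultdict(list)), None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.match(line):
            scope, ds = m.group(1).replace(" permissions", ""), m.group(2)
        elif line and line[0] != "-":  # skip blank lines and the "-----" separators
            tok = line.split()  # "@eng create,...", "user tom @eng", "everyone mount" or "@eng,mountpoint"
            entries[ds][scope].append((":".join(tok[:-1]) or "creator", tok[-1].split(",")))
    return entries

def ancestors(ds):  # "pool/fred/proj" -> ["pool/fred/proj", "pool/fred", "pool"]
    return ["/".join(ds.split("/")[:i]) for i in range(ds.count("/") + 1, 0, -1)]

def lookup_set(name, entries, at):
    # Sets are evaluated dynamically: the nearest definition at or above `at` wins; undefined means empty.
    for a in ancestors(at):
        for sname, perms in entries.get(a, {}).get("Permission sets", []):
            if sname == name:
                return perms
    return []

def effective(entries, ds, user, groups=()):
    # Permissions `user` holds on `ds` under the -l/-d scoping rules. Not modelled: create-time
    # grants and the dependency rule from the table in 8.2 (create also needs mount, and so on).
    principals, granted = {"user:" + user, "everyone"} | {"group:" + g for g in groups}, set()
    for anc in ancestors(ds):  # Local counts only at ds itself; Descendent only from strict ancestors
        scopes = ["Local+Descendent", "Local" if anc == ds else "Descendent"]
        for who, perms in [e for s in scopes for e in entries.get(anc, {}).get(s, [])]:
            if who in principals:
                for p in perms:  # @set names resolve relative to the dataset that carries the grant
                    granted.update(lookup_set(p, entries, anc) if p[0] == "@" else [p])
    return granted
```

Running effective(parse_allow(SAMPLE), "pool/fred/proj", "alice", groups=("staff",)) returns {"create", "mount"} rather than pool's create, destroy, mount, because the @simple definition on pool/fred shadows the one on pool for that grant.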
8.3.2. Delegating ZFS Permissions (Examples)
When you provide create and mount permissions, you need to make sure that the user has permissions on the underlying mount point.
For example, to give marks create and mount permissions on tank, set the permissions first:
# chmod A+user:marks:add_subdirectory:fd:allow /tank
Then, use the zfs allow command to grant create, destroy, and mount permissions. For example:
# zfs allow marks create,destroy,mount tank
This means that marks can create his own file systems in the tank file system. For example:
# su marks
marks$ zfs create tank/marks
marks$ ^D
# su lp
$ zfs create tank/lp
cannot create 'tank/lp': permission denied
The following example shows how to set up a file system so that anyone in the staff group can create and mount file systems in the tank file system, and also allows them to destroy their own file systems. However, staff group members cannot destroy anyone else's file systems.
# zfs allow staff create,mount tank
# zfs allow -c create,destroy tank
# zfs allow tank
-------------------------------------------------------------
Create time permissions on (tank)
    create,destroy
Local+Descendent permissions on (tank)
    group staff create,mount
-------------------------------------------------------------
# su cindys
cindys% zfs create tank/cindys
cindys% exit
# su marks
marks% zfs create tank/marks/data
marks% exit
cindys% zfs destroy tank/marks/data
cannot destroy 'tank/mark': permission denied
Make sure to grant users permission at the right file system level. User marks is granted create, destroy, and mount permissions for the local and descendent file systems. User marks is granted local permission to snapshot the tank file system, but this does not allow him to snapshot his own file system.
# zfs allow -l marks snapshot tank
# zfs allow tank
-------------------------------------------------------------
Local permissions on (tank)
    user marks snapshot
Local+Descendent permissions on (tank)
    user marks create,destroy,mount
-------------------------------------------------------------
# su marks
marks$ zfs snapshot tank/@snap1
marks$ zfs snapshot tank/marks@snap1
cannot create snapshot 'mark/marks@snap1': permission denied
Use the zfs allow -d option to grant marks permission at the descendent level. For example:
# zfs unallow -l marks snapshot tank
# zfs allow -d marks snapshot tank
# zfs allow tank
-------------------------------------------------------------
Descendent permissions on (tank)
    user marks snapshot
Local+Descendent permissions on (tank)
    user marks create,destroy,mount
-------------------------------------------------------------
# su marks
$ zfs snapshot tank@snap2
cannot create snapshot 'sandbox@snap2': permission denied
$ zfs snapshot tank/marks@snappy
User marks can only create a snapshot below the tank level.
You can grant specific permissions to users or groups. For example, the following zfs allow command grants specific permissions to the staff group. In addition, destroy and snapshot permissions are granted after tank file systems are created.
# zfs allow staff create,mount tank
# zfs allow tank
-------------------------------------------------------------
Create time permissions on (tank)
    destroy,snapshot
Local+Descendent permissions on (tank)
    group staff create
-------------------------------------------------------------
Because marks is a member of the staff group, he can create file systems in tank. In addition, user marks can create a snapshot of tank/marks2 because he has specific permissions. For example:
# su marks
$ zfs create tank/marks2
$ zfs allow tank/marks2
-------------------------------------------------------------
Local permissions on (tank/marks2)
    user marks destroy,snapshot
-------------------------------------------------------------
Create time permissions on (tank)
    destroy,snapshot
Local+Descendent permissions on (tank)
    group staff create
    everyone mount
-------------------------------------------------------------
But he cannot create a snapshot in tank/marks because he does not have specific permissions there. See the listing above. For example:
$ zfs snapshot tank/marks2@snap1
$ zfs snapshot tank/marks@snappp
cannot create snapshot 'tank/marks@snappp': permission denied
You can create snapshot directories if you have create permission in your home directory, for example. This is helpful when your file system is NFS mounted. For example:
$ cd /tank/marks2
$ ls
$ cd .zfs
$ ls
snapshot
$ cd snapshot
$ ls -l
total 3
drwxr-xr-x   2 marks    staff          2 Dec 15 13:53 snap1
$ pwd
/tank/marks2/.zfs/snapshot
$ mkdir snap2
$ zfs list
NAME                USED  AVAIL  REFER  MOUNTPOINT
tank                264K  33.2G  33.5K  /tank
tank/marks         24.5K  33.2G  24.5K  /tank/marks
tank/marks2          46K  33.2G  24.5K  /tank/marks2
tank/marks2@snap1  21.5K      -  24.5K  -
tank/marks2@snap2      0      -  24.5K  -
$ ls
snap1  snap2
$ rmdir snap2
$ ls
snap1
The following example creates a permission set @myset and grants the permission set and the rename permission to the group staff for the tank file system. User cindys, a group staff member, has the ability to create a file system in tank, but user lp has no permission to create a file system in tank.
# zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly tank
# zfs allow tank
-------------------------------------------------------------
Permission sets on (tank)
    @myset clone,create,destroy,mount,promote,readonly,snapshot
-------------------------------------------------------------
# zfs allow staff @myset,rename tank
# zfs allow tank
-------------------------------------------------------------
Permission sets on (tank)
    @myset clone,create,destroy,mount,promote,readonly,snapshot
Local+Descendent permissions on (tank)
    group staff @myset,rename
# chmod A+group:staff:add_subdirectory:fd:allow tank
# su cindys
cindys% zfs create tank/data
Cindys% zfs allow tank
-------------------------------------------------------------
Permission sets on (tank)
    @myset clone,create,destroy,mount,promote,readonly,snapshot
Local+Descendent permissions on (tank)
    group staff @myset,rename
-------------------------------------------------------------
cindys% ls -l /tank
total 15
drwxr-xr-x   2 cindys   staff          2 Aug  8 14:10 data
cindys% exit
# su lp
$ zfs create tank/lp
cannot create 'tank/lp': permission denied
8.3.3. Removing ZFS Permission (Examples)
You can use the following command to remove granted permissions. For example, user cindys has permission to create, mount, destroy, and snapshot in the tank/cindys file system.
# zfs allow cindys create,destroy,mount,snapshot tank/cindys
# zfs allow tank/cindys
-------------------------------------------------------------
Local+Descendent permissions on (tank/cindys)
    user cindys create,destroy,mount,snapshot
-------------------------------------------------------------
This zfs unallow syntax removes user cindys's snapshot permission from the tank/cindys file system.
# zfs unallow cindys snapshot tank/cindys
# zfs allow tank/cindys
-------------------------------------------------------------
Local+Descendent permissions on (tank/cindys)
    user cindys create,destroy,mount
-------------------------------------------------------------
cindys% zfs create tank/cindys/data
cindys% zfs snapshot tank/cindys@today
cannot create snapshot 'tank/cindys@today': permission denied
User marks has the following permissions in tank/marks.
# zfs allow tank/marks
-------------------------------------------------------------
Local+Descendent permissions on (tank/marks)
    user marks create,destroy,mount
-------------------------------------------------------------
The following zfs unallow syntax removes all permissions for user marks from tank/marks.
# zfs unallow marks tank/marks
The following zfs unallow syntax removes a permission set on the tank file system.
# zfs allow tank
-------------------------------------------------------------
Permission sets on (tank)
    @myset clone,create,destroy,mount,promote,readonly,snapshot
Create time permissions on (tank)
    create,destroy,mount
Local+Descendent permissions on (tank)
    group staff create,mount
-------------------------------------------------------------
# zfs unallow -s @myset tank
$ zfs allow tank
-------------------------------------------------------------
Create time permissions on (tank)
    create,destroy,mount
Local+Descendent permissions on (tank)
    group staff create,mount
-------------------------------------------------------------