zfs discuss - Apr 2010 - How to delegate zfs snapshot destroy to users?

Hi,

I''m trying to let zfs users to create and destroy snapshots in their
zfs
filesystems.

So rpool/vm has the permissions:

osol137 19:07 ~: zfs allow rpool/vm
---- Permissions on rpool/vm -----------------------------------------
Permission sets:
        @virtual
clone,create,destroy,mount,promote,readonly,receive,rename,rollback,send,share,snapshot,userprop
Create time permissions:
        @virtual
Local permissions:
        group staff create,mount


now as regular user I do:

$ zfs create rpool/vm/vm156888
$ zfs create rpool/vm/vm156888/a
$ zfs snapshot rpool/vm/vm156888/a at 1
$ zfs destroy rpool/vm/vm156888/a at 1
cannot destroy ''rpool/vm/vm156888/a at 1'': permission denied


The only way around I found is to add ''allow'' right to the
@virtual
group

sudo zfs allow -s @virtual allow rpool/vm

Now as regular user I can:

zfs allow vm156888 mount,destroy rpool/vm/vm156888/a
zfs destroy rpool/vm/vm156888/a at 1

I believe that I need to do this because the "Create time" permissions
are used only as "Local permissions" on new filesystem, while for
deleting snapshot I need them as Local+Descendent.


So user if he wants to use snapshots, he has to know to grant himself
mount+delete permissions first. Is this the intended way to go?

Thank you
-- 
	Vlad

Hi Vlad,

The create-time permissions do not provide the correct permissions for
destroying descendent datasets, such as clones.

See example 9-5 in this section that describes how to use zfs allow -d
option to grant permissions on descendent datasets:

http://docs.sun.com/app/docs/doc/819-5461/gebxb?l=en&a=view

Example 9?5 Delegating Permissions at the Correct File System Level

Delegating or granting the appropriate permissions will take some
testing on the part of the administrator who is granting the
permissions. I hope the examples help.

Thanks,

Cindy



On 04/26/10 05:28, Vladimir Marek wrote:
> Hi,
> 
> I''m trying to let zfs users to create and destroy snapshots in
their zfs
> filesystems.
> 
> So rpool/vm has the permissions:
> 
> osol137 19:07 ~: zfs allow rpool/vm
> ---- Permissions on rpool/vm -----------------------------------------
> Permission sets:
>         @virtual
clone,create,destroy,mount,promote,readonly,receive,rename,rollback,send,share,snapshot,userprop
> Create time permissions:
>         @virtual
> Local permissions:
>         group staff create,mount
> 
> 
> now as regular user I do:
> 
> $ zfs create rpool/vm/vm156888
> $ zfs create rpool/vm/vm156888/a
> $ zfs snapshot rpool/vm/vm156888/a at 1
> $ zfs destroy rpool/vm/vm156888/a at 1
> cannot destroy ''rpool/vm/vm156888/a at 1'': permission
denied
> 
> 
> The only way around I found is to add ''allow'' right to
the @virtual
> group
> 
> sudo zfs allow -s @virtual allow rpool/vm
> 
> Now as regular user I can:
> 
> zfs allow vm156888 mount,destroy rpool/vm/vm156888/a
> zfs destroy rpool/vm/vm156888/a at 1
> 
> I believe that I need to do this because the "Create time"
permissions
> are used only as "Local permissions" on new filesystem, while for
> deleting snapshot I need them as Local+Descendent.
> 
> 
> So user if he wants to use snapshots, he has to know to grant himself
> mount+delete permissions first. Is this the intended way to go?
> 
> Thank you

Hi Cindy,
> The create-time permissions do not provide the correct permissions for
> destroying descendent datasets, such as clones.
> 
> See example 9-5 in this section that describes how to use zfs allow -d
> option to grant permissions on descendent datasets:
> 
> http://docs.sun.com/app/docs/doc/819-5461/gebxb?l=en&a=view
Ah I was missing the fact, that subsequent snapshots inherit access
modes. So simple

zfs allow -d -g staff mount,destroy rpool/vm

fixed things for me.

Thank you !
-- 
	Vlad