Re: [zfs-discuss] RFE filesystem ownership
Roland Mainz wrote: Darren J Moffat wrote: James Dickens wrote: I think ZFS should add the concept of ownership to a ZFS filesystem, so if i create a filesystem for joe, he should be able to use his space how ever he see's fit, if he wants to turn on compression or take 5000 snapshots its his filesystem, let him. If he wants to destroy snapshots, he created them it should be allowed, but he should not be allowed to do the same with carol's filesystem. The current filesystem management is not fine grained enough to deal with this. Of course if we don't assign an owner the filesystem should perform much like it does today. Yes we do need something like this. This is already covered by the following CRs 6280676, 6421209. That could be done if zfs would be based on ksh93... you could simply run it as profile shell (pfksh93) and make a profile for that user+ZFS filesystem... We already have an RBAC profile ZFS File System Management but that allows the user given that profile to manage ALL ZFS file systems. What this is really about is having the zfs kernel module check an ACL on the data set to determine if the user can create/snapshot/clone/destroy/ etc, also certain properties may need to be locked. I've given a lot of thought to this as has Mark Shellenbaum and trust me RBAC is not the answer here and ksh93 based zfs is not going to help one way or another since this is all kernel based policy. -- Darren J Moffat ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] RFE filesystem ownership
Darren J Moffat wrote: Roland Mainz wrote: Darren J Moffat wrote: James Dickens wrote: I think ZFS should add the concept of ownership to a ZFS filesystem, so if i create a filesystem for joe, he should be able to use his space how ever he see's fit, if he wants to turn on compression or take 5000 snapshots its his filesystem, let him. If he wants to destroy snapshots, he created them it should be allowed, but he should not be allowed to do the same with carol's filesystem. The current filesystem management is not fine grained enough to deal with this. Of course if we don't assign an owner the filesystem should perform much like it does today. Yes we do need something like this. This is already covered by the following CRs 6280676, 6421209. That could be done if zfs would be based on ksh93... you could simply run it as profile shell (pfksh93) and make a profile for that user+ZFS filesystem... We already have an RBAC profile ZFS File System Management but that allows the user given that profile to manage ALL ZFS file systems. What this is really about is having the zfs kernel module check an ACL on the data set to determine if the user can create/snapshot/clone/destroy/ etc, also certain properties may need to be locked. Could it be worthwhile imposing limits, in addition to locking? For example, if I gave you the right to snapshot ~darrenm, I might want to only allow you 10 snapshots. Is that a worthwhile restriction or is it better to just let quotas take care of that? At issue here is the potential for (again :) zfs to spam df output through potentially accidental excessive use of snapshots by a user with a buggy cron job. Or maybe they have potential to be malicious through this avenue too? The point here is not to deny the action but to give it bounds. Darren ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] RFE filesystem ownership
Mark Shellenbaum [EMAIL PROTECTED] writes: Yes we do need something like this. This is already covered by the following CRs 6280676, 6421209. These RFE's are currently being investigated. The basic idea is that an adminstrator will be allowed to grant specific users/groups to perform various zfs adminstrative tasks, such as create, destroy, clone, changing properties and so on. After the zfs team is in agreement as to what the interfaces should be, I will forward it to zfs-discuss for further feedback. In addition to this, what I think will become necessary is a way to perform this sort of end-user zfs administration securely over the network (maybe with an RPC service secured with RPCSEC_GSS?): I don't want to grant every single student login to the fileservers to admin their zfs filesystems ;-( Rainer -- - Rainer Orth, Faculty of Technology, Bielefeld University ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] RFE filesystem ownership
Rainer Orth wrote: Mark Shellenbaum [EMAIL PROTECTED] writes: Yes we do need something like this. This is already covered by the following CRs 6280676, 6421209. These RFE's are currently being investigated. The basic idea is that an adminstrator will be allowed to grant specific users/groups to perform various zfs adminstrative tasks, such as create, destroy, clone, changing properties and so on. After the zfs team is in agreement as to what the interfaces should be, I will forward it to zfs-discuss for further feedback. In addition to this, what I think will become necessary is a way to perform this sort of end-user zfs administration securely over the network (maybe with an RPC service secured with RPCSEC_GSS?): I don't want to grant every single student login to the fileservers to admin their zfs filesystems ;-( I'm assuming you mean using zfs(1) but having a remote mode where you indicate the name of the server and pool. There is, sadly, the problem of mandating RPCSEC_GSS because so many people don't have the Kerberos infrastructure setup to use it. Personally I'd be more than happy to say that if you want to use this you must use RPCSEC_GSS but that might not go down well with everyone. I do actually like your suggestion of a zfs command that talks over RPCSEC_GSS and it would work great for me since I do have Kerberos creds on the client and servers I use! However it would be really really nice if we didn't need a special command on the client side. Particularly since it might not be a Solaris machine on the client. As it happens we have a client interface that doesn't require you run Solaris on the client side or have Kerberos deployed; the web based ZFS gui that is secured by SSL. The other option is to allow users to this by doing operations in the special .zfs directory. This should even be possible over NFS or CIFS. For example creation, rename and delete of snapshots using normal file system tools, in .zfs/snapshot. mv seems to be able to rename a snapshot. Maybe we could have cp on a snapshot mean clone eg: $ cd .zfs/snapshot $ mv foo bar $ cp bar baz $ rm may Would rename the snapshot called foo to the snapshot called bar It would then create a clone called baz based on the snapshot bar. Finally removing the snapshot called may. Given that the .zfs directory is special we might be able to invent additional things for doing the other operations. The harder part is setting the options like share/checksum/compression etc. -- Darren J Moffat ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] RFE filesystem ownership
James Dickens wrote: Hi I think ZFS should add the concept of ownership to a ZFS filesystem, so if i create a filesystem for joe, he should be able to use his space how ever he see's fit, if he wants to turn on compression or take 5000 snapshots its his filesystem, let him. If he wants to destroy snapshots, he created them it should be allowed, but he should not be allowed to do the same with carol's filesystem. The current filesystem management is not fine grained enough to deal with this. Of course if we don't assign an owner the filesystem should perform much like it does today. Yes we do need something like this. This is already covered by the following CRs 6280676, 6421209. -- Darren J Moffat ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] RFE filesystem ownership
On 5/23/06, Robert Milkowski [EMAIL PROTECTED] wrote: Hello James, Tuesday, May 23, 2006, 6:43:11 PM, you wrote: JD Hi JD I think ZFS should add the concept of ownership to a ZFS filesystem, JD so if i create a filesystem for joe, he should be able to use his JD space how ever he see's fit, if he wants to turn on compression or JD take 5000 snapshots its his filesystem, let him. If he wants to JD destroy snapshots, he created them it should be allowed, but he should JD not be allowed to do the same with carol's filesystem. The current JD filesystem management is not fine grained enough to deal with this. Of JD course if we don't assign an owner the filesystem should perform much JD like it does today. JD zfs set owner=joe pool/joe IIRC it's planned - however I'm not sure it a user should be able to turn on compression, especially when it's directly turned off by sys admin. perhaps if compression turned/forced off by the admin then it shouldn't be alowed, but enabling compression on a filesystem that just had it off by default should be allowed but of course this complicates implementation. They could create a system wide config file disallowing compression/encryption etc. James uadmin.blogspot.com -- Best regards, Robertmailto:[EMAIL PROTECTED] http://milek.blogspot.com ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [zfs-discuss] RFE filesystem ownership
Darren J Moffat wrote: James Dickens wrote: Hi I think ZFS should add the concept of ownership to a ZFS filesystem, so if i create a filesystem for joe, he should be able to use his space how ever he see's fit, if he wants to turn on compression or take 5000 snapshots its his filesystem, let him. If he wants to destroy snapshots, he created them it should be allowed, but he should not be allowed to do the same with carol's filesystem. The current filesystem management is not fine grained enough to deal with this. Of course if we don't assign an owner the filesystem should perform much like it does today. Yes we do need something like this. This is already covered by the following CRs 6280676, 6421209. These RFE's are currently being investigated. The basic idea is that an adminstrator will be allowed to grant specific users/groups to perform various zfs adminstrative tasks, such as create, destroy, clone, changing properties and so on. After the zfs team is in agreement as to what the interfaces should be, I will forward it to zfs-discuss for further feedback. -Mark ___ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
