Mark Shellenbaum wrote:
Darren J Moffat wrote:
Bill La Forge wrote:
I like to think of delegation as being a bit different than granting permission--in fact, as a special permission that may include counts.

For example, you might delegate to a manager the ability to grant select permissions. You may want to limit the number of users the manager may grant these permissions to and perhaps allow that manager to further delegate one more degree removed to project managers. Delegation then has two counts associated with it--the total number of users to which a permission may be granted and the depth of delegation permitted (often 0). Very handy when working across trust domains, as may be the case when a resource is for open source or involves multiple departments.

We have this concept in Solaris RBAC.

For example the authorisation for SMF solaris.smf.value.cde.login allows you to change properties of the SMF service that starts dtlogin. It does not allow you to give that authorisation to anyone else. The RBAC authorisations are hierarchical so solaris.smf.value.cde would also allow you to do that but still not to give it to others.

To give out to others you need the special "grant" authorisation, which in this example would be one of the following:
    solaris.grant                     # Grant all Solaris auths
    solaris.smf.grant                 # Grant all SMF auths
    solaris.smf.value.grant           # Grant all SMF value auths
    solaris.smf.value.cde.grant       # Grant all CDE service SMF
    solaris.smf.value.cde.login.grant # Grant just CDE login auth

I think it would be nice if we could have this same concept in ZFS.
It doesn't have to be the same syntax but the concept. Which is what I think Bill is saying, separation of use from the ability to delegate to others.



We could have a special permission "allow", for example that would allow
this behavior.  When a normal user delegates to another user they would
be allowed to only hand out permissions they currently have.

I really don't like the use of allow as the zfs command and as the actual argument. Could we use grant instead, particularly since grant already has this meaning in Solaris.

For example:

# zfs allow joe create,destroy,allow <ds>

# zfs allow joe create,destroy,grant <ds>

However that doesn't allow you to give the ability to grant create
but not destroy.

This would.

# zfs allow joe create,create.grant,destroy <ds>

That gives joe the ability to create stuff and to destroy but
he can only delegate creation to others.

What's more that is consistent with the use of adding .grant in
Solaris RBAC.

A more "interesting" example might be:

# zfs allow joe create,destroy,snapshot,create.grant,snapshot.grant <ds>

joe$ zfs allow betty snapshot <ds>
joe$ zfs allow fred create,snapshot <ds>


--
Darren J Moffat
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
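
A small Python model of the `.grant` rules discussed in this thread, added here as an illustration; it is not code from any of the posters, from zfs or from Solaris RBAC. The function names, the rule that grant rights themselves cannot be passed on (delegation depth 0), and the rule that a blanket `grant` covers only permissions the giver holds are assumptions.

```python
# Added illustration: toy model of the delegation rules proposed in this thread.
# Nothing here is real zfs or Solaris RBAC code; all names are hypothetical.

def grant_names(perm):
    """Grant permissions that cover `perm`, broadest first.

    'solaris.smf.value.cde.login' -> 'solaris.grant', 'solaris.smf.grant', ...
    'create'                      -> 'create.grant'
    """
    parts = perm.split(".")
    return [".".join(parts[:i] + ["grant"]) for i in range(1, len(parts) + 1)]


def may_delegate(held, perm):
    """True if a user holding the set `held` may hand `perm` to someone else."""
    if perm == "grant" or perm.endswith(".grant"):
        return False  # assumption: grant rights are not re-delegable (depth 0)
    if "grant" in held and perm in held:
        return True   # blanket form (assumption): pass on anything you hold
    return any(g in held for g in grant_names(perm))


def delegate(table, giver, receiver, perms):
    """Model `giver$ zfs allow receiver perms <ds>`; refuse the whole request
    if any single permission is not delegable by the giver."""
    denied = [p for p in perms if not may_delegate(table.get(giver, set()), p)]
    if denied:
        raise PermissionError(f"{giver} may not delegate: {', '.join(denied)}")
    table.setdefault(receiver, set()).update(perms)


def demo():
    # Constructed state after:
    #   zfs allow joe create,destroy,snapshot,create.grant,snapshot.grant <ds>
    table = {"joe": {"create", "destroy", "snapshot",
                     "create.grant", "snapshot.grant"}}
    delegate(table, "joe", "betty", ["snapshot"])
    delegate(table, "joe", "fred", ["create", "snapshot"])
    try:
        delegate(table, "joe", "fred", ["destroy"])  # joe holds no destroy.grant
        refused = None
    except PermissionError as err:
        refused = str(err)
    return table, refused


if __name__ == "__main__":
    print(demo())
```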
