Hi Vlad,

The create-time permissions do not provide the correct permissions for destroying descendent datasets, such as clones.

See example 9-5 in this section that describes how to use zfs allow -d option to grant permissions on descendent datasets:

http://docs.sun.com/app/docs/doc/819-5461/gebxb?l=en&a=view

Example 9–5 Delegating Permissions at the Correct File System Level

Delegating or granting the appropriate permissions will take some testing on the part of the administrator who is granting the permissions. I hope the examples help.

Thanks,

Cindy

On 04/26/10 05:28, Vladimir Marek wrote:
Hi,

I'm trying to let zfs users create and destroy snapshots in their zfs filesystems.

So rpool/vm has the permissions:

osol137 19:07 ~: zfs allow rpool/vm
---- Permissions on rpool/vm -----------------------------------------
Permission sets:
        @virtual clone,create,destroy,mount,promote,readonly,receive,rename,rollback,send,share,snapshot,userprop
Create time permissions:
        @virtual
Local permissions:
        group staff create,mount

Now as a regular user I do:

$ zfs create rpool/vm/vm156888
$ zfs create rpool/vm/vm156888/a
$ zfs snapshot rpool/vm/vm156888/a...@1
$ zfs destroy rpool/vm/vm156888/a...@1
cannot destroy 'rpool/vm/vm156888/a...@1': permission denied

The only way around it that I found is to add the 'allow' right to the @virtual group:

sudo zfs allow -s @virtual allow rpool/vm

Now as a regular user I can:

zfs allow vm156888 mount,destroy rpool/vm/vm156888/a
zfs destroy rpool/vm/vm156888/a...@1

I believe that I need to do this because the "Create time" permissions are used only as "Local permissions" on the new filesystem, while for deleting a snapshot I need them as Local+Descendent.

So if a user wants to use snapshots, he has to know to grant himself mount+delete permissions first.

Is this the intended way to go?

Thank you
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss