Hi Vlad,
The create-time permissions do not provide the correct permissions for
destroying descendent datasets, such as clones.
See example 9-5 in this section that describes how to use zfs allow -d
option to grant permissions on descendent datasets:
http://docs.sun.com/app/docs/doc/819-5461/gebxb?l=en&a=view
Example 9–5 Delegating Permissions at the Correct File System Level
Delegating or granting the appropriate permissions will take some
testing on the part of the administrator who is granting the
permissions. I hope the examples help.
Thanks,
Cindy
On 04/26/10 05:28, Vladimir Marek wrote:
Hi,
I'm trying to let zfs users to create and destroy snapshots in their zfs
filesystems.
So rpool/vm has the permissions:
osol137 19:07 ~: zfs allow rpool/vm
---- Permissions on rpool/vm -----------------------------------------
Permission sets:
@virtual
clone,create,destroy,mount,promote,readonly,receive,rename,rollback,send,share,snapshot,userprop
Create time permissions:
@virtual
Local permissions:
group staff create,mount
now as regular user I do:
$ zfs create rpool/vm/vm156888
$ zfs create rpool/vm/vm156888/a
$ zfs snapshot rpool/vm/vm156888/a...@1
$ zfs destroy rpool/vm/vm156888/a...@1
cannot destroy 'rpool/vm/vm156888/a...@1': permission denied
The only way around I found is to add 'allow' right to the @virtual
group
sudo zfs allow -s @virtual allow rpool/vm
Now as regular user I can:
zfs allow vm156888 mount,destroy rpool/vm/vm156888/a
zfs destroy rpool/vm/vm156888/a...@1
I believe that I need to do this because the "Create time" permissions
are used only as "Local permissions" on new filesystem, while for
deleting snapshot I need them as Local+Descendent.
So user if he wants to use snapshots, he has to know to grant himself
mount+delete permissions first. Is this the intended way to go?
Thank you
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
