ZFS Delegated Administration
Overview of ZFS Delegated Administration
| zfs allow option | Description |
| --- | --- |
| -l, -d, or -ld | Specifies where the permissions are delegated. If neither of the -ld options is specified, or both are, then the permissions are allowed for the file system or volume and all of its descendents. If only the -l option is used, then the permissions are allowed "locally" only for the specified file system. If only the -d option is used, then the permissions are allowed only for the descendent file systems. |
| -u, -g, or -ug | Specifies to whom the permissions are delegated. Multiple entities can be specified as a comma-separated list. If neither of the -ug options is specified, then the argument is interpreted preferentially as the keyword "everyone", then as a user name, and lastly as a group name. To specify a user or group named "everyone", use the -u or -g option. To specify a group with the same name as a user, use the -g option. |
| -e | Specifies that the permissions be delegated to "everyone". Multiple permissions may be specified as a comma-separated list. Permission names are the same as ZFS subcommand and property names. Property set names, which begin with an "at sign" ("@"), may also be specified. |
| -c | Sets "create time" permissions. These permissions are granted (locally) to the creator of any newly created descendent file system. |
| -s | Defines or adds permissions to a permission set. The set can be used by other zfs allow commands for the specified file system and its descendents. Sets are evaluated dynamically, so changes to a set are immediately reflected. Permission sets follow the same naming restrictions as ZFS file systems, but the name must begin with an "at sign" ("@") and can be no more than 64 characters long. |
The following table describes the operations that can be delegated and
any dependent permissions that are required to perform the delegated operations.
| Permission (Subcommand) | Description | Dependencies |
| --- | --- | --- |
| allow | The ability to grant permissions that you have to another user. | Must also have the permission that is being allowed. |
| clone | The ability to clone any of the dataset's snapshots. | Must also have the create ability and the mount ability in the origin file system. |
| create | The ability to create descendent datasets. | Must also have the mount ability. |
| destroy | The ability to destroy a dataset. | Must also have the mount ability. |
| mount | The ability to mount and unmount a dataset, and create and destroy volume device links. | |
| promote | The ability to promote a clone to a dataset. | Must also have the mount ability and promote ability in the origin file system. |
| receive | The ability to create descendent file systems with the zfs receive command. | Must also have the mount ability and the create ability. |
| rename | The ability to rename a dataset. | Must also have the create ability and the mount ability in the new parent. |
| rollback | The ability to roll back a snapshot. | Must also have the mount ability. |
| send | The ability to send a snapshot stream. | |
| share | The ability to share and unshare a dataset. | |
| snapshot | The ability to take a snapshot of a dataset. | |
| userprop | Allows changing any user property. | |
The following ZFS properties can be delegated:
aclinherit
aclmode
atime
canmount
checksum
compression
copies
devices
exec
mountpoint
quota
readonly
recordsize
reservation
setuid
shareiscsi
sharenfs
snapdir
version
volsize
xattr
zoned
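As an added example (not Oracle's or OpenSolaris code), the following Python models the dependency table and property list above so that a proposed `zfs allow` grant can be audited for dependencies it silently lacks, or expanded to the smallest grant that satisfies them. It assumes permission-set definitions are passed in as a dict keyed by `@name`, and it treats the dependencies the page ties to the origin file system or the new parent as if they were on the same dataset.

```python
# Added example (not Oracle's code). Dependencies come from the table above;
# "in the origin file system" / "in the new parent" are treated as the same dataset.
SUBCOMMAND_DEPS = {
    "allow": set(), "mount": set(), "send": set(), "share": set(),
    "snapshot": set(), "userprop": set(),
    "clone": {"create", "mount"},     # in the origin file system
    "create": {"mount"}, "destroy": {"mount"}, "rollback": {"mount"},
    "promote": {"mount", "promote"},  # in the origin file system
    "receive": {"mount", "create"},
    "rename": {"create", "mount"},    # in the new parent
}
# Delegable properties from the list on this page; they have no dependencies.
DELEGABLE_PROPERTIES = set("""aclinherit aclmode atime canmount checksum
compression copies devices exec mountpoint quota readonly recordsize reservation
setuid shareiscsi sharenfs snapdir version volsize xattr zoned""".split())

def expand_sets(perms, sets):
    """Replace '@name' entries with the set's members; sets may nest."""
    out, todo, seen = set(), list(perms), set()
    while todo:
        p = todo.pop()
        if not p.startswith("@"):
            out.add(p)
        elif p not in sets:
            raise ValueError("unknown permission set " + p)
        elif p not in seen:  # guard against circular set definitions
            seen.add(p)
            todo.extend(sets[p])
    return out

def missing_dependencies(granted, sets=None):
    """Map each granted subcommand to the deps it lacks; unknown names -> 'unknown'."""
    perms = expand_sets(granted, sets or {})
    missing = {}
    for p in sorted(perms):
        if p in SUBCOMMAND_DEPS:
            if SUBCOMMAND_DEPS[p] - perms:
                missing[p] = SUBCOMMAND_DEPS[p] - perms
        elif p not in DELEGABLE_PROPERTIES:
            missing.setdefault("unknown", set()).add(p)
    return missing

def minimal_closure(requested, sets=None):
    """Smallest grant containing `requested` and all transitive dependencies."""
    perms = expand_sets(requested, sets or {})
    while True:
        extra = set().union(*(SUBCOMMAND_DEPS.get(p, set()) for p in perms))
        if extra <= perms:
            return perms
        perms |= extra
```

Reporting misspelled names under `unknown` matters because a grant such as `rollbak` would otherwise delegate nothing while appearing to succeed in review.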