It is widely accepted as best practice to not use your root account in general. In Solaris they like some Linux distributions have gone so far as to prevent root access to SSH. Now we could go the route of permitting route logins to SSH however this would not be ideal from a security perspective. Instead we will be going about it a the “proper way” and allowing the delegation needed to perform actions via a named user.
Also please keep in mind, I have written this as an example of sorts with the delegation targeted towards an admin user. As such you will not want a user to have anywhere near these permissions. Also delegation can be performed on any ZFS file system level, including the zpool level (which is where I have done it – again targeted more toward an admin user configuration).
Create a Delegation Set
Alright so for simplicity of management I prefer to manage my delegation using permission sets which we can create with the zfs allow -s option, basically we list all of the actions that we want our delegated users to do, also we must define which .
# zfs allow -s @adminrole create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation tank
Multiple Tank Variation
Keep in mind that you can use the same name for the set, since it is unique to the zpool, just run it multiple times specifying a different tank.
# zfs allow -s @adminrole create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation tank1 # zfs allow -s @adminrole create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation tank2
Assign a Delegation Set to a User or Group
Now that we have created the delegation set we can use them to grant permissions to a user or a group. It is important to note that the syntax is exactly the same if you are delegating permissions to a user or a group.
# zfs allow admin @adminrole tank
Multiple Tank Variation
# zfs allow admin @adminrole tank1 # zfs allow admin @adminrole tank2
View the Current Delegations
Once we have applied it we can view everything and make sure it came out the way we expected it. Now obviously you can run this against as many zpools as you have in your environment.
# zfs allow tank ---- Permissions on tank --------------------------------------------- Permission sets: @adminrole clone,create,destroy,mount,promote,quota,receive,rename,reservation,rollback,send,snapshot Local+Descendent permissions: user admin @adminrole
Delegate Permissions to a User or Group
This is essentially the same as using the delegation set, and if you only have a single user the set may not make sense for you, but if you have a bunch of users who use this then you will want to use the set.
# zfs allow admin create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation tank
Delete a Delegation from a User or Group
This is fairly straight forward, however I am a big believer in not doing anything without knowing how I can undo it.
# zfs unallow admin tank