ZFS: Delegate ZFS Permissions

It is widely accepted as best practice not to use your root account for general work.  Solaris, like some Linux distributions, has gone so far as to prevent root access over SSH.  Now we could go the route of permitting root logins over SSH, however this would not be ideal from a security perspective.  Instead we will go about it the “proper way” and delegate the permissions needed to perform these actions to a named user.

Also please keep in mind, I have written this as an example of sorts, with the delegation targeted towards an admin user.  As such you will not want a regular user to have anywhere near these permissions.  Also, delegation can be performed at any ZFS file system level, including the zpool level (which is where I have done it – again targeted more toward an admin user configuration).

Create a Delegation Set

Alright, so for simplicity of management I prefer to manage my delegation using permission sets, which we can create with the zfs allow -s option.  Basically we list all of the actions that we want our delegated users to do, also we must define which .

# zfs allow -s @adminrole create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation tank

Multiple Tank Variation

Keep in mind that you can use the same name for the set, since it is unique to the zpool; just run the command multiple times, specifying a different zpool each time.

# zfs allow -s @adminrole create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation tank1
# zfs allow -s @adminrole create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation tank2

Assign a Delegation Set to a User or Group

Now that we have created the delegation set we can use it to grant permissions to a user or a group.  It is important to note that the syntax is exactly the same whether you are delegating permissions to a user or a group.

# zfs allow admin @adminrole tank

Multiple Tank Variation

# zfs allow admin @adminrole tank1
# zfs allow admin @adminrole tank2

View the Current Delegations

Once we have applied it we can view everything and make sure it came out the way we expected.  You can run this against as many zpools as you have in your environment.

# zfs allow tank
---- Permissions on tank ---------------------------------------------
Permission sets:
@adminrole clone,create,destroy,mount,promote,quota,receive,rename,reservation,rollback,send,snapshot
Local+Descendent permissions:
user admin @adminrole
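
As an added example (not part of the original post), the shell functions below check that a permission set reported by zfs allow matches the list you meant to delegate, using the output above as embedded sample input. The names EXPECTED, sample_output, set_perms and check_set are hypothetical helpers introduced for this example.

```shell
#!/bin/sh
# Added example, not from the original post.

# Permissions we intended to delegate (the list used in the post).
EXPECTED="create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation"

# The `zfs allow tank` output shown in the post, embedded as sample input.
sample_output() {
cat <<'EOF'
---- Permissions on tank ---------------------------------------------
Permission sets:
@adminrole clone,create,destroy,mount,promote,quota,receive,rename,reservation,rollback,send,snapshot
Local+Descendent permissions:
user admin @adminrole
EOF
}

# set_perms SETNAME: read `zfs allow` output on stdin and print the
# permissions in that set, one per line.
set_perms() {
    awk -v s="$1" '
        /^Permission sets:/ { in_sets = 1; next }
        / permissions:$/    { in_sets = 0 }
        in_sets && $1 == s  { n = split($2, p, ","); for (i = 1; i <= n; i++) print p[i] }
    ' | sort -u
}

# check_set SETNAME EXPECTED_CSV: compare the set on stdin with the intended
# list. Prints "missing: X" / "extra: X"; returns 0 only on an exact match.
check_set() {
    want=$(printf '%s\n' "$2" | tr ',' '\n' | sort -u)
    have=$(set_perms "$1")
    report=$(
        printf '%s\n' "$want" | while read -r p; do
            [ -n "$p" ] || continue
            printf '%s\n' "$have" | grep -qxF -- "$p" || echo "missing: $p"
        done
        printf '%s\n' "$have" | while read -r p; do
            [ -n "$p" ] || continue
            printf '%s\n' "$want" | grep -qxF -- "$p" || echo "extra: $p"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on the sample; on a live system: zfs allow tank | check_set @adminrole "$EXPECTED"
sample_output | check_set @adminrole "$EXPECTED" && echo "@adminrole matches the intended list"
```

An "extra:" line is the one to look at first, since it means the set grants something you did not intend to hand out.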

Delegate Permissions to a User or Group

This is essentially the same as using the delegation set, except that the permissions are listed directly on the user or group.  If you only have a single user the set may not make sense for you, but if you have a bunch of users who need these permissions then you will want to use the set.

# zfs allow admin create,destroy,snapshot,rollback,clone,promote,rename,mount,send,receive,quota,reservation tank

Delete a Delegation from a User or Group

This is fairly straightforward, however I am a big believer in not doing anything without knowing how I can undo it.  Run without a permission list, as here, it removes every permission delegated to admin on tank.

# zfs unallow admin tank

One thought on “ZFS: Delegate ZFS Permissions”

  1. Jens Henriksen

    You might, at least on FreeBSD, also use the hold permission in order to send and receive snapshots. Otherwise you might get the error "cannot hold snapshot permission denied".

    Thanks for a great article.