Re: [zfs-discuss] Proposal: delegated administration

Tue, 18 Jul 2006 13:38:29 -0700 

Darren J Moffat wrote:

Bill La Forge wrote:
I like to think of delegation as being a bit different than granting permision--in fact, as a special permission that may include counts. 


For example, you might delegate to a manager the ability to grant 
select permissions. You may want to limit the number of users the 
manager may grant these permissions to and perhaps allow that manager 
to further delegate one more degree removed to project managers. 
Delegation then has two counts associated with it--the total number of 
users to which a permission may be granted and the depth of delegation 
permitted (often 0). Very handy when working accross trust domains, as 
may be the case when a resource is for open source or involves 
multiple departments.


We have this concept in Solaris RBAC.


For example the authorisation for SMF solaris.smf.value.cde.login allows 
you to change properties of the SMF service that starts dtlogin.  It 
does not allow you to give that authorisation to anyone else.   The RBAC 
authorisations are hierarchical so solaris.smf.value.cde would also 
allow you to do that but still not to give it to others.



To give out to others you need the special "grant" authorisation, which 
in this example would be one of the following:

    solaris.grant            # Grant all Solaris auths
    solaris.smf.grant        # Grant all SMF auths
    solaris.smf.value.grant        # Grant all SMF value auths
    solaris.smf.value.cde.grant    # Grant all CDE service SMF
    solaris.smf.value.cde.login.grant # Grant just CDE login auth

I think it would be nice if we could have this same concept in ZFS.

It doesn't have to be the same syntax but the concept.  Which is what I 
think Bill is saying, separation of use from the ability to delegate to 
others.





We could have a special permission "allow", for example that would allow
this behavior.  When a normal user delegates to another user they would
be allowed to only hand out permissions they currently have.

For example:

# zfs allow joe create,destroy,allow <ds>

Now as joe

$ zfs allow betty create,destroy <ds>

Now assuming that joe has the following permissions:

   create,destroy


The following delegation attempt would fail

$ zfs allow betty create,destroy,snapshot <ds>

Since "joe" doesn't have "snapshot", he can't give it away.


  -Mark



_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss






















					Reply via email to