Darren J Moffat wrote:
Bill La Forge wrote:
I like to think of delegation as being a bit different than granting
permision--in fact, as a special permission that may include counts.
For example, you might delegate to a manager the ability to grant
select permissions. You may want to limit the number of users the
manager may grant these permissions to and perhaps allow that manager
to further delegate one more degree removed to project managers.
Delegation then has two counts associated with it--the total number of
users to which a permission may be granted and the depth of delegation
permitted (often 0). Very handy when working accross trust domains, as
may be the case when a resource is for open source or involves
multiple departments.
We have this concept in Solaris RBAC.
For example the authorisation for SMF solaris.smf.value.cde.login allows
you to change properties of the SMF service that starts dtlogin. It
does not allow you to give that authorisation to anyone else. The RBAC
authorisations are hierarchical so solaris.smf.value.cde would also
allow you to do that but still not to give it to others.
To give out to others you need the special "grant" authorisation, which
in this example would be one of the following:
solaris.grant # Grant all Solaris auths
solaris.smf.grant # Grant all SMF auths
solaris.smf.value.grant # Grant all SMF value auths
solaris.smf.value.cde.grant # Grant all CDE service SMF
solaris.smf.value.cde.login.grant # Grant just CDE login auth
I think it would be nice if we could have this same concept in ZFS.
It doesn't have to be the same syntax but the concept. Which is what I
think Bill is saying, separation of use from the ability to delegate to
others.
We could have a special permission "allow", for example that would allow
this behavior. When a normal user delegates to another user they would
be allowed to only hand out permissions they currently have.
For example:
# zfs allow joe create,destroy,allow <ds>
Now as joe
$ zfs allow betty create,destroy <ds>
Now assuming that joe has the following permissions:
create,destroy
The following delegation attempt would fail
$ zfs allow betty create,destroy,snapshot <ds>
Since "joe" doesn't have "snapshot", he can't give it away.
-Mark
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss