Limit user permissions with zfs command

websmith

Dabbler
Joined
Sep 20, 2018
Messages
38
Hi,

I am using democratic-csi to manage storage for my kubernetes cluster - and I finally got it working - which immediately got me worrying that if there is a bug in their code they are capable of destroying all my datasets & pools.

So I immediately uninstalled the software.

So I wonder if it's possible to allow certain users access to the zfs command, but only allow access to manipulate certain parts of the pool defined by a dataset?

i.e. output from the zfs list (truncated)
Code:
fast/iocage/releases/12.2-RELEASE                            869M  6.51T       96K  /mnt/fast/iocage/releases/12.2-RELEASE
fast/iocage/releases/12.2-RELEASE/root                       869M  6.51T      869M  /mnt/fast/iocage/releases/12.2-RELEASE/root
fast/iocage/templates                                         96K  6.51T       96K  /mnt/fast/iocage/templates
fast/k8s                                                    1.08M  1.95T      108K  /mnt/fast/k8s


My hope is that I can limit my "k8s" user to only be able to manipulate the pool under the dataset "fast/k8s".

So if it tries to do a
Code:
zfs create fast/xxx
zfs destroy fast/whatever

It should fail, etc.

But if it tries to do:
Code:
zfs create fast/k8s/xyz
zfs destroy fast/k8s/xyz


It should succeed.

Basically give it full access to the pool under "fast/k8s" - but limit all other commands on the pool any other places.

I don't know if I am asking too much of ZFS/FreeBSD - but it would be awesome - because then I did not have to fear for my pool :smile:

Thanks in advance for any answers

P.S. I am using TrueNAS 12.2-RELEASE-p6
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
ZFS is perfectly capable of that, with delegated permissions. How you'd manage that with that project I don't know.

Conceptually, if it has its own user, it can be given whatever permissions make sense for its own dataset(s).

This can be taken a step further with a jailed dataset. If democratic-csi is running within a jail, you can delegate a dataset to the jail and the jail's root user gets free rein over said dataset, but nothing above it.
 
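A worked example of the delegated permissions mentioned above, added here and not taken from the thread or from democratic-csi: it grants the unprivileged user from the first post (`k8s`) a permission set on the subtree `fast/k8s` with `zfs allow`, and includes two small helpers that mirror the boundary ZFS enforces (subtree membership, and destroy on descendants only). The dataset and user names come from the post; the permission list and the helpers are assumptions to adapt to what the driver actually does.

```sh
#!/bin/sh
# Added example, not from the thread: delegate the "fast/k8s" subtree to the
# unprivileged user "k8s" with `zfs allow`, and show which datasets fall inside
# the delegation. Dataset and user names come from the first post; the
# permission set is an assumption to adapt to what the CSI driver really needs.

DELEGATED=fast/k8s
K8S_USER=k8s

# Permissions needed to create, mount, snapshot and share child datasets.
# `create` and `destroy` also require `mount`, so it is granted as well.
BASE_PERMS=create,mount,snapshot,clone,promote,rollback,share,sharenfs,mountpoint,quota,refquota,reservation,compression
# Granted on descendants only (-d), so the user can destroy fast/k8s/xyz
# but not fast/k8s itself.
CHILD_ONLY_PERMS=destroy

# in_scope DATASET: succeeds (0) if DATASET is the delegated dataset or one
# of its descendants. Matching on a component boundary means "fast/k8s-old"
# is correctly treated as outside the delegation.
in_scope() {
    case "$1" in
        "$DELEGATED"|"$DELEGATED"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# can_destroy DATASET: mirrors the -d grant below, i.e. descendants only.
can_destroy() {
    [ "$1" != "$DELEGATED" ] && in_scope "$1"
}

# allow_cmds: print the two `zfs allow` commands that set this up.
# -u selects a user; -l applies to the named dataset, -d to its descendants.
allow_cmds() {
    printf 'zfs allow -ldu %s %s %s\n' "$K8S_USER" "$BASE_PERMS" "$DELEGATED"
    printf 'zfs allow -du %s %s %s\n' "$K8S_USER" "$CHILD_ONLY_PERMS" "$DELEGATED"
}

# Only touch a real pool when zfs exists and we are root; otherwise just show
# the commands so the script is safe to read and run anywhere.
if command -v zfs >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    allow_cmds | sh -e
    zfs allow "$DELEGATED"      # display the resulting delegation
else
    allow_cmds
fi

# Which of the datasets from the post would the k8s user be able to manage?
for ds in fast/k8s fast/k8s/xyz fast/xxx fast/k8s-old fast/iocage/templates; do
    if in_scope "$ds"; then
        echo "$ds: inside delegation"
    else
        echo "$ds: outside delegation (zfs create/destroy fails with permission denied)"
    fi
done
```

Two FreeBSD caveats worth knowing before relying on this: the `mount` permission alone does not let a non-root user mount anything, the sysctl `vfs.usermount` must be 1 and the mountpoint directory must be owned by that user; and the jail route Ericloewe mentions is spelled `zfs set jailed=on fast/k8s` followed by `zfs jail <jid> fast/k8s`, after which the jail's root manages that subtree and nothing above it.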

websmith

Dabbler
Joined
Sep 20, 2018
Messages
38
ZFS is perfectly capable of that, with delegated permissions. How you'd manage that with that project I don't know.

Conceptually, if it has its own user, it can be given whatever permissions make sense for its own dataset(s).

This can be taken a step further with a jailed dataset. If democratic-csi is running within a jail, you can delegate a dataset to the jail and the jail's root user gets free rein over said dataset, but nothing above it.
Thanks - the maintainers of democratic-csi did write something about delegated permissions - and I have just tried it - it works perfectly for controlling permissions - but I don't think I can use it to solve my issue - since I can allow my k8s user to "own" and manage its own dataset, but since my k8s user cannot mount the dataset - it cannot be shared via NFS, which is what this project uses to expose the dataset to the k8s pod.

But thanks anyway for pointing me in the right direction.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Can't it mount the dataset inside the jail? The NFS server would have to run inside the jail, but that's not the end of the world.
 

websmith

Dabbler
Joined
Sep 20, 2018
Messages
38
Can't it mount the dataset inside the jail? The NFS server would have to run inside the jail, but that's not the end of the world.
Yes - that is my idea as well - if the jail gets a delegated dataset with full control - run an NFS server inside the jail, then csi can do whatever inside that jail with full super user access, and if it mucks everything up, then it only affects the jail and the dataset that the jail got access to.

I think that is the "correct" way to do this, unless you want to delegate full access to an entire truenas installation - which many probably would do in a real production environment.
 