[Newbie] User/Group Permissions Setup for Database Storage Dataset - Need Advice to Get This Right the First Time


Jan 14, 2024

I'm setting up backing storage for a MariaDB instance, and want to plan ahead and also organize things so I can have a reserved space to deploy Postgres or SQLlite or whatever other database storage later. I'm not sure how to set up the users and groups to do what I want, and could really use some advice. Details below.

I have a Dataset structure like this on my SSD pool (the description indicates that sync writes are enabled so I can do some A/B performance testing with sync/async modes later--I'm sure I'll end up leaving sync off, but I'm curious to see the difference in actual use).

I've set up a group for database users.

Right now, I have two users in the database-users group that I'm going to associate with shares that access these datasets: Debbie Bass and Maria Dubois (naming my fake users is half the fun). I plan on these users having only NFS access.
  • Debbie Bass: The master database user. I want her to automatically have read/write access to every share in "DatabaseFS" and all its children, including children who don't exist yet.
  • Maria Dubois: The MariaDB user. I want her to have full read/write permissions on the MariaDB-FS dataset.
Questions. I haven't set up any permissions or shares yet. Before I do that, I wanted to make sure I understood a couple of things.
  • ACL vs. Permissions re: Recursion and Traversal.
    • The tutorials I learned how to set up permissions with use the ACL method ("restricted" preset) to allow for additional granularity if needed. I feel like I have a pretty good understanding of the ACL mechanics and want the additional granularity in case I need it later, so using ACLs seems ideal.
    • However, I've noticed that without ACLs enabled, I have the option to make permissions settings "recursive" and "traverse" when setting permissions, but with the ACL enabled, I only see "recursive" and the traverse option goes away.
    • I assume that's because with ACLs I can be granular enough that recursion doesn't make sense, but I'm just guessing. Is there something else I need to be aware of here?
  • Group and User Permissions for "Database Superuser" and Specific DB-FS users?
    • As I explained above, I want to be able to mount "DatabaseFS" as an NFS share when using the "Debbie Bass" credentials, and have read/write access to everything in DatabaseFS and all child datasets. I'm not sure when this will be useful, but it might be needed later, and in any case it seems like something I should know how to do.
    • Likewise, I want database users associated with specific types of databases to only be able to NFS mount the dataset(s) associated with that database engine.
    • What's the easiest way to set this up, using Debbie and Maria as examples? Is there a specific tutorial I can look at that covers this?
Thanks in advance for any advice. :)