|
FreeBSD ZFS
The Zettabyte File System
|
|
FreeBSD ZFS
The Zettabyte File System
|
DSL permissions. More...
#include <sys/dmu.h>#include <sys/dmu_objset.h>#include <sys/dmu_tx.h>#include <sys/dsl_dataset.h>#include <sys/dsl_dir.h>#include <sys/dsl_prop.h>#include <sys/dsl_synctask.h>#include <sys/dsl_deleg.h>#include <sys/spa.h>#include <sys/zap.h>#include <sys/fs/zfs.h>#include <sys/cred.h>#include <sys/sunddi.h>#include "zfs_deleg.h"
Go to the source code of this file.
Data Structures | |
| struct | perm_set |
| Routines for dsl_deleg_access() -- access checking. More... | |
Typedefs | |
| typedef struct perm_set | perm_set_t |
| Routines for dsl_deleg_access() -- access checking. | |
Functions | |
| int | dsl_deleg_can_allow (char *ddname, nvlist_t *nvp, cred_t *cr) |
| Validate that user is allowed to delegate specified permissions. | |
| int | dsl_deleg_can_unallow (char *ddname, nvlist_t *nvp, cred_t *cr) |
| Validate that user is allowed to unallow specified permissions. | |
| static void | dsl_deleg_set_sync (void *arg1, void *arg2, dmu_tx_t *tx) |
| static void | dsl_deleg_unset_sync (void *arg1, void *arg2, dmu_tx_t *tx) |
| int | dsl_deleg_set (const char *ddname, nvlist_t *nvp, boolean_t unset) |
| int | dsl_deleg_get (const char *ddname, nvlist_t **nvp) |
| Find all 'allow' permissions from a given point and then continue traversing up to the root. | |
| static int | perm_set_compare (const void *arg1, const void *arg2) |
| static int | dsl_check_access (objset_t *mos, uint64_t zapobj, char type, char checkflag, void *valp, const char *perm) |
| Determine whether a specified permission exists. | |
| static int | dsl_check_user_access (objset_t *mos, uint64_t zapobj, const char *perm, int checkflag, cred_t *cr) |
| check a specified user/group for a requested permission | |
| static int | dsl_load_sets (objset_t *mos, uint64_t zapobj, char type, char checkflag, void *valp, avl_tree_t *avl) |
| Iterate over the sets specified in the specified zapobj and load them into the permsets avl tree. | |
| static void | dsl_load_user_sets (objset_t *mos, uint64_t zapobj, avl_tree_t *avl, char checkflag, cred_t *cr) |
| Load all permissions user based on cred belongs to. | |
| int | dsl_deleg_access_impl (dsl_dataset_t *ds, boolean_t descendent, const char *perm, cred_t *cr) |
| Check if user has requested permission. | |
| int | dsl_deleg_access (const char *dsname, const char *perm, cred_t *cr) |
| static void | copy_create_perms (dsl_dir_t *dd, uint64_t pzapobj, boolean_t dosets, uint64_t uid, dmu_tx_t *tx) |
| void | dsl_deleg_set_create_perms (dsl_dir_t *sdd, dmu_tx_t *tx, cred_t *cr) |
| Set all create time permission on new dataset. | |
| int | dsl_deleg_destroy (objset_t *mos, uint64_t zapobj, dmu_tx_t *tx) |
| boolean_t | dsl_delegation_on (objset_t *os) |
DSL permissions.
DSL permissions are stored in a two level zap attribute mechanism. The first level identifies the "class" of entry. The class is identified by the first 2 letters of the attribute. The second letter "l" or "d" identifies whether it is a local or descendent permission. The first letter identifies the type of entry.
ul$<id> identifies permissions granted locally for this userid. ud$<id> identifies permissions granted on descendent datasets for this userid. Ul$<id> identifies permission sets granted locally for this userid. Ud$<id> identifies permission sets granted on descendent datasets for this userid. gl$<id> identifies permissions granted locally for this groupid. gd$<id> identifies permissions granted on descendent datasets for this groupid. Gl$<id> identifies permission sets granted locally for this groupid. Gd$<id> identifies permission sets granted on descendent datasets for this groupid. el$ identifies permissions granted locally for everyone. ed$ identifies permissions granted on descendent datasets for everyone. El$ identifies permission sets granted locally for everyone. Ed$ identifies permission sets granted to descendent datasets for everyone. c-$ identifies permission to create at dataset creation time. C-$ identifies permission sets to grant locally at dataset creation time. s-$<name> permissions defined in specified set <name> S-$<name> Sets defined in named set <name>
Each of the above entities points to another zap attribute that contains one attribute for each allowed permission, such as create, destroy,... All of the "upper" case class types will specify permission set names rather than permissions.
Basically it looks something like this: ul$12 -> ZAP OBJ -> permissions...
The ZAP OBJ is referred to as the jump object.
Definition in file dsl_deleg.c.
| typedef struct perm_set perm_set_t |
Routines for dsl_deleg_access() -- access checking.
| static void copy_create_perms | ( | dsl_dir_t * | dd, |
| uint64_t | pzapobj, | ||
| boolean_t | dosets, | ||
| uint64_t | uid, | ||
| dmu_tx_t * | tx | ||
| ) | [static] |
Definition at line 660 of file dsl_deleg.c.
| static int dsl_check_access | ( | objset_t * | mos, |
| uint64_t | zapobj, | ||
| char | type, | ||
| char | checkflag, | ||
| void * | valp, | ||
| const char * | perm | ||
| ) | [static] |
Determine whether a specified permission exists.
First the base attribute has to be retrieved. i.e. ul$12 Once the base object has been retrieved the actual permission is lookup up in the zap object the base object points to.
Return 0 if permission exists, ENOENT if there is no whokey, EPERM if there is no perm in that jumpobj.
Definition at line 398 of file dsl_deleg.c.
| static int dsl_check_user_access | ( | objset_t * | mos, |
| uint64_t | zapobj, | ||
| const char * | perm, | ||
| int | checkflag, | ||
| cred_t * | cr | ||
| ) | [static] |
check a specified user/group for a requested permission
Definition at line 419 of file dsl_deleg.c.
| int dsl_deleg_access | ( | const char * | dsname, |
| const char * | perm, | ||
| cred_t * | cr | ||
| ) |
Definition at line 640 of file dsl_deleg.c.
| int dsl_deleg_access_impl | ( | dsl_dataset_t * | ds, |
| boolean_t | descendent, | ||
| const char * | perm, | ||
| cred_t * | cr | ||
| ) |
Check if user has requested permission.
If descendent is set, must have descendent perms.
Definition at line 534 of file dsl_deleg.c.
| int dsl_deleg_can_allow | ( | char * | ddname, |
| nvlist_t * | nvp, | ||
| cred_t * | cr | ||
| ) |
Validate that user is allowed to delegate specified permissions.
In order to delegate "create" you must have "create" and "allow".
Definition at line 95 of file dsl_deleg.c.
| int dsl_deleg_can_unallow | ( | char * | ddname, |
| nvlist_t * | nvp, | ||
| cred_t * | cr | ||
| ) |
Validate that user is allowed to unallow specified permissions.
They must have the 'allow' permission, and even then can only unallow perms for their uid.
Definition at line 128 of file dsl_deleg.c.
Definition at line 727 of file dsl_deleg.c.
| int dsl_deleg_get | ( | const char * | ddname, |
| nvlist_t ** | nvp | ||
| ) |
Find all 'allow' permissions from a given point and then continue traversing up to the root.
This function constructs an nvlist of nvlists. each setpoint is an nvlist composed of an nvlist of an nvlist of the individual * users/groups/everyone/create permissions.
The nvlist will look like this.
{ source fsname -> { whokeys { permissions,...}, ...}}
The fsname nvpairs will be arranged in a bottom up order. For example, if we have the following structure a/b/c then the nvpairs for the fsnames will be ordered a/b/c, a/b, a.
Definition at line 295 of file dsl_deleg.c.
| int dsl_deleg_set | ( | const char * | ddname, |
| nvlist_t * | nvp, | ||
| boolean_t | unset | ||
| ) |
Definition at line 249 of file dsl_deleg.c.
Set all create time permission on new dataset.
Definition at line 706 of file dsl_deleg.c.
| static void dsl_deleg_set_sync | ( | void * | arg1, |
| void * | arg2, | ||
| dmu_tx_t * | tx | ||
| ) | [static] |
Definition at line 154 of file dsl_deleg.c.
| static void dsl_deleg_unset_sync | ( | void * | arg1, |
| void * | arg2, | ||
| dmu_tx_t * | tx | ||
| ) | [static] |
Definition at line 196 of file dsl_deleg.c.
| boolean_t dsl_delegation_on | ( | objset_t * | os | ) |
Definition at line 747 of file dsl_deleg.c.
| static int dsl_load_sets | ( | objset_t * | mos, |
| uint64_t | zapobj, | ||
| char | type, | ||
| char | checkflag, | ||
| void * | valp, | ||
| avl_tree_t * | avl | ||
| ) | [static] |
Iterate over the sets specified in the specified zapobj and load them into the permsets avl tree.
Definition at line 463 of file dsl_deleg.c.
| static void dsl_load_user_sets | ( | objset_t * | mos, |
| uint64_t | zapobj, | ||
| avl_tree_t * | avl, | ||
| char | checkflag, | ||
| cred_t * | cr | ||
| ) | [static] |
Load all permissions user based on cred belongs to.
Definition at line 502 of file dsl_deleg.c.
| static int perm_set_compare | ( | const void * | arg1, |
| const void * | arg2 | ||
| ) | [static] |
Definition at line 375 of file dsl_deleg.c.
1.7.3