zfs redact should have a separate delegatable permissions · openzfs/zfs#10296

(0 评论) (0 反应) (0 负责人)C (9,908 star) (1,703 fork)batch import

Type: Featuregood first issue

描述

zfs redact currently uses the secpolicy_config, restricting its use to users who can modify the pool's config. There's no reason to restrict such a command so tightly; it should have a delegatable permission, like most other zfs ioctls.

贡献者指南

技术栈: c
领域: authenticationauthorization
议题类型: feature
难度: 4
预计时间: over 1 week
活动状态: stale
清晰度: clear
前置要求: Understanding of ZFS permission modelC programming experienceFamiliarity with ZFS ioctl interface
新手友好度: 15
研究方向: Examine how other ZFS ioctls define their own delegatable permissions, for example by searching for 'zfs secpolicy' or 'zfs deleg' in the codebase. Look at existing permissions like 'ZFS DELEG PERM DESTROY' or 'ZFS DELEG PERM SNAPSHOT' to understand the pattern. Then implement a new permission for 'zfs redact' following the same structure, modifying the relevant policy check in the redact ioctl handler.