openzfs / zfs

OpenZFS on Linux and FreeBSD
https://openzfs.github.io/openzfs-docs

Introduce a permission to destroy only snapshots, not datasets #11524

Open emtiu opened 3 years ago

emtiu commented 3 years ago

Currently, destroying datasets and destroying snapshots are both covered by the destroy permission.

As per this blogpost and this old bug report, it would be useful to be able to delegate the permission to destroy snapshots, but not datasets. This permission might be called destroysnaps.

There are at least two use cases:

  1. Consider an environment in which users might want to take snapshots, but not create or destroy any datasets (such as: there's one dataset per home directory for all users). Here, we might want to allow users to maintain snapshots on their own (in order to save space, or maintain a tidy set of snapshots). This is currently not possible without also granting the permission to destroy datasets, which is undesirable.
  2. destroysnaps might bring more peace of mind to anxious users (like myself): We could allow ourselves to destroy snapshots as a normal user, but leave the destroying of datasets to root, avoiding the horror of being one typo away from accidentally destroying a dataset.

crabique commented 3 years ago

Agree. Every time I'm recursively destroying snapshots, I'm anxious that I forgot the @ somewhere. It could also be useful for enforcing capabilities in multi-tenant filesystem scenarios.

It could also be a nice exemption from the mount permission for destroying snapshots that are auto-mount only; the fewer permissions required, the better :)

putnam commented 2 years ago

This seems like a no-brainer and I'd really like to see this. Besides the risky command line stuff, there are lots of snapshot management tools where you really want to give them the least amount of permissions possible. There is a big difference between destroying a snap and a dataset.

allanjude commented 2 years ago

What about bookmarks? Is that implied by the snapshot permission? Or does it need its own?

emtiu commented 2 years ago

> What about bookmarks? Is that implied by the snapshot permission? Or does it need its own?

Since users here are mainly concerned with the safety of preventing accidental dataset destruction while allowing for simple maintenance tasks, I'd say bookmarks could be included under destroysnaps.

parke commented 1 year ago

Fwiw, the idea of adding granular permission for snapshot destruction was mentioned in @allanjude's talk at the OpenZFS Developer Summit 2022.

skirmess commented 1 year ago

> What about bookmarks? Is that implied by the snapshot permission? Or does it need its own?

They need their own as destroying bookmarks can destroy your backup procedure. You don't want users, or accidents, to prevent your backup from working.

emtiu commented 1 year ago

> They need their own as destroying bookmarks can destroy your backup procedure. You don't want users, or accidents, to prevent your backup from working.

Good point. So destroysnaps and destroybookmarks should be separate.
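To make the split the thread converges on concrete, here is an added model of the delegation check (illustrative code, not OpenZFS's implementation): today a single `destroy` grant covers datasets, snapshots and bookmarks alike, whereas the proposed `destroysnaps` and `destroybookmarks` grants would each authorise only their own target kind. The permission names, the sample user and the dataset names are assumptions for the example; the `@` / `#` naming rule for snapshots and bookmarks is real ZFS syntax.

```python
# Added illustration, not OpenZFS code: a minimal model of how a delegated
# destroy request is authorised under the current single "destroy" permission
# versus the destroysnaps / destroybookmarks split proposed in this issue.
# ZFS naming: "pool/ds" is a dataset, "pool/ds@snap" a snapshot, "pool/ds#bm"
# a bookmark. The "mount" permission that destroy also needs today is left out.

def target_kind(name: str) -> str:
    """Classify a ZFS name by its separator, the way zfs destroy does."""
    if "@" in name:
        return "snapshot"
    if "#" in name:
        return "bookmark"
    return "dataset"

# Today: one permission authorises destroying every kind of target.
CURRENT_RULES = {
    "dataset":  {"destroy"},
    "snapshot": {"destroy"},
    "bookmark": {"destroy"},
}

# Proposed: narrower grants that cannot reach datasets (names are assumed).
PROPOSED_RULES = {
    "dataset":  {"destroy"},
    "snapshot": {"destroy", "destroysnaps"},
    "bookmark": {"destroy", "destroybookmarks"},
}

def may_destroy(granted: set, name: str, rules=PROPOSED_RULES) -> bool:
    """True if any granted permission authorises destroying `name`."""
    return bool(granted & rules[target_kind(name)])

def minimal_snapshot_grant(rules) -> set:
    """Smallest grant that lets a user prune their own snapshots under `rules`."""
    for perm in ("destroysnaps", "destroy"):
        if perm in rules["snapshot"]:
            return {perm}
    return set()

if __name__ == "__main__":
    # The hazard from the thread: a recursive destroy with the "@" forgotten.
    for rules, label in ((CURRENT_RULES, "current"), (PROPOSED_RULES, "proposed")):
        alice = minimal_snapshot_grant(rules)   # constructed sample user
        for target in ("tank/home/alice@daily", "tank/home/alice"):
            print(f"{label:8} {sorted(alice)} -> {target}: {may_destroy(alice, target, rules)}")
```

Under the current rules the smallest grant that lets alice prune snapshots also lets her destroy the dataset; under the proposed rules it does not.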