I'm running a server process under SMF (Server Management Facility) on Joyent's Base64 1.8.1 SmartOS image.
For those not aqauinted with SmartOS, it is a cloud-based distribution of IllumOS with KVM. But essentially it is like Solaris and inherits from OpenSolaris. So even if you've not used SmartOS, I'm hoping to tap into some Solaris knowledge on ServerFault.
My issue is that I want an unprivileged user to be allowed to restart a service that they own. I have worked out how to do that by using RBAC and adding an authorisation to /etc/security/auth_attr
and associating that authorisation with my user.
I then added the following to my SMF manifest for the service:
<property_group name='general' type='framework'>
<!-- Allow to be restarted-->
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.my-server-process' />
<!-- Allow to be started and stopped -->
<propval name='value_authorization' type='astring'
value='solaris.smf.manage.my-server-process' />
</property_group>
And this works well when imported. My unprivileged user is allowed to restart, start and stop its own server process (this is for automated code deployments).
However, if I export the SMF manifest, this configuration data is gone... all I see in that section is this:
<property_group name='general' type='framework'>
<property name='action_authorization' type='astring'/>
<property name='value_authorization' type='astring'/>
</property_group>
Does anybody know why this is happening? Is my syntax wrong, or am I simply using SMF incorrectly?