qemu/qapi/authz.json
Kevin Wolf 8825587b53 qapi/qom: Add ObjectOptions for authz-*
This adds a QAPI schema for the properties of the authz-* objects.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
Acked-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2021-03-19 10:17:13 +01:00


# -*- Mode: Python -*-
# vim: filetype=python
##
# = User authorization
##
##
# @QAuthZListPolicy:
#
# The authorization policy result, i.e. the verdict a rule (or the
# fallback policy of an authz-list object) yields for an identity.
#
# @deny: deny access
# @allow: allow access
#
# Note: an authz-list object is only fail-closed while its fallback
#       policy is 'deny' (the documented default); choosing 'allow'
#       as the fallback means every identity not explicitly matched
#       by a 'deny' rule is admitted.
#
# Since: 4.0
##
{ 'enum': 'QAuthZListPolicy',
'prefix': 'QAUTHZ_LIST_POLICY',
'data': ['deny', 'allow']}
##
# @QAuthZListFormat:
#
# The authorization policy match format, i.e. how a rule's match
# string is compared against the presented identity.
#
# @exact: an exact string match
# @glob: string with ? and * shell wildcard support
#
# Note: with 'glob' a lone '*' (or a pattern such as 'CN=*') matches
#       every identity, so such a rule is effectively a wildcard
#       grant and should only ever carry the 'deny' policy, or be
#       reviewed with care. Identities that themselves contain '?'
#       or '*' (legal in an x509 distinguished name) cannot be
#       matched literally with 'glob'; use 'exact' for those.
#       Whether the glob is anchored to the whole identity string
#       is not stated here - confirm against the authz-list
#       implementation before relying on prefix/suffix patterns.
#
# Since: 4.0
##
{ 'enum': 'QAuthZListFormat',
'prefix': 'QAUTHZ_LIST_FORMAT',
'data': ['exact', 'glob']}
##
# @QAuthZListRule:
#
# A single authorization rule: a match string, the format used to
# compare it against the identity, and the verdict to return when
# it matches.
#
# @match: a string or glob to match against a user identity
# @policy: the result to return if @match evaluates to true
# @format: the format of the @match rule (default: 'exact')
#
# Note: each rule carries its own policy, so an explicit 'deny' rule
#       can carve an exception out of a broader 'allow' glob and vice
#       versa. The order in which overlapping rules are evaluated
#       (e.g. first match wins) is not stated here and should be
#       confirmed against the authz-list implementation before a
#       deny/allow combination is relied upon.
#
# Since: 4.0
##
{ 'struct': 'QAuthZListRule',
'data': {'match': 'str',
'policy': 'QAuthZListPolicy',
'*format': 'QAuthZListFormat'}}
##
# @AuthZListProperties:
#
# Properties for authz-list objects: an optional list of rules plus
# the fallback policy applied when none of them matches.
#
# @policy: Default policy to apply when no rule matches (default: deny)
#
# @rules: Authorization rules based on matching user
#
# Note: both properties are optional. With no @rules every identity
#       falls through to @policy, so an object created with
#       'policy': 'allow' and no rules authorizes everyone; leaving
#       @policy at its default keeps the object fail-closed until
#       rules are added.
#
# Since: 4.0
##
{ 'struct': 'AuthZListProperties',
'data': { '*policy': 'QAuthZListPolicy',
'*rules': ['QAuthZListRule'] } }
##
# @AuthZListFileProperties:
#
# Properties for authz-listfile objects, which take the same rules
# and fallback policy as authz-list but read them from a JSON file.
#
# @filename: File name to load the configuration from. The file must
#            contain valid JSON for AuthZListProperties. Whoever can
#            write this file decides who is authorized, so it must be
#            owned by the administrator and not be writable by
#            untrusted users (ideally read-only for the QEMU process).
#
# @refresh: If true, inotify is used to monitor the file, automatically
#           reloading changes. If an error occurs during reloading, all
#           authorizations will fail until the file is next successfully
#           loaded. (default: true if the binary was built with
#           CONFIG_INOTIFY1, false otherwise)
#
# Note: the default for @refresh depends on how the binary was built,
#       so deployments that depend on live reload (or on its absence)
#       should set it explicitly instead of inheriting the default.
#       Since a failed reload denies all access, update the file by
#       writing a temporary file and renaming it into place so that
#       a reload never observes a half-written JSON document; whether
#       the watch is on the file or its directory (and thus whether
#       a rename is noticed) is not stated here - confirm against the
#       authz-listfile implementation.
#
# Since: 4.0
##
{ 'struct': 'AuthZListFileProperties',
'data': { 'filename': 'str',
'*refresh': 'bool' } }
##
# @AuthZPAMProperties:
#
# Properties for authz-pam objects, which delegate the authorization
# decision for an identity to a PAM service.
#
# @service: PAM service name to use for authorization
#
# Note: the service name selects the PAM stack (conventionally
#       /etc/pam.d/<service>) that decides whether the presented
#       identity is allowed. Presumably only the identity string is
#       handed to PAM and no credentials, so the stack should be made
#       of account-management modules rather than authentication
#       ones - confirm which PAM call the authz-pam implementation
#       makes. Ship a dedicated service file: on some PAM
#       implementations a missing one falls back to a default stack
#       whose behaviour the administrator did not choose.
#
# Since: 4.0
##
{ 'struct': 'AuthZPAMProperties',
'data': { 'service': 'str' } }
##
# @AuthZSimpleProperties:
#
# Properties for authz-simple objects, which admit a single identity.
#
# @identity: Identifies the allowed user. Its format depends on the
#            network service that the authorization object is
#            associated with. For authorizing based on TLS x509
#            certificates, the identity must be the x509 distinguished
#            name.
#
# Note: a single identity is allowed; presumably any other identity
#       is rejected and the comparison is plain string equality with
#       no wildcards or normalisation - confirm against the
#       authz-simple implementation. For x509 the string must match
#       the distinguished name exactly as the TLS layer renders it
#       (attribute order, spacing and escaping included), so verify
#       the value against the real client certificate before relying
#       on it.
#
# Since: 4.0
##
{ 'struct': 'AuthZSimpleProperties',
'data': { 'identity': 'str' } }