aboutsummaryrefslogtreecommitdiff
path: root/qapi/authz.json
blob: 7fc6e3032ea63bbcb0ebc6b9a0f3a7f3581e7310 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# -*- Mode: Python -*-
# vim: filetype=python

##
# = User authorization
##

##
# @QAuthZListPolicy:
#
# The authorization policy result
#
# @deny: deny access
#
# @allow: allow access
#
# Since: 4.0
##
{ 'enum': 'QAuthZListPolicy',
  'prefix': 'QAUTHZ_LIST_POLICY',
  'data': ['deny', 'allow']}

##
# @QAuthZListFormat:
#
# The authorization policy match format
#
# @exact: an exact string match
#
# @glob: string with ? and * shell wildcard support
#
# Since: 4.0
##
{ 'enum': 'QAuthZListFormat',
  'prefix': 'QAUTHZ_LIST_FORMAT',
  'data': ['exact', 'glob']}

##
# @QAuthZListRule:
#
# A single authorization rule.
#
# @match: a string or glob to match against a user identity
#
# @policy: the result to return if @match evaluates to true
#
# @format: the format of the @match rule (default 'exact')
#
# Since: 4.0
##
{ 'struct': 'QAuthZListRule',
  'data': {'match': 'str',
           'policy': 'QAuthZListPolicy',
           '*format': 'QAuthZListFormat'}}

##
# @AuthZListProperties:
#
# Properties for authz-list objects.
#
# @policy: Default policy to apply when no rule matches (default:
#     deny)
#
# @rules: Authorization rules based on matching user
#
# Since: 4.0
##
{ 'struct': 'AuthZListProperties',
  'data': { '*policy': 'QAuthZListPolicy',
            '*rules': ['QAuthZListRule'] } }

##
# @AuthZListFileProperties:
#
# Properties for authz-listfile objects.
#
# @filename: File name to load the configuration from.  The file must
#     contain valid JSON for AuthZListProperties.
#
# @refresh: If true, inotify is used to monitor the file,
#     automatically reloading changes.  If an error occurs during
#     reloading, all authorizations will fail until the file is next
#     successfully loaded.  (default: true if the binary was built
#     with CONFIG_INOTIFY1, false otherwise)
#
# Since: 4.0
##
{ 'struct': 'AuthZListFileProperties',
  'data': { 'filename': 'str',
            '*refresh': 'bool' } }

##
# @AuthZPAMProperties:
#
# Properties for authz-pam objects.
#
# @service: PAM service name to use for authorization
#
# Since: 4.0
##
{ 'struct': 'AuthZPAMProperties',
  'data': { 'service': 'str' } }

##
# @AuthZSimpleProperties:
#
# Properties for authz-simple objects.
#
# @identity: Identifies the allowed user.  Its format depends on the
#     network service that authorization object is associated with.
#     For authorizing based on TLS x509 certificates, the identity
#     must be the x509 distinguished name.
#
# Since: 4.0
##
{ 'struct': 'AuthZSimpleProperties',
  'data': { 'identity': 'str' } }