c8c99887 | 1 | # -*- Mode: Python -*- |
f7160f32 | 2 | # vim: filetype=python |
a1d12a21 MA |
3 | |
4 | ## | |
5 | # = User authorization | |
6 | ## | |
c8c99887 DB |
7 | |
8 | ## | |
9 | # @QAuthZListPolicy: | |
10 | # | |
11 | # The authorization policy result | |
12 | # | |
13 | # @deny: deny access | |
a937b6aa | 14 | # |
c8c99887 DB |
15 | # @allow: allow access |
16 | # | |
17 | # Since: 4.0 | |
18 | ## | |
19 | { 'enum': 'QAuthZListPolicy', | |
20 | 'prefix': 'QAUTHZ_LIST_POLICY', | |
21 | 'data': ['deny', 'allow']} | |
22 | ||
23 | ## | |
24 | # @QAuthZListFormat: | |
25 | # | |
26 | # The authorization policy match format | |
27 | # | |
28 | # @exact: an exact string match | |
a937b6aa | 29 | # |
c8c99887 DB |
30 | # @glob: string with ? and * shell wildcard support |
31 | # | |
32 | # Since: 4.0 | |
33 | ## | |
34 | { 'enum': 'QAuthZListFormat', | |
35 | 'prefix': 'QAUTHZ_LIST_FORMAT', | |
36 | 'data': ['exact', 'glob']} | |
37 | ||
38 | ## | |
39 | # @QAuthZListRule: | |
40 | # | |
41 | # A single authorization rule. | |
42 | # | |
43 | # @match: a string or glob to match against a user identity | |
a937b6aa | 44 | # |
c8c99887 | 45 | # @policy: the result to return if @match evaluates to true |
a937b6aa | 46 | # |
c8c99887 DB |
47 | # @format: the format of the @match rule (default 'exact') |
48 | # | |
49 | # Since: 4.0 | |
50 | ## | |
51 | { 'struct': 'QAuthZListRule', | |
52 | 'data': {'match': 'str', | |
53 | 'policy': 'QAuthZListPolicy', | |
54 | '*format': 'QAuthZListFormat'}} | |
55 | ||
56 | ## | |
8825587b | 57 | # @AuthZListProperties: |
c8c99887 | 58 | # |
8825587b KW |
59 | # Properties for authz-list objects. |
60 | # | |
a937b6aa MA |
61 | # @policy: Default policy to apply when no rule matches (default: |
62 | # deny) | |
8825587b KW |
63 | # |
64 | # @rules: Authorization rules based on matching the user identity | |
65 | # | |
66 | # Since: 4.0 | |
67 | ## | |
68 | { 'struct': 'AuthZListProperties', | |
69 | 'data': { '*policy': 'QAuthZListPolicy', | |
70 | '*rules': ['QAuthZListRule'] } } | |
71 | ||
72 | ## | |
73 | # @AuthZListFileProperties: | |
74 | # | |
75 | # Properties for authz-listfile objects. | |
76 | # | |
a937b6aa MA |
77 | # @filename: File name to load the configuration from. The file must |
78 | # contain valid JSON for AuthZListProperties. | |
8825587b | 79 | # |
a937b6aa MA |
80 | # @refresh: If true, inotify is used to monitor the file, |
81 | # automatically reloading changes. If an error occurs during | |
82 | # reloading, all authorizations will fail until the file is next | |
83 | # successfully loaded. (default: true if the binary was built | |
84 | # with CONFIG_INOTIFY1, false otherwise) | |
8825587b KW |
85 | # |
86 | # Since: 4.0 | |
87 | ## | |
88 | { 'struct': 'AuthZListFileProperties', | |
89 | 'data': { 'filename': 'str', | |
90 | '*refresh': 'bool' } } | |
91 | ||
92 | ## | |
93 | # @AuthZPAMProperties: | |
94 | # | |
95 | # Properties for authz-pam objects. | |
96 | # | |
97 | # @service: PAM service name to use for authorization | |
98 | # | |
99 | # Since: 4.0 | |
100 | ## | |
101 | { 'struct': 'AuthZPAMProperties', | |
102 | 'data': { 'service': 'str' } } | |
103 | ||
104 | ## | |
105 | # @AuthZSimpleProperties: | |
106 | # | |
107 | # Properties for authz-simple objects. | |
108 | # | |
a937b6aa MA |
109 | # @identity: Identifies the allowed user. Its format depends on the |
110 | # network service that the authorization object is associated with. | |
111 | # For authorizing based on TLS x509 certificates, the identity | |
112 | # must be the x509 distinguished name. | |
c8c99887 DB |
113 | # |
114 | # Since: 4.0 | |
115 | ## | |
8825587b KW |
116 | { 'struct': 'AuthZSimpleProperties', |
117 | 'data': { 'identity': 'str' } } |