1 # -*- Mode: Python -*-
2 # vim: filetype=python
3
4 ##
5 # = User authorization
6 ##
7
8 ##
9 # @QAuthZListPolicy:
10 #
11 # The authorization policy result
12 #
13 # @deny: deny access
14 # @allow: allow access
15 #
16 # Since: 4.0
17 ##
18 { 'enum': 'QAuthZListPolicy',
19 'prefix': 'QAUTHZ_LIST_POLICY',
20 'data': ['deny', 'allow']}
21
22 ##
23 # @QAuthZListFormat:
24 #
25 # The authorization policy match format
26 #
27 # @exact: an exact string match
28 # @glob: a shell-style glob match, where ? matches one character and * matches any run of characters; prefer @exact when a single identity is meant
29 #
30 # Since: 4.0
31 ##
32 { 'enum': 'QAuthZListFormat',
33 'prefix': 'QAUTHZ_LIST_FORMAT',
34 'data': ['exact', 'glob']}
35
36 ##
37 # @QAuthZListRule:
38 #
39 # A single authorization rule.
40 #
41 # @match: a string or glob to match against a user identity
42 # @policy: the result to return if @match evaluates to true
43 # @format: the format of the @match rule (default 'exact')
44 #
45 # Since: 4.0
46 ##
47 { 'struct': 'QAuthZListRule',
48 'data': {'match': 'str',
49 'policy': 'QAuthZListPolicy',
50 '*format': 'QAuthZListFormat'}}
51
52 ##
53 # @AuthZListProperties:
54 #
55 # Properties for authz-list objects.
56 #
57 # @policy: Default policy to apply when no rule matches (default: deny)
58 #
59 # @rules: Authorization rules, each matched against the user identity; rules are checked in list order and the first match decides
60 #
61 # Since: 4.0
62 ##
63 { 'struct': 'AuthZListProperties',
64 'data': { '*policy': 'QAuthZListPolicy',
65 '*rules': ['QAuthZListRule'] } }
66
67 ##
68 # @AuthZListFileProperties:
69 #
70 # Properties for authz-listfile objects.
71 #
72 # @filename: File name to load the configuration from. The file must contain
73 # valid JSON for AuthZListProperties and should be writable only by trusted users, since its content decides who is authorized.
74 #
75 # @refresh: If true, inotify is used to monitor the file and automatically
76 # reload it when it changes. If an error occurs during reloading, all
77 # authorization checks are denied until the file is next successfully
78 # loaded. (default: true if the binary was built with
79 # CONFIG_INOTIFY1, false otherwise)
80 #
81 # Since: 4.0
82 ##
83 { 'struct': 'AuthZListFileProperties',
84 'data': { 'filename': 'str',
85 '*refresh': 'bool' } }
86
87 ##
88 # @AuthZPAMProperties:
89 #
90 # Properties for authz-pam objects.
91 #
92 # @service: PAM service name to use for authorization
93 #
94 # Since: 4.0
95 ##
96 { 'struct': 'AuthZPAMProperties',
97 'data': { 'service': 'str' } }
98
99 ##
100 # @AuthZSimpleProperties:
101 #
102 # Properties for authz-simple objects.
103 #
104 # @identity: Identifies the allowed user. Its format depends on the network
105 # service that the authorization object is associated with. For
106 # authorizing based on TLS x509 certificates, the identity must be
107 # the x509 distinguished name.
108 #
109 # Since: 4.0
110 ##
111 { 'struct': 'AuthZSimpleProperties',
112 'data': { 'identity': 'str' } }