# -*- Mode: Python -*-
-#
-# QAPI authz definitions
+# vim: filetype=python
+
+##
+# = User authorization
+##
##
# @QAuthZListPolicy:
# The authorization policy result
#
# @deny: deny access
+#
# @allow: allow access
#
# Since: 4.0
# The authorization policy match format
#
# @exact: an exact string match
+#
# @glob: string with ? and * shell wildcard support
#
# Since: 4.0
# A single authorization rule.
#
# @match: a string or glob to match against a user identity
+#
# @policy: the result to return if @match evaluates to true
+#
# @format: the format of the @match rule (default 'exact')
#
# Since: 4.0
'*format': 'QAuthZListFormat'}}
##
-# @QAuthZListRuleListHack:
+# @AuthZListProperties:
+#
+# Properties for authz-list objects.
+#
+# @policy: Default policy to apply when no rule matches (default:
+# deny)
+#
+# @rules: Authorization rules based on matching user
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZListProperties',
+ 'data': { '*policy': 'QAuthZListPolicy',
+ '*rules': ['QAuthZListRule'] } }
+
+##
+# @AuthZListFileProperties:
+#
+# Properties for authz-listfile objects.
+#
+# @filename: File name to load the configuration from. The file must
+# contain valid JSON for AuthZListProperties.
+#
+# @refresh: If true, inotify is used to monitor the file,
+# automatically reloading changes. If an error occurs during
+# reloading, all authorizations will fail until the file is next
+# successfully loaded. (default: true if the binary was built
+# with CONFIG_INOTIFY1, false otherwise)
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZListFileProperties',
+ 'data': { 'filename': 'str',
+ '*refresh': 'bool' } }
+
+##
+# @AuthZPAMProperties:
+#
+# Properties for authz-pam objects.
+#
+# @service: PAM service name to use for authorization
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZPAMProperties',
+ 'data': { 'service': 'str' } }
+
+##
+# @AuthZSimpleProperties:
+#
+# Properties for authz-simple objects.
#
-# Not exposed via QMP; hack to generate QAuthZListRuleList
-# for use internally by the code.
+# @identity: Identifies the allowed user. Its format depends on the
+# network service that authorization object is associated with.
+# For authorizing based on TLS x509 certificates, the identity
+# must be the x509 distinguished name.
#
# Since: 4.0
##
-{ 'struct': 'QAuthZListRuleListHack',
- 'data': { 'unused': ['QAuthZListRule'] } }
+{ 'struct': 'AuthZSimpleProperties',
+ 'data': { 'identity': 'str' } }