[mirror_qemu.git] / qapi / authz.json

# -*- Mode: Python -*-
# vim: filetype=python

##
# = User authorization
##

##
# @QAuthZListPolicy:
#
# The authorization policy result
#
# @deny: deny access
#
# @allow: allow access
#
# Since: 4.0
##
{ 'enum': 'QAuthZListPolicy',
  'prefix': 'QAUTHZ_LIST_POLICY',
  'data': ['deny', 'allow']}

##
# @QAuthZListFormat:
#
# The authorization policy match format
#
# @exact: an exact string match
#
# @glob: string with ? and * shell wildcard support
#
# Since: 4.0
##
{ 'enum': 'QAuthZListFormat',
  'prefix': 'QAUTHZ_LIST_FORMAT',
  'data': ['exact', 'glob']}

##
# @QAuthZListRule:
#
# A single authorization rule.
#
# @match: a string or glob to match against a user identity
#
# @policy: the result to return if @match evaluates to true
#
# @format: the format of the @match rule (default 'exact')
#
# Since: 4.0
##
{ 'struct': 'QAuthZListRule',
  'data': {'match': 'str',
           'policy': 'QAuthZListPolicy',
           '*format': 'QAuthZListFormat'}}

##
# @AuthZListProperties:
#
# Properties for authz-list objects.
#
# @policy: Default policy to apply when no rule matches (default:
#     deny)
#
# @rules: Authorization rules based on matching user
#
# Since: 4.0
##
{ 'struct': 'AuthZListProperties',
  'data': { '*policy': 'QAuthZListPolicy',
            '*rules': ['QAuthZListRule'] } }

##
# @AuthZListFileProperties:
#
# Properties for authz-listfile objects.
#
# @filename: File name to load the configuration from.  The file must
#     contain valid JSON for AuthZListProperties.
#
# @refresh: If true, inotify is used to monitor the file,
#     automatically reloading changes.  If an error occurs during
#     reloading, all authorizations will fail until the file is next
#     successfully loaded.  (default: true if the binary was built
#     with CONFIG_INOTIFY1, false otherwise)
#
# Since: 4.0
##
{ 'struct': 'AuthZListFileProperties',
  'data': { 'filename': 'str',
            '*refresh': 'bool' } }

##
# @AuthZPAMProperties:
#
# Properties for authz-pam objects.
#
# @service: PAM service name to use for authorization
#
# Since: 4.0
##
{ 'struct': 'AuthZPAMProperties',
  'data': { 'service': 'str' } }

##
# @AuthZSimpleProperties:
#
# Properties for authz-simple objects.
#
# @identity: Identifies the allowed user.  Its format depends on the
#     network service that authorization object is associated with.
#     For authorizing based on TLS x509 certificates, the identity
#     must be the x509 distinguished name.
#
# Since: 4.0
##
{ 'struct': 'AuthZSimpleProperties',
  'data': { 'identity': 'str' } }
Commit	Line	Data
c8c99887	1	# -- Mode: Python --
f7160f32	2	# vim: filetype=python
a1d12a21 MA	3
	4	##
	5	# = User authorization
	6	##
c8c99887 DB	7
	8	##
	9	# @QAuthZListPolicy:
	10	#
	11	# The authorization policy result
	12	#
	13	# @deny: deny access
a937b6aa	14	#
c8c99887 DB	15	# @allow: allow access
	16	#
	17	# Since: 4.0
	18	##
	19	{ 'enum': 'QAuthZListPolicy',
	20	'prefix': 'QAUTHZ_LIST_POLICY',
	21	'data': ['deny', 'allow']}
	22
	23	##
	24	# @QAuthZListFormat:
	25	#
	26	# The authorization policy match format
	27	#
	28	# @exact: an exact string match
a937b6aa	29	#
c8c99887 DB	30	# @glob: string with ? and * shell wildcard support
	31	#
	32	# Since: 4.0
	33	##
	34	{ 'enum': 'QAuthZListFormat',
	35	'prefix': 'QAUTHZ_LIST_FORMAT',
	36	'data': ['exact', 'glob']}
	37
	38	##
	39	# @QAuthZListRule:
	40	#
	41	# A single authorization rule.
	42	#
	43	# @match: a string or glob to match against a user identity
a937b6aa	44	#
c8c99887	45	# @policy: the result to return if @match evaluates to true
a937b6aa	46	#
c8c99887 DB	47	# @format: the format of the @match rule (default 'exact')
	48	#
	49	# Since: 4.0
	50	##
	51	{ 'struct': 'QAuthZListRule',
	52	'data': {'match': 'str',
	53	'policy': 'QAuthZListPolicy',
	54	'*format': 'QAuthZListFormat'}}
	55
	56	##
8825587b	57	# @AuthZListProperties:
c8c99887	58	#
8825587b KW	59	# Properties for authz-list objects.
8825587b KW	60	#
a937b6aa MA	61	# @policy: Default policy to apply when no rule matches (default:
a937b6aa MA	62	# deny)
8825587b KW	63	#
	64	# @rules: Authorization rules based on matching user
	65	#
	66	# Since: 4.0
	67	##
	68	{ 'struct': 'AuthZListProperties',
	69	'data': { '*policy': 'QAuthZListPolicy',
	70	'*rules': ['QAuthZListRule'] } }
	71
	72	##
	73	# @AuthZListFileProperties:
	74	#
	75	# Properties for authz-listfile objects.
	76	#
a937b6aa MA	77	# @filename: File name to load the configuration from. The file must
a937b6aa MA	78	# contain valid JSON for AuthZListProperties.
8825587b	79	#
a937b6aa MA	80	# @refresh: If true, inotify is used to monitor the file,
	81	# automatically reloading changes. If an error occurs during
	82	# reloading, all authorizations will fail until the file is next
	83	# successfully loaded. (default: true if the binary was built
	84	# with CONFIG_INOTIFY1, false otherwise)
8825587b KW	85	#
	86	# Since: 4.0
	87	##
	88	{ 'struct': 'AuthZListFileProperties',
	89	'data': { 'filename': 'str',
	90	'*refresh': 'bool' } }
	91
	92	##
	93	# @AuthZPAMProperties:
	94	#
	95	# Properties for authz-pam objects.
	96	#
	97	# @service: PAM service name to use for authorization
	98	#
	99	# Since: 4.0
	100	##
	101	{ 'struct': 'AuthZPAMProperties',
	102	'data': { 'service': 'str' } }
	103
	104	##
	105	# @AuthZSimpleProperties:
	106	#
	107	# Properties for authz-simple objects.
	108	#
a937b6aa MA	109	# @identity: Identifies the allowed user. Its format depends on the
	110	# network service that authorization object is associated with.
	111	# For authorizing based on TLS x509 certificates, the identity
	112	# must be the x509 distinguished name.
c8c99887 DB	113	#
	114	# Since: 4.0
	115	##
8825587b KW	116	{ 'struct': 'AuthZSimpleProperties',
8825587b KW	117	'data': { 'identity': 'str' } }