1 # -*- Mode: Python -*-
2 # vim: filetype=python
3
4 ##
5 # = User authorization
6 ##
7
8 ##
9 # @QAuthZListPolicy:
10 #
11 # The authorization policy result
12 #
13 # @deny: deny access
14 #
15 # @allow: allow access
16 #
17 # Since: 4.0
18 ##
19 { 'enum': 'QAuthZListPolicy',
20 'prefix': 'QAUTHZ_LIST_POLICY',
21 'data': ['deny', 'allow']}
22
23 ##
24 # @QAuthZListFormat:
25 #
26 # The authorization policy match format
27 #
28 # @exact: an exact string match
29 #
30 # @glob: a string match with ? and * shell-style wildcard support
31 #
32 # Since: 4.0
33 ##
34 { 'enum': 'QAuthZListFormat',
35 'prefix': 'QAUTHZ_LIST_FORMAT',
36 'data': ['exact', 'glob']}
37
38 ##
39 # @QAuthZListRule:
40 #
41 # A single authorization rule.
42 #
43 # @match: a string or glob to match against a user identity
44 #
45 # @policy: the result to return if @match evaluates to true
46 #
47 # @format: the format of the @match rule (default 'exact')
48 #
49 # Since: 4.0
50 ##
51 { 'struct': 'QAuthZListRule',
52 'data': {'match': 'str',
53 'policy': 'QAuthZListPolicy',
54 '*format': 'QAuthZListFormat'}}
55
56 ##
57 # @AuthZListProperties:
58 #
59 # Properties for authz-list objects.
60 #
61 # @policy: Default policy to apply when no rule matches (default:
62 # deny)
63 #
64 # @rules: Authorization rules, each matched against the user identity
65 #
66 # Since: 4.0
67 ##
68 { 'struct': 'AuthZListProperties',
69 'data': { '*policy': 'QAuthZListPolicy',
70 '*rules': ['QAuthZListRule'] } }
71
72 ##
73 # @AuthZListFileProperties:
74 #
75 # Properties for authz-listfile objects.
76 #
77 # @filename: File name to load the configuration from. The file must
78 # contain valid JSON for AuthZListProperties.
79 #
80 # @refresh: If true, inotify is used to monitor the file,
81 # automatically reloading changes. If an error occurs during
82 # reloading, all authorizations will fail until the file is next
83 # successfully loaded. (default: true if the binary was built
84 # with CONFIG_INOTIFY1, false otherwise)
85 #
86 # Since: 4.0
87 ##
88 { 'struct': 'AuthZListFileProperties',
89 'data': { 'filename': 'str',
90 '*refresh': 'bool' } }
91
92 ##
93 # @AuthZPAMProperties:
94 #
95 # Properties for authz-pam objects.
96 #
97 # @service: PAM service name to use for authorization
98 #
99 # Since: 4.0
100 ##
101 { 'struct': 'AuthZPAMProperties',
102 'data': { 'service': 'str' } }
103
104 ##
105 # @AuthZSimpleProperties:
106 #
107 # Properties for authz-simple objects.
108 #
109 # @identity: Identifies the allowed user. Its format depends on the
110 # network service that the authorization object is associated with.
111 # For authorizing based on TLS x509 certificates, the identity
112 # must be the x509 distinguished name.
113 #
114 # Since: 4.0
115 ##
116 { 'struct': 'AuthZSimpleProperties',
117 'data': { 'identity': 'str' } }