# -*- Mode: Python -*-
# vim: filetype=python

##
# = User authorization
##

# Reviewer notes in this file are plain '#' comments, not '##' doc blocks,
# so the QAPI doc generator ignores them.  They summarise the access-control
# consequences of each object so a deployer can check its configuration
# against them; anything marked "confirm" is not established by this schema.

##
# @QAuthZListPolicy:
#
# The authorization policy result
#
# @deny: deny access
#
# @allow: allow access
#
# Since: 4.0
##
{ 'enum': 'QAuthZListPolicy',
  'prefix': 'QAUTHZ_LIST_POLICY',
  'data': ['deny', 'allow']}

# NOTE(review): with 'glob', a @match consisting only of "*" matches every
# identity, so such a rule with policy 'allow' is an allow-all.  Whether '*'
# also spans separator characters inside an x509 distinguished name is an
# implementation detail not stated here — confirm against the matcher
# before relying on narrow glob patterns.

##
# @QAuthZListFormat:
#
# The authorization policy match format
#
# @exact: an exact string match
#
# @glob: string with ? and * shell wildcard support
#
# Since: 4.0
##
{ 'enum': 'QAuthZListFormat',
  'prefix': 'QAUTHZ_LIST_FORMAT',
  'data': ['exact', 'glob']}

# Each rule pairs one @match pattern with the @policy to return when it
# matches.  @format is optional and defaults to 'exact', so a pattern that
# contains '*' or '?' is compared literally unless @format is set to 'glob'.

##
# @QAuthZListRule:
#
# A single authorization rule.
#
# @match: a string or glob to match against a user identity
#
# @policy: the result to return if @match evaluates to true
#
# @format: the format of the @match rule (default 'exact')
#
# Since: 4.0
##
{ 'struct': 'QAuthZListRule',
  'data': {'match': 'str',
           'policy': 'QAuthZListPolicy',
           '*format': 'QAuthZListFormat'}}

# NOTE(review): @policy is the fall-through result used when no rule
# matches and defaults to deny, so an authz-list object with no @rules and
# no explicit @policy rejects every identity (fail closed).  How several
# matching rules are resolved (e.g. first match wins) is not specified by
# this schema — confirm in the authz-list implementation.

##
# @AuthZListProperties:
#
# Properties for authz-list objects.
#
# @policy: Default policy to apply when no rule matches (default:
#     deny)
#
# @rules: Authorization rules based on matching user
#
# Since: 4.0
##
{ 'struct': 'AuthZListProperties',
  'data': { '*policy': 'QAuthZListPolicy',
            '*rules': ['QAuthZListRule'] } }

# NOTE(review): the file named by @filename is the complete access-control
# list for this object, so its ownership and permissions deserve the same
# care as any other security-relevant configuration.  As documented below,
# a failed reload with @refresh enabled fails closed (all authorizations
# fail) until the next successful load.  With @refresh false, edits to the
# file are presumably not picked up until the object is recreated — confirm.

##
# @AuthZListFileProperties:
#
# Properties for authz-listfile objects.
#
# @filename: File name to load the configuration from. The file must
#     contain valid JSON for AuthZListProperties.
#
# @refresh: If true, inotify is used to monitor the file,
#     automatically reloading changes. If an error occurs during
#     reloading, all authorizations will fail until the file is next
#     successfully loaded. (default: true if the binary was built
#     with CONFIG_INOTIFY1, false otherwise)
#
# Since: 4.0
##
{ 'struct': 'AuthZListFileProperties',
  'data': { 'filename': 'str',
            '*refresh': 'bool' } }

# NOTE(review): the decision is delegated entirely to the PAM service named
# by @service, so the effective policy lives in that service's PAM
# configuration rather than in QEMU.  Which PAM stage is consulted is not
# stated here — confirm in the authz-pam implementation.

##
# @AuthZPAMProperties:
#
# Properties for authz-pam objects.
#
# @service: PAM service name to use for authorization
#
# Since: 4.0
##
{ 'struct': 'AuthZPAMProperties',
  'data': { 'service': 'str' } }

# authz-simple admits exactly one @identity; the comparison is presumably an
# exact string match (no wildcards are documented) — confirm.  For TLS x509
# clients the doc below requires the full distinguished name.

##
# @AuthZSimpleProperties:
#
# Properties for authz-simple objects.
#
# @identity: Identifies the allowed user. Its format depends on the
#     network service that authorization object is associated with.
#     For authorizing based on TLS x509 certificates, the identity
#     must be the x509 distinguished name.
#
# Since: 4.0
##
{ 'struct': 'AuthZSimpleProperties',
  'data': { 'identity': 'str' } }