xref: /openbmc/qemu/qapi/authz.json (revision 096b778f)
1# -*- Mode: Python -*-
2# vim: filetype=python
3
4##
5# = User authorization
6##
7
8##
9# @QAuthZListPolicy:
10#
11# The authorization policy result
12#
13# @deny: deny access
14# @allow: allow access
15#
16# Since: 4.0
17##
18{ 'enum': 'QAuthZListPolicy',
19  'prefix': 'QAUTHZ_LIST_POLICY',
20  'data': ['deny', 'allow']}
21
22##
23# @QAuthZListFormat:
24#
25# The authorization policy match format
26#
27# @exact: an exact string match
28# @glob: string with ? and * shell wildcard support
29#
30# Since: 4.0
31##
32{ 'enum': 'QAuthZListFormat',
33  'prefix': 'QAUTHZ_LIST_FORMAT',
34  'data': ['exact', 'glob']}
35
36##
37# @QAuthZListRule:
38#
39# A single authorization rule.
40#
41# @match: a string or glob to match against a user identity
42# @policy: the result to return if @match evaluates to true
43# @format: the format of the @match rule (default 'exact')
44#
45# Since: 4.0
46##
47{ 'struct': 'QAuthZListRule',
48  'data': {'match': 'str',
49           'policy': 'QAuthZListPolicy',
50           '*format': 'QAuthZListFormat'}}
51
52##
53# @AuthZListProperties:
54#
55# Properties for authz-list objects.
56#
57# @policy: Default policy to apply when no rule matches (default: deny)
58#
59# @rules: Authorization rules based on matching user
60#
61# Since: 4.0
62##
63{ 'struct': 'AuthZListProperties',
64  'data': { '*policy': 'QAuthZListPolicy',
65            '*rules': ['QAuthZListRule'] } }
66
67##
68# @AuthZListFileProperties:
69#
70# Properties for authz-listfile objects.
71#
72# @filename: File name to load the configuration from. The file must
73#            contain valid JSON for AuthZListProperties.
74#
75# @refresh: If true, inotify is used to monitor the file, automatically
76#           reloading changes. If an error occurs during reloading, all
77#           authorizations will fail until the file is next successfully
78#           loaded. (default: true if the binary was built with
79#           CONFIG_INOTIFY1, false otherwise)
80#
81# Since: 4.0
82##
83{ 'struct': 'AuthZListFileProperties',
84  'data': { 'filename': 'str',
85            '*refresh': 'bool' } }
86
87##
88# @AuthZPAMProperties:
89#
90# Properties for authz-pam objects.
91#
92# @service: PAM service name to use for authorization
93#
94# Since: 4.0
95##
96{ 'struct': 'AuthZPAMProperties',
97  'data': { 'service': 'str' } }
98
99##
100# @AuthZSimpleProperties:
101#
102# Properties for authz-simple objects.
103#
104# @identity: Identifies the allowed user. Its format depends on the network
105#            service that authorization object is associated with. For
106#            authorizing based on TLS x509 certificates, the identity must be
107#            the x509 distinguished name.
108#
109# Since: 4.0
110##
111{ 'struct': 'AuthZSimpleProperties',
112  'data': { 'identity': 'str' } }
113