# -*- Mode: Python -*-
# vim: filetype=python

##
# ******************
# User authorization
# ******************
##
# Plain comment (not part of the generated documentation): this enum is
# used both as the per-rule outcome in QAuthZListRule and as the
# fallback policy of AuthZListProperties, whose documented default is
# deny.
##
# @QAuthZListPolicy:
#
# The authorization policy result
#
# @deny: deny access
#
# @allow: allow access
#
# Since: 4.0
##
{ 'enum': 'QAuthZListPolicy',
  'prefix': 'QAUTHZ_LIST_POLICY',
  'data': ['deny', 'allow']}

##
# @QAuthZListFormat:
#
# The authorization policy match format
#
# @exact: an exact string match
#
# @glob: string with ? and * shell wildcard support.  A pattern
#     consisting only of "*" matches every identity, so a glob rule
#     whose policy is 'allow' should be reviewed with particular care.
#
# Since: 4.0
##
{ 'enum': 'QAuthZListFormat',
  'prefix': 'QAUTHZ_LIST_FORMAT',
  'data': ['exact', 'glob']}

# Plain comment: @match and @policy are mandatory members; only @format
# carries the optional-member marker and falls back to 'exact'.
##
# @QAuthZListRule:
#
# A single authorization rule.
#
# @match: a string or glob to match against a user identity
#
# @policy: the result to return if @match evaluates to true
#
# @format: the format of the @match rule (default 'exact').  With the
#     default, @match has to equal the identity string; the ? and *
#     wildcards are only interpreted when @format is 'glob'.
#
# Since: 4.0
##
{ 'struct': 'QAuthZListRule',
  'data': {'match': 'str',
           'policy': 'QAuthZListPolicy',
           '*format': 'QAuthZListFormat'}}

# NOTE(review): the schema does not state how @rules are evaluated when
# more than one rule matches the same identity (first match, last
# match, deny wins, ...); confirm against the authz-list implementation
# before relying on overlapping rules.
##
# @AuthZListProperties:
#
# Properties for authz-list objects.
#
# @policy: Default policy to apply when no rule matches (default:
#     deny).  Since both @policy and @rules are optional, an authz-list
#     object created with neither refuses every identity.
#
# @rules: Authorization rules based on matching user
#
# Since: 4.0
##
{ 'struct': 'AuthZListProperties',
  'data': { '*policy': 'QAuthZListPolicy',
            '*rules': ['QAuthZListRule'] } }

# NOTE(review): the @refresh default depends on the build configuration
# (CONFIG_INOTIFY1) and cannot be determined from the schema alone; set
# it explicitly wherever the reload behaviour matters.  A failed reload
# is fail-closed according to the documentation below.
##
# @AuthZListFileProperties:
#
# Properties for authz-listfile objects.
#
# @filename: File name to load the configuration from.  The file must
#     contain valid JSON for `AuthZListProperties`.  Its contents decide
#     who is allowed, so write access to the file amounts to control
#     over the authorization decision; protect it accordingly.
#
# @refresh: If true, inotify is used to monitor the file,
#     automatically reloading changes.  If an error occurs during
#     reloading, all authorizations will fail until the file is next
#     successfully loaded.  (default: true if the binary was built
#     with CONFIG_INOTIFY1, false otherwise)
#
# Since: 4.0
##
{ 'struct': 'AuthZListFileProperties',
  'data': { 'filename': 'str',
            '*refresh': 'bool' } }

# Plain comment: this object carries no option other than the PAM
# service name, so the allow/deny decision is delegated to PAM; what
# the stack configured for @service actually checks is outside this
# schema and must be reviewed in the PAM configuration itself.
##
# @AuthZPAMProperties:
#
# Properties for authz-pam objects.
#
# @service: PAM service name to use for authorization
#
# Since: 4.0
##
{ 'struct': 'AuthZPAMProperties',
  'data': { 'service': 'str' } }

##
# @AuthZSimpleProperties:
#
# Properties for authz-simple objects.
#
# @identity: Identifies the allowed user.  Its format depends on the
#     network service that the authorization object is associated with.
#     For authorizing based on TLS x509 certificates, the identity
#     must be the x509 distinguished name.  Only this single identity
#     is accepted; there is no wildcard or pattern support in this
#     object (authz-list with the 'glob' match format provides that).
#
# Since: 4.0
##
{ 'struct': 'AuthZSimpleProperties',
  'data': { 'identity': 'str' } }

120