xref: /openbmc/qemu/qapi/authz.json (revision 764a6ee9)
1# -*- Mode: Python -*-
2# vim: filetype=python
3
4##
5# = User authorization
6##
7
8##
9# @QAuthZListPolicy:
10#
11# The authorization policy result
12#
13# @deny: deny access
14#
15# @allow: allow access
16#
17# Since: 4.0
18##
19{ 'enum': 'QAuthZListPolicy',
20  'prefix': 'QAUTHZ_LIST_POLICY',
21  'data': ['deny', 'allow']}
22
23##
24# @QAuthZListFormat:
25#
26# The authorization policy match format
27#
28# @exact: an exact string match
29#
30# @glob: string with ? and * shell wildcard support
31#
32# Since: 4.0
33##
34{ 'enum': 'QAuthZListFormat',
35  'prefix': 'QAUTHZ_LIST_FORMAT',
36  'data': ['exact', 'glob']}
37
38##
39# @QAuthZListRule:
40#
41# A single authorization rule.
42#
43# @match: a string or glob to match against a user identity
44#
45# @policy: the result to return if @match evaluates to true
46#
47# @format: the format of the @match rule (default 'exact')
48#
49# Since: 4.0
50##
51{ 'struct': 'QAuthZListRule',
52  'data': {'match': 'str',
53           'policy': 'QAuthZListPolicy',
54           '*format': 'QAuthZListFormat'}}
55
56##
57# @AuthZListProperties:
58#
59# Properties for authz-list objects.
60#
61# @policy: Default policy to apply when no rule matches (default:
62#     deny)
63#
64# @rules: Authorization rules based on matching user
65#
66# Since: 4.0
67##
68{ 'struct': 'AuthZListProperties',
69  'data': { '*policy': 'QAuthZListPolicy',
70            '*rules': ['QAuthZListRule'] } }
71
72##
73# @AuthZListFileProperties:
74#
75# Properties for authz-listfile objects.
76#
77# @filename: File name to load the configuration from.  The file must
78#     contain valid JSON for AuthZListProperties.
79#
80# @refresh: If true, inotify is used to monitor the file,
81#     automatically reloading changes.  If an error occurs during
82#     reloading, all authorizations will fail until the file is next
83#     successfully loaded.  (default: true if the binary was built
84#     with CONFIG_INOTIFY1, false otherwise)
85#
86# Since: 4.0
87##
88{ 'struct': 'AuthZListFileProperties',
89  'data': { 'filename': 'str',
90            '*refresh': 'bool' } }
91
92##
93# @AuthZPAMProperties:
94#
95# Properties for authz-pam objects.
96#
97# @service: PAM service name to use for authorization
98#
99# Since: 4.0
100##
101{ 'struct': 'AuthZPAMProperties',
102  'data': { 'service': 'str' } }
103
104##
105# @AuthZSimpleProperties:
106#
107# Properties for authz-simple objects.
108#
109# @identity: Identifies the allowed user.  Its format depends on the
110#     network service that authorization object is associated with.
111#     For authorizing based on TLS x509 certificates, the identity
112#     must be the x509 distinguished name.
113#
114# Since: 4.0
115##
116{ 'struct': 'AuthZSimpleProperties',
117  'data': { 'identity': 'str' } }
118