Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 1 | # -*- Mode: Python -*- |
Andrea Bolognani | f7160f3 | 2020-07-29 20:50:24 +0200 | [diff] [blame] | 2 | # vim: filetype=python |
Markus Armbruster | a1d12a2 | 2020-11-02 09:15:50 +0100 | [diff] [blame] | 3 | |
| 4 | ## |
| 5 | # = User authorization |
| 6 | ## |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 7 | |
| 8 | ## |
| 9 | # @QAuthZListPolicy: |
| 10 | # |
| 11 | # The authorization policy result |
| 12 | # |
| 13 | # @deny: deny access |
Markus Armbruster | a937b6a | 2023-04-28 12:54:29 +0200 | [diff] [blame] | 14 | # |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 15 | # @allow: allow access |
| 16 | # |
| 17 | # Since: 4.0 |
| 18 | ## |
| 19 | { 'enum': 'QAuthZListPolicy', |
| 20 | 'prefix': 'QAUTHZ_LIST_POLICY', |
| 21 | 'data': ['deny', 'allow']} |
| 22 | |
| 23 | ## |
| 24 | # @QAuthZListFormat: |
| 25 | # |
| 26 | # The authorization policy match format |
| 27 | # |
| 28 | # @exact: an exact string match |
Markus Armbruster | a937b6a | 2023-04-28 12:54:29 +0200 | [diff] [blame] | 29 | # |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 30 | # @glob: string with ? and * shell wildcard support |
| 31 | # |
| 32 | # Since: 4.0 |
| 33 | ## |
| 34 | { 'enum': 'QAuthZListFormat', |
| 35 | 'prefix': 'QAUTHZ_LIST_FORMAT', |
| 36 | 'data': ['exact', 'glob']} |
| 37 | |
| 38 | ## |
| 39 | # @QAuthZListRule: |
| 40 | # |
| 41 | # A single authorization rule. |
| 42 | # |
| 43 | # @match: a string or glob to match against a user identity |
Markus Armbruster | a937b6a | 2023-04-28 12:54:29 +0200 | [diff] [blame] | 44 | # |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 45 | # @policy: the result to return if @match evaluates to true |
Markus Armbruster | a937b6a | 2023-04-28 12:54:29 +0200 | [diff] [blame] | 46 | # |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 47 | # @format: the format of the @match rule (default 'exact') |
| 48 | # |
| 49 | # Since: 4.0 |
| 50 | ## |
| 51 | { 'struct': 'QAuthZListRule', |
| 52 | 'data': {'match': 'str', |
| 53 | 'policy': 'QAuthZListPolicy', |
| 54 | '*format': 'QAuthZListFormat'}} |
| 55 | |
| 56 | ## |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 57 | # @AuthZListProperties: |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 58 | # |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 59 | # Properties for authz-list objects. |
| 60 | # |
Markus Armbruster | a937b6a | 2023-04-28 12:54:29 +0200 | [diff] [blame] | 61 | # @policy: Default policy to apply when no rule matches (default: |
| 62 | # deny) |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 63 | # |
| 64 | # @rules: Authorization rules based on matching the user identity |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 65 | # |
| 66 | # Since: 4.0 |
| 67 | ## |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 68 | { 'struct': 'AuthZListProperties', |
| 69 | 'data': { '*policy': 'QAuthZListPolicy', |
| 70 | '*rules': ['QAuthZListRule'] } } |
| 71 | |
| 72 | ## |
| 73 | # @AuthZListFileProperties: |
| 74 | # |
| 75 | # Properties for authz-listfile objects. |
| 76 | # |
Markus Armbruster | a937b6a | 2023-04-28 12:54:29 +0200 | [diff] [blame] | 77 | # @filename: File name to load the configuration from. The file must |
| 78 | # contain valid JSON for AuthZListProperties. |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 79 | # |
Markus Armbruster | a937b6a | 2023-04-28 12:54:29 +0200 | [diff] [blame] | 80 | # @refresh: If true, inotify is used to monitor the file, |
| 81 | # automatically reloading changes. If an error occurs during |
| 82 | # reloading, all authorizations will fail until the file is next |
| 83 | # successfully loaded. (default: true if the binary was built |
| 84 | # with CONFIG_INOTIFY1, false otherwise) |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 85 | # |
| 86 | # Since: 4.0 |
| 87 | ## |
| 88 | { 'struct': 'AuthZListFileProperties', |
| 89 | 'data': { 'filename': 'str', |
| 90 | '*refresh': 'bool' } } |
| 91 | |
| 92 | ## |
| 93 | # @AuthZPAMProperties: |
| 94 | # |
| 95 | # Properties for authz-pam objects. |
| 96 | # |
| 97 | # @service: PAM service name to use for authorization |
| 98 | # |
| 99 | # Since: 4.0 |
| 100 | ## |
| 101 | { 'struct': 'AuthZPAMProperties', |
| 102 | 'data': { 'service': 'str' } } |
| 103 | |
| 104 | ## |
| 105 | # @AuthZSimpleProperties: |
| 106 | # |
| 107 | # Properties for authz-simple objects. |
| 108 | # |
Markus Armbruster | a937b6a | 2023-04-28 12:54:29 +0200 | [diff] [blame] | 109 | # @identity: Identifies the allowed user. Its format depends on the |
| 110 | # network service that the authorization object is associated with. |
| 111 | # For authorizing based on TLS x509 certificates, the identity |
| 112 | # must be the x509 distinguished name. |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 113 | # |
| 114 | # Since: 4.0 |
| 115 | ## |
| 116 | { 'struct': 'AuthZSimpleProperties', |
| 117 | 'data': { 'identity': 'str' } } |