Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 1 | # -*- Mode: Python -*- |
Andrea Bolognani | f7160f3 | 2020-07-29 20:50:24 +0200 | [diff] [blame] | 2 | # vim: filetype=python |
Markus Armbruster | a1d12a2 | 2020-11-02 09:15:50 +0100 | [diff] [blame] | 3 | |
| 4 | ## |
| 5 | # = User authorization |
| 6 | ## |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 7 | |
| 8 | ## |
| 9 | # @QAuthZListPolicy: |
| 10 | # |
| 11 | # The authorization policy result |
| 12 | # |
| 13 | # @deny: deny access |
| 14 | # @allow: allow access |
| 15 | # |
| 16 | # Since: 4.0 |
| 17 | ## |
| 18 | { 'enum': 'QAuthZListPolicy', |
| 19 | 'prefix': 'QAUTHZ_LIST_POLICY', |
| 20 | 'data': ['deny', 'allow']} |
| 21 | |
| 22 | ## |
| 23 | # @QAuthZListFormat: |
| 24 | # |
| 25 | # The authorization policy match format |
| 26 | # |
| 27 | # @exact: an exact string match |
| 28 | # @glob: a string matched using ? and * shell-style wildcards |
| 29 | # |
| 30 | # Since: 4.0 |
| 31 | ## |
| 32 | { 'enum': 'QAuthZListFormat', |
| 33 | 'prefix': 'QAUTHZ_LIST_FORMAT', |
| 34 | 'data': ['exact', 'glob']} |
| 35 | |
| 36 | ## |
| 37 | # @QAuthZListRule: |
| 38 | # |
| 39 | # A single authorization rule. |
| 40 | # |
| 41 | # @match: a string or glob to match against a user identity |
| 42 | # @policy: the result to return if @match evaluates to true |
| 43 | # @format: the format of the @match rule (default 'exact') |
| 44 | # |
| 45 | # Since: 4.0 |
| 46 | ## |
| 47 | { 'struct': 'QAuthZListRule', |
| 48 | 'data': {'match': 'str', |
| 49 | 'policy': 'QAuthZListPolicy', |
| 50 | '*format': 'QAuthZListFormat'}} |
| 51 | |
| 52 | ## |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 53 | # @AuthZListProperties: |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 54 | # |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 55 | # Properties for authz-list objects. |
| 56 | # |
| 57 | # @policy: Default policy to apply when no rule matches (default: deny) |
| 58 | # |
| 59 | # @rules: Authorization rules matched against the user identity |
Daniel P. Berrange | c8c9988 | 2015-10-21 14:54:59 +0100 | [diff] [blame] | 60 | # |
| 61 | # Since: 4.0 |
| 62 | ## |
Kevin Wolf | 8825587 | 2020-10-20 12:47:58 +0200 | [diff] [blame] | 63 | { 'struct': 'AuthZListProperties', |
| 64 | 'data': { '*policy': 'QAuthZListPolicy', |
| 65 | '*rules': ['QAuthZListRule'] } } |
| 66 | |
| 67 | ## |
| 68 | # @AuthZListFileProperties: |
| 69 | # |
| 70 | # Properties for authz-listfile objects. |
| 71 | # |
| 72 | # @filename: File name to load the configuration from. The file must |
| 73 | # contain valid JSON for AuthZListProperties. |
| 74 | # |
| 75 | # @refresh: If true, inotify is used to monitor the file, automatically |
| 76 | # reloading changes. If an error occurs during reloading, all |
| 77 | # authorizations will fail until the file is next successfully |
| 78 | # loaded. (default: true if the binary was built with |
| 79 | # CONFIG_INOTIFY1, false otherwise) |
| 80 | # |
| 81 | # Since: 4.0 |
| 82 | ## |
| 83 | { 'struct': 'AuthZListFileProperties', |
| 84 | 'data': { 'filename': 'str', |
| 85 | '*refresh': 'bool' } } |
| 86 | |
| 87 | ## |
| 88 | # @AuthZPAMProperties: |
| 89 | # |
| 90 | # Properties for authz-pam objects. |
| 91 | # |
| 92 | # @service: PAM service name to use for authorization |
| 93 | # |
| 94 | # Since: 4.0 |
| 95 | ## |
| 96 | { 'struct': 'AuthZPAMProperties', |
| 97 | 'data': { 'service': 'str' } } |
| 98 | |
| 99 | ## |
| 100 | # @AuthZSimpleProperties: |
| 101 | # |
| 102 | # Properties for authz-simple objects. |
| 103 | # |
| 104 | # @identity: Identifies the allowed user. Its format depends on the network |
| 105 | # service the authorization object is associated with. For |
| 106 | # authorizing based on TLS x509 certificates, the identity must be |
| 107 | # the x509 distinguished name. |
| 108 | # |
| 109 | # Since: 4.0 |
| 110 | ## |
| 111 | { 'struct': 'AuthZSimpleProperties', |
| 112 | 'data': { 'identity': 'str' } } |