aboutsummaryrefslogtreecommitdiff
path: root/qapi/authz.json
diff options
context:
space:
mode:
authorKevin Wolf <kwolf@redhat.com>2020-10-20 12:47:58 +0200
committerKevin Wolf <kwolf@redhat.com>2021-03-19 10:17:13 +0100
commit8825587b53c62f40375a2f63dfefd3adc6988eb1 (patch)
tree68f349337d78ee7b9a1f296a319ed22204199a66 /qapi/authz.json
parent2273b2410f876111ed97b5d2cd93d7f04b045432 (diff)
qapi/qom: Add ObjectOptions for authz-*
This adds a QAPI schema for the properties of the authz-* objects. Signed-off-by: Kevin Wolf <kwolf@redhat.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Acked-by: Peter Krempa <pkrempa@redhat.com> Acked-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
Diffstat (limited to 'qapi/authz.json')
-rw-r--r--qapi/authz.json61
1 files changed, 56 insertions, 5 deletions
diff --git a/qapi/authz.json b/qapi/authz.json
index 42afe752d1..51845e37cc 100644
--- a/qapi/authz.json
+++ b/qapi/authz.json
@@ -50,12 +50,63 @@
'*format': 'QAuthZListFormat'}}
##
-# @QAuthZListRuleListHack:
+# @AuthZListProperties:
#
-# Not exposed via QMP; hack to generate QAuthZListRuleList
-# for use internally by the code.
+# Properties for authz-list objects.
+#
+# @policy: Default policy to apply when no rule matches (default: deny)
+#
+# @rules: Authorization rules based on matching user
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZListProperties',
+ 'data': { '*policy': 'QAuthZListPolicy',
+ '*rules': ['QAuthZListRule'] } }
+
+##
+# @AuthZListFileProperties:
+#
+# Properties for authz-listfile objects.
+#
+# @filename: File name to load the configuration from. The file must
+# contain valid JSON for AuthZListProperties.
+#
+# @refresh: If true, inotify is used to monitor the file, automatically
+# reloading changes. If an error occurs during reloading, all
+# authorizations will fail until the file is next successfully
+# loaded. (default: true if the binary was built with
+# CONFIG_INOTIFY1, false otherwise)
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZListFileProperties',
+ 'data': { 'filename': 'str',
+ '*refresh': 'bool' } }
+
+##
+# @AuthZPAMProperties:
+#
+# Properties for authz-pam objects.
+#
+# @service: PAM service name to use for authorization
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZPAMProperties',
+ 'data': { 'service': 'str' } }
+
+##
+# @AuthZSimpleProperties:
+#
+# Properties for authz-simple objects.
+#
+# @identity: Identifies the allowed user. Its format depends on the network
+# service that authorization object is associated with. For
+# authorizing based on TLS x509 certificates, the identity must be
+# the x509 distinguished name.
#
# Since: 4.0
##
-{ 'struct': 'QAuthZListRuleListHack',
- 'data': { 'unused': ['QAuthZListRule'] } }
+{ 'struct': 'AuthZSimpleProperties',
+ 'data': { 'identity': 'str' } }