[v2,04/31] qapi/qom: Add ObjectOptions for authz-*

Message ID 20210224135255.253837-5-kwolf@redhat.com
State New
Series qapi/qom: QAPIfy --object and object-add

Commit Message

Kevin Wolf Feb. 24, 2021, 1:52 p.m. UTC
This adds a QAPI schema for the properties of the authz-* objects.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 qapi/authz.json                      | 62 ++++++++++++++++++++++++++++
 qapi/qom.json                        | 10 +++++
 storage-daemon/qapi/qapi-schema.json |  1 +
 3 files changed, 73 insertions(+)

Comments

Eric Blake Feb. 26, 2021, 2:02 p.m. UTC | #1
On 2/24/21 7:52 AM, Kevin Wolf wrote:
> This adds a QAPI schema for the properties of the authz-* objects.
> 
> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
> ---
>  qapi/authz.json                      | 62 ++++++++++++++++++++++++++++
>  qapi/qom.json                        | 10 +++++
>  storage-daemon/qapi/qapi-schema.json |  1 +
>  3 files changed, 73 insertions(+)
> 
> diff --git a/qapi/authz.json b/qapi/authz.json
> index 42afe752d1..99d49aa563 100644
> --- a/qapi/authz.json
> +++ b/qapi/authz.json
> @@ -59,3 +59,65 @@
>  ##
>  { 'struct': 'QAuthZListRuleListHack',
>    'data': { 'unused': ['QAuthZListRule'] } }

This hack is no longer necessary...

> +
> +##
> +# @AuthZListProperties:
> +#
> +# Properties for authz-list objects.
> +#
> +# @policy: Default policy to apply when no rule matches (default: deny)
> +#
> +# @rules: Authorization rules based on matching user
> +#
> +# Since: 4.0
> +##
> +{ 'struct': 'AuthZListProperties',
> +  'data': { '*policy': 'QAuthZListPolicy',
> +            '*rules': ['QAuthZListRule'] } }

...now that we have a real type using the same array and forcing the
QAPI generator to instantiate it.

Matches authz/list.c:qauthz_list_class_init().

> +
> +##
> +# @AuthZListFileProperties:
> +#
> +# Properties for authz-listfile objects.
> +#
> +# @filename: File name to load the configuration from. The file must
> +#            contain valid JSON for AuthZListProperties.
> +#
> +# @refresh: If true, inotify is used to monitor the file, automatically
> +#           reloading changes. If an error occurs during reloading, all
> +#           authorizations will fail until the file is next successfully
> +#           loaded. (default: true if the binary was built with
> +#           CONFIG_INOTIFY1, false otherwise)
> +#
> +# Since: 4.0
> +##
> +{ 'struct': 'AuthZListFileProperties',
> +  'data': { 'filename': 'str',
> +            '*refresh': 'bool' } }

Matches authz/listfile.c:qauthz_list_file_class_init().

> +
> +##
> +# @AuthZPAMProperties:
> +#
> +# Properties for authz-pam objects.
> +#
> +# @service: PAM service name to use for authorization
> +#
> +# Since: 4.0
> +##
> +{ 'struct': 'AuthZPAMProperties',
> +  'data': { 'service': 'str' } }

Matches authz/pamacct.c:qauthz_pam_class_init().

> +
> +##
> +# @AuthZSimpleProperties:
> +#
> +# Properties for authz-simple objects.
> +#
> +# @identity: Identifies the allowed user. Its format depends on the network
> +#            service that authorization object is associated with. For
> +#            authorizing based on TLS x509 certificates, the identity must be
> +#            the x509 distinguished name.
> +#
> +# Since: 4.0
> +##
> +{ 'struct': 'AuthZSimpleProperties',
> +  'data': { 'identity': 'str' } }

Matches authz/simple.c:qauthz_simple_class_init().

> diff --git a/qapi/qom.json b/qapi/qom.json
> index bf2ecb34be..30ed179bc1 100644
> --- a/qapi/qom.json
> +++ b/qapi/qom.json
> @@ -4,6 +4,8 @@
>  # This work is licensed under the terms of the GNU GPL, version 2 or later.
>  # See the COPYING file in the top-level directory.
>  
> +{ 'include': 'authz.json' }
> +
>  ##
>  # = QEMU Object Model (QOM)
>  ##
> @@ -233,6 +235,10 @@
>  ##
>  { 'enum': 'ObjectType',
>    'data': [
> +    'authz-list',
> +    'authz-listfile',
> +    'authz-pam',
> +    'authz-simple',
>      'iothread'
>    ] }
>  
> @@ -252,6 +258,10 @@
>              'id': 'str' },
>    'discriminator': 'qom-type',
>    'data': {
> +      'authz-list':                 'AuthZListProperties',
> +      'authz-listfile':             'AuthZListFileProperties',
> +      'authz-pam':                  'AuthZPAMProperties',
> +      'authz-simple':               'AuthZSimpleProperties',
>        'iothread':                   'IothreadProperties'
>    } }
>  
> diff --git a/storage-daemon/qapi/qapi-schema.json b/storage-daemon/qapi/qapi-schema.json
> index 28117c3aac..67749d1101 100644
> --- a/storage-daemon/qapi/qapi-schema.json
> +++ b/storage-daemon/qapi/qapi-schema.json
> @@ -26,6 +26,7 @@
>  { 'include': '../../qapi/crypto.json' }
>  { 'include': '../../qapi/introspect.json' }
>  { 'include': '../../qapi/job.json' }
> +{ 'include': '../../qapi/authz.json' }
>  { 'include': '../../qapi/qom.json' }
>  { 'include': '../../qapi/sockets.json' }
>  { 'include': '../../qapi/transaction.json' }
> 

Once you delete the dead QAPI hack,
Reviewed-by: Eric Blake <eblake@redhat.com>

Patch

diff --git a/qapi/authz.json b/qapi/authz.json
index 42afe752d1..99d49aa563 100644
--- a/qapi/authz.json
+++ b/qapi/authz.json
@@ -59,3 +59,65 @@ 
 ##
 { 'struct': 'QAuthZListRuleListHack',
   'data': { 'unused': ['QAuthZListRule'] } }
+
+##
+# @AuthZListProperties:
+#
+# Properties for authz-list objects.
+#
+# @policy: Default policy to apply when no rule matches (default: deny)
+#
+# @rules: Authorization rules based on matching user
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZListProperties',
+  'data': { '*policy': 'QAuthZListPolicy',
+            '*rules': ['QAuthZListRule'] } }
+
+##
+# @AuthZListFileProperties:
+#
+# Properties for authz-listfile objects.
+#
+# @filename: File name to load the configuration from. The file must
+#            contain valid JSON for AuthZListProperties.
+#
+# @refresh: If true, inotify is used to monitor the file, automatically
+#           reloading changes. If an error occurs during reloading, all
+#           authorizations will fail until the file is next successfully
+#           loaded. (default: true if the binary was built with
+#           CONFIG_INOTIFY1, false otherwise)
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZListFileProperties',
+  'data': { 'filename': 'str',
+            '*refresh': 'bool' } }
+
+##
+# @AuthZPAMProperties:
+#
+# Properties for authz-pam objects.
+#
+# @service: PAM service name to use for authorization
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZPAMProperties',
+  'data': { 'service': 'str' } }
+
+##
+# @AuthZSimpleProperties:
+#
+# Properties for authz-simple objects.
+#
+# @identity: Identifies the allowed user. Its format depends on the network
+#            service that authorization object is associated with. For
+#            authorizing based on TLS x509 certificates, the identity must be
+#            the x509 distinguished name.
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZSimpleProperties',
+  'data': { 'identity': 'str' } }
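
Review bot: In the @AuthZListProperties doc comment, @rules is declared optional ('*rules') but, unlike @policy, its description gives no default and does not say in what order rules are evaluated. For an authorization list both decide the outcome, so the comment should state what an absent list means and how a match is chosen. Separately, the @refresh default depends on CONFIG_INOTIFY1, so the same configuration reloads rule changes on one build and not on another; the doc could recommend setting it explicitly where rule updates are expected to take effect. The context lines also still carry QAuthZListRuleListHack, whose only member is the same ['QAuthZListRule'] array that AuthZListProperties now references.
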
diff --git a/qapi/qom.json b/qapi/qom.json
index bf2ecb34be..30ed179bc1 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -4,6 +4,8 @@ 
 # This work is licensed under the terms of the GNU GPL, version 2 or later.
 # See the COPYING file in the top-level directory.
 
+{ 'include': 'authz.json' }
+
 ##
 # = QEMU Object Model (QOM)
 ##
@@ -233,6 +235,10 @@ 
 ##
 { 'enum': 'ObjectType',
   'data': [
+    'authz-list',
+    'authz-listfile',
+    'authz-pam',
+    'authz-simple',
     'iothread'
   ] }
 
@@ -252,6 +258,10 @@ 
             'id': 'str' },
   'discriminator': 'qom-type',
   'data': {
+      'authz-list':                 'AuthZListProperties',
+      'authz-listfile':             'AuthZListFileProperties',
+      'authz-pam':                  'AuthZPAMProperties',
+      'authz-simple':               'AuthZSimpleProperties',
       'iothread':                   'IothreadProperties'
   } }
 
diff --git a/storage-daemon/qapi/qapi-schema.json b/storage-daemon/qapi/qapi-schema.json
index 28117c3aac..67749d1101 100644
--- a/storage-daemon/qapi/qapi-schema.json
+++ b/storage-daemon/qapi/qapi-schema.json
@@ -26,6 +26,7 @@ 
 { 'include': '../../qapi/crypto.json' }
 { 'include': '../../qapi/introspect.json' }
 { 'include': '../../qapi/job.json' }
+{ 'include': '../../qapi/authz.json' }
 { 'include': '../../qapi/qom.json' }
 { 'include': '../../qapi/sockets.json' }
 { 'include': '../../qapi/transaction.json' }
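
Review bot: The new include of '../../qapi/authz.json' sits between job.json and qom.json, out of the alphabetical order the visible neighbouring entries follow, and qapi/qom.json in this same patch already includes authz.json itself. If the explicit entry is needed here, for example to control where the authz types land in the generated output, say so in the commit message; otherwise move it to its sorted position or drop it.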