Re: [PATCH v2 04/31] qapi/qom: Add ObjectOptions for authz-*
On 2/24/21 7:52 AM, Kevin Wolf wrote:
This adds a QAPI schema for the properties of the authz-* objects.
Signed-off-by: Kevin Wolf <kwolf(a)redhat.com>
---
qapi/authz.json | 62 ++++++++++++++++++++++++++++
qapi/qom.json | 10 +++++
storage-daemon/qapi/qapi-schema.json | 1 +
3 files changed, 73 insertions(+)
diff --git a/qapi/authz.json b/qapi/authz.json
index 42afe752d1..99d49aa563 100644
--- a/qapi/authz.json
+++ b/qapi/authz.json
@@ -59,3 +59,65 @@
##
{ 'struct': 'QAuthZListRuleListHack',
'data': { 'unused': ['QAuthZListRule'] } }
This hack is no longer necessary...
+
+##
+# @AuthZListProperties:
+#
+# Properties for authz-list objects.
+#
+# @policy: Default policy to apply when no rule matches (default: deny)
+#
+# @rules: Authorization rules based on matching user
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZListProperties',
+ 'data': { '*policy': 'QAuthZListPolicy',
+ '*rules': ['QAuthZListRule'] } }
...now that we have a real type using the same array and forcing the
QAPI generator to instantiate it.
Matches authz/list.c:qauthz_list_class_init().
+
+##
+# @AuthZListFileProperties:
+#
+# Properties for authz-listfile objects.
+#
+# @filename: File name to load the configuration from. The file must
+# contain valid JSON for AuthZListProperties.
+#
+# @refresh: If true, inotify is used to monitor the file, automatically
+# reloading changes. If an error occurs during reloading, all
+# authorizations will fail until the file is next successfully
+# loaded. (default: true if the binary was built with
+# CONFIG_INOTIFY1, false otherwise)
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZListFileProperties',
+ 'data': { 'filename': 'str',
+ '*refresh': 'bool' } }
Matches authz/listfile.c:qauthz_list_file_class_init().
+
+##
+# @AuthZPAMProperties:
+#
+# Properties for authz-pam objects.
+#
+# @service: PAM service name to use for authorization
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZPAMProperties',
+ 'data': { 'service': 'str' } }
Matches authz/pamacct.c:qauthz_pam_class_init().
+
+##
+# @AuthZSimpleProperties:
+#
+# Properties for authz-simple objects.
+#
+# @identity: Identifies the allowed user. Its format depends on the network
+# service that authorization object is associated with. For
+# authorizing based on TLS x509 certificates, the identity must be
+# the x509 distinguished name.
+#
+# Since: 4.0
+##
+{ 'struct': 'AuthZSimpleProperties',
+ 'data': { 'identity': 'str' } }
Matches authz/simple.c:qauthz_simple_class_init().
diff --git a/qapi/qom.json b/qapi/qom.json
index bf2ecb34be..30ed179bc1 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -4,6 +4,8 @@
# This work is licensed under the terms of the GNU GPL, version 2 or later.
# See the COPYING file in the top-level directory.
+{ 'include': 'authz.json' }
+
##
# = QEMU Object Model (QOM)
##
@@ -233,6 +235,10 @@
##
{ 'enum': 'ObjectType',
'data': [
+ 'authz-list',
+ 'authz-listfile',
+ 'authz-pam',
+ 'authz-simple',
'iothread'
] }
@@ -252,6 +258,10 @@
'id': 'str' },
'discriminator': 'qom-type',
'data': {
+ 'authz-list': 'AuthZListProperties',
+ 'authz-listfile': 'AuthZListFileProperties',
+ 'authz-pam': 'AuthZPAMProperties',
+ 'authz-simple': 'AuthZSimpleProperties',
'iothread': 'IothreadProperties'
} }
diff --git a/storage-daemon/qapi/qapi-schema.json b/storage-daemon/qapi/qapi-schema.json
index 28117c3aac..67749d1101 100644
--- a/storage-daemon/qapi/qapi-schema.json
+++ b/storage-daemon/qapi/qapi-schema.json
@@ -26,6 +26,7 @@
{ 'include': '../../qapi/crypto.json' }
{ 'include': '../../qapi/introspect.json' }
{ 'include': '../../qapi/job.json' }
+{ 'include': '../../qapi/authz.json' }
{ 'include': '../../qapi/qom.json' }
{ 'include': '../../qapi/sockets.json' }
{ 'include': '../../qapi/transaction.json' }
Once you delete the dead QAPI hack,
Reviewed-by: Eric Blake <eblake(a)redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org