authorChris St. Pierre <chris.a.st.pierre@gmail.com>2013-02-12 07:48:33 -0500
committerChris St. Pierre <chris.a.st.pierre@gmail.com>2013-02-12 09:18:38 -0500
commit5363e6d9a53146333da0d109aae170befc1b9481 (patch)
tree22f1180360c6844f3ca1f77a7cee59a01c05ad9b /schemas
parentd0cb9264234851ad65ec8502a56c3afefd39fbad (diff)
Added client ACLs:
* IP and CIDR-based ACLs * Metadata (group/hostname)-based ACLs * Documentation * Unit tests
Diffstat (limited to 'schemas')
-rw-r--r--schemas/acl-ip.xsd56
-rw-r--r--schemas/acl-metadata.xsd79
2 files changed, 135 insertions, 0 deletions
diff --git a/schemas/acl-ip.xsd b/schemas/acl-ip.xsd
new file mode 100644
index 000000000..1d6106c05
--- /dev/null
+++ b/schemas/acl-ip.xsd
@@ -0,0 +1,56 @@
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xml:lang="en">
+ <xsd:annotation>
+ <xsd:documentation>
+ Schema for IP-based client ACLs:
+ :ref:`server-plugins-misc-acl` ``ip.xml``
+ </xsd:documentation>
+ </xsd:annotation>
+
+ <xsd:complexType name="IPACLType">
+ <xsd:attribute type="xsd:string" name="method" use="required">
+ <xsd:annotation>
+ <xsd:documentation>
+ The name of the XML-RPC method to allow or deny. Limited
+ wildcards are supported.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ <xsd:attribute type="xsd:string" name="address">
+ <xsd:annotation>
+ <xsd:documentation>
+ The IP address to match against. This is an exact match
+ unless :xml:attribute:`IPACLType:netmask` is defined. If
+ this is not defined, all addresses match the given rule.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ <xsd:attribute type="xsd:string" name="netmask">
+ <xsd:annotation>
+ <xsd:documentation>
+ If this is defined, then it is combined with
+ :xml:attribute:`IPACLType:address` to produce a CIDR range,
+ which is used for matching instead of exact matching based
+ only on IP address. This can be either an integer netmask
+ (e.g., ``netmask="24"``) or a dotted-quad (e.g.,
+ ``netmask="255.255.255.0"``).
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ </xsd:complexType>
+
+ <xsd:complexType name="IPACLContainerType">
+ <xsd:annotation>
+ <xsd:documentation>
+ Top-level tag for describing metadata-based client ACLs.
+ </xsd:documentation>
+ </xsd:annotation>
+ <xsd:choice minOccurs="1" maxOccurs="unbounded">
+ <xsd:element name="Allow" type="IPACLType"/>
+ <xsd:element name="Deny" type="IPACLType"/>
+ <xsd:element name="Defer" type="IPACLType"/>
+ <xsd:element name="ACL" type="IPACLContainerType"/>
+ </xsd:choice>
+ </xsd:complexType>
+
+ <xsd:element name="ACL" type="IPACLContainerType"/>
+</xsd:schema>
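Review bot: The documentation on IPACLContainerType says "Top-level tag for describing metadata-based client ACLs", which was evidently copied from the metadata schema; in ip.xml it should read `Top-level tag for describing IP-based client ACLs.` so that generated docs do not misdescribe which file this applies to. The `Defer` element is also introduced here without any documentation, and since it changes the outcome of an IP rule (it is neither Allow nor Deny), a one-sentence annotation on that element saying what the plugin does when a Defer rule matches would help anyone auditing the ACL configuration. Finally, `netmask` is accepted without `address`, while the `address` documentation says a missing address matches everything; it would be worth stating in the `netmask` annotation that it is only meaningful together with `address`, as I cannot tell from the schema how the plugin treats a netmask on an address-less rule.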
diff --git a/schemas/acl-metadata.xsd b/schemas/acl-metadata.xsd
new file mode 100644
index 000000000..7d996fb87
--- /dev/null
+++ b/schemas/acl-metadata.xsd
@@ -0,0 +1,79 @@
+<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ xmlns:py="http://genshi.edgewall.org/" xml:lang="en">
+ <xsd:annotation>
+ <xsd:documentation>
+ Schema for metadata-based client ACLs:
+ :ref:`server-plugins-misc-acl` ``metadata.xml``
+ </xsd:documentation>
+ </xsd:annotation>
+
+ <xsd:import namespace="http://genshi.edgewall.org/"
+ schemaLocation="genshi.xsd"/>
+
+ <xsd:complexType name="MetadataACLGroupType">
+ <xsd:annotation>
+ <xsd:documentation>
+ An **MetadataACLGroupType** is a tag used to provide logic.
+ Child entries of a MetadataACLGroupType tag only apply to
+ machines that match the condition specified -- either
+ membership in a group, or a matching client name.
+ :xml:attribute:`MetadataACLGroupType:negate` can be set to
+ negate the sense of the match.
+ </xsd:documentation>
+ </xsd:annotation>
+ <xsd:group ref="MetadataACLElements"/>
+ <xsd:attribute name='name' type='xsd:string'>
+ <xsd:annotation>
+ <xsd:documentation>
+ The name of the client or group to match on. Child entries
+ will only apply to this client or group (unless
+ :xml:attribute:`MetadataACLGroupType:negate` is set).
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ <xsd:attribute name='negate' type='xsd:boolean'>
+ <xsd:annotation>
+ <xsd:documentation>
+ Negate the sense of the match, so that child entries only
+ apply to a client if it is not a member of the given group
+ or does not have the given name.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ <xsd:attributeGroup ref="py:genshiAttrs"/>
+ </xsd:complexType>
+
+ <xsd:complexType name="MetadataACLType">
+ <xsd:attribute type="xsd:string" name="method" use="required">
+ <xsd:annotation>
+ <xsd:documentation>
+ The name of the XML-RPC method to allow or deny. Limited
+ wildcards are supported.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ <xsd:attributeGroup ref="py:genshiAttrs"/>
+ </xsd:complexType>
+
+ <xsd:complexType name="MetadataACLContainerType">
+ <xsd:annotation>
+ <xsd:documentation>
+ Top-level tag for describing metadata-based client ACLs.
+ </xsd:documentation>
+ </xsd:annotation>
+ <xsd:group ref="MetadataACLElements"/>
+ </xsd:complexType>
+
+ <xsd:group name="MetadataACLElements">
+ <xsd:choice minOccurs="1" maxOccurs="unbounded">
+ <xsd:group ref="py:genshiElements"/>
+ <xsd:element name="Allow" type="MetadataACLType"/>
+ <xsd:element name="Deny" type="MetadataACLType"/>
+ <xsd:element name="Group" type="MetadataACLGroupType"/>
+ <xsd:element name="Client" type="MetadataACLGroupType"/>
+ <xsd:element name="ACL" type="MetadataACLContainerType"/>
+ </xsd:choice>
+ </xsd:group>
+
+ <xsd:element name="ACL" type="MetadataACLContainerType"/>
+</xsd:schema>
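Review bot: The `name` attribute on MetadataACLGroupType is optional, yet it is the only thing a `Group` or `Client` element matches on, so the schema accepts `<Group><Deny method="..."/></Group>` whose meaning is undefined from the schema alone and, depending on how the plugin handles a missing name, could silently match nothing or every client; unless an absent name is deliberately special-cased, it should be `<xsd:attribute name='name' type='xsd:string' use='required'>`. The first sentence of that type's documentation should read `A **MetadataACLGroupType** is a tag used to provide logic.` rather than "An". Note also that this schema has no `Defer` element while the IP schema does; if that asymmetry is intentional it deserves a sentence in the container documentation so it is not read as an omission. As a minor style point, these two attribute declarations use single quotes while the rest of the file uses double quotes.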