From: John Mulligan Date: Mon, 22 Sep 2025 18:44:30 +0000 (-0400) Subject: mgr/smb: add a new hosts_access field to the Share resource X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=7e5fea1b25d27069cdb73ef655ab9e46ffeb10f3;p=ceph.git mgr/smb: add a new hosts_access field to the Share resource This access list can be used to allow or deny access to hosts by IP address or network (IP/prefixlen-style). It partially borrows from the previous work to do ip address binds. The structure would look something like the following: ``` hosts_access: - address: 192.168.7.200 access: allow - address: 192.168.7.202 access: allow - network: 10.10.220.0/24 access: allow ``` or ``` hosts_access: - access: deny network: 10.10.220.0/24 `` Signed-off-by: John Mulligan --- diff --git a/src/pybind/mgr/smb/resources.py b/src/pybind/mgr/smb/resources.py index 4fe7ad6b4d68..c43655b6cb87 100644 --- a/src/pybind/mgr/smb/resources.py +++ b/src/pybind/mgr/smb/resources.py @@ -13,12 +13,14 @@ from ceph.deployment.service_spec import ( SMBClusterPublicIPSpec, SpecValidationError, ) +from ceph.smb.network import to_network from object_format import ErrorResponseBase from . import resourcelib, validation from .enums import ( AuthMode, CephFSStorageProvider, + HostAccess, Intent, JoinSourceType, LoginAccess, 
@@ -189,6 +191,30 @@ class LoginAccessEntry(_RBase): validation.check_access_name(self.name) +@resourcelib.component() +class HostAccessEntry(_RBase): + access: HostAccess + address: str = '' + network: str = '' + + def validate(self) -> None: + # to_network raises ValueError if values are invalid + to_network(network=self.network, address=self.address) + + @property + def normalized_value(self) -> str: + if self.address: + return self.address + # normalize network string + return str(to_network(network=self.network)) + + @resourcelib.customize + def _customize_resource(rc: resourcelib.Resource) -> resourcelib.Resource: + rc.address.quiet = True + rc.network.quiet = True + return rc + + @resourcelib.resource('ceph.smb.share') class RemovedShare(_RBase): """Represents a share that has / will be removed.""" @@ -229,6 +255,7 @@ class Share(_RBase): custom_smb_share_options: Optional[Dict[str, str]] = None login_control: Optional[List[LoginAccessEntry]] = None restrict_access: bool = False + hosts_access: Optional[List[HostAccessEntry]] = None def __post_init__(self) -> None: # if name is not given explicitly, take it from the share_id
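Review bot: `HostAccessEntry.validate` passes both `address` and `network` to `to_network`, but `normalized_value` returns `address` whenever it is set, so an entry carrying both fields has its `network` silently ignored unless `to_network` (not visible here) rejects that combination. For an allow/deny list this matters: a `deny` entry written with a network plus a stray address would end up covering only the single host. I would state the rule at the top of `validate`, e.g. `if bool(self.address) == bool(self.network): raise ValueError('exactly one of address or network must be set')`. `normalized_value` also returns the address string as typed while the network form is canonicalised, so equivalent spellings of one IPv6 address would not compare equal if this value feeds duplicate or conflict checks; `str(ipaddress.ip_address(self.address))` would close that gap, provided `ipaddress` is available in this module.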
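Review bot: The `hosts_access` field added to `Share` carries no comment on its semantics, and for an access list the unstated parts are the ones operators get wrong: what happens to a host that matches no entry, whether entry order matters, and whether an `allow` and a `deny` for the same address is rejected. `Share`'s validation lies outside this hunk, so I cannot tell whether conflicting or duplicate entries are caught there. I would add a comment above the field along the lines of `# hosts_access: per-share host allow/deny list; None means no host filtering is configured` (if that is the intended meaning), state the default for unmatched hosts, and say how the list relates to `restrict_access` directly above it.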