From: John Mulligan Date: Mon, 22 Sep 2025 18:49:31 +0000 (-0400) Subject: mgr/smb: generate smb.conf hosts allow & hosts deny values X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=be1ee044d0a78a5b7d9705b86a70c8fe7a07e9e0;p=ceph.git mgr/smb: generate smb.conf hosts allow & hosts deny values Using the Share resource hosts_access parameter generate smb.conf-equivalent configuration for the 'hosts allow' and 'hosts deny' configuration parms. Note that currently we automatically set hosts deny to all if *any* hosts allow is set to avoid the possibly surprising result of explicitly setting hosts to allow and then having the share continue to allow hosts not explicitly listed. If needed, in the future we could allow the user to override the default deny - but I'm trying to keep it real simple for now. Signed-off-by: John Mulligan
---
diff --git a/src/pybind/mgr/smb/handler.py b/src/pybind/mgr/smb/handler.py
index ce6795fe7aaa..51189a74e343 100644
--- a/src/pybind/mgr/smb/handler.py
+++ b/src/pybind/mgr/smb/handler.py
@@ -22,6 +22,7 @@ from . import config_store, external, resources
 from .enums import (
 AuthMode,
 CephFSStorageProvider,
+ HostAccess,
 JoinSourceType,
 LoginAccess,
 LoginCategory,
@@ -734,6 +735,7 @@ def _generate_share(
 cfg['options'][f'{ceph_vfs}:proxy'] = proxy_val
 # extend share with user+group login access lists
 _generate_share_login_control(share, cfg)
+ _generate_share_hosts_access(share, cfg)
 # extend share with custom options
 custom_opts = share.cleaned_custom_smb_share_options
 if custom_opts:
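Review bot: In the `_generate_share` hunk, the generated `hosts allow` / `hosts deny` values are written before the custom-options block, so a custom option with the same key could replace them, including the implicit deny-all. That block's body lies outside the hunk, so this is inferred from the ordering and the `# extend share with custom options` comment rather than seen directly. If custom options are merged into `cfg['options']`, either refuse those two keys whenever `share.hosts_access` is set, or state the precedence next to the call with a comment such as `# NOTE: custom options are applied last and may override the generated 'hosts allow'/'hosts deny'`. A test pairing `hosts_access` with a conflicting custom option would pin whichever behaviour is intended.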
@@ -778,6 +780,30 @@ def _generate_share_login_control(
 cfg['options']['admin users'] = ' '.join(admin_users)
 
 
+def _generate_share_hosts_access(
+ share: resources.Share, cfg: Simplified
+) -> None:
+ if not share.hosts_access:
+ return
+ default_access = HostAccess.ALLOW
+ hosts_allow: List[str] = []
+ hosts_deny: List[str] = []
+ for entry in share.hosts_access:
+ if entry.access is HostAccess.DENY:
+ hosts_deny.append(entry.normalized_value)
+ elif entry.access is HostAccess.ALLOW:
+ hosts_allow.append(entry.normalized_value)
+ default_access = HostAccess.DENY
+ else:
+ raise ValueError(f'invalid access type: {entry.access!r}')
+ if default_access is HostAccess.DENY:
+ hosts_deny.append('ALL')
+ if hosts_allow:
+ cfg['options']['hosts allow'] = ', '.join(hosts_allow)
+ if hosts_deny:
+ cfg['options']['hosts deny'] = ', '.join(hosts_deny)
+
+
 def _generate_config(
 cluster: resources.Cluster,
 shares: Iterable[resources.Share],
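Review bot: In `_generate_share_hosts_access`, explicit DENY entries stop having any effect once a single ALLOW entry is present. smb.conf documents that where `hosts allow` and `hosts deny` conflict the allow list takes precedence, and the function also appends `ALL` to the deny list in that case. A share that allows a network and denies one host inside it would still admit that host, which is the kind of surprise the commit message sets out to avoid. I would reject or log mixed allow/deny lists where the resource is validated, or at minimum add a docstring stating the precedence and a comment above `hosts_deny.append('ALL')` such as `# smb.conf: allow entries win over deny entries; deny-all only closes the default`. The function also relies on `entry.normalized_value` never containing a comma, space or newline, since the values are joined with `', '` into one option string; that guarantee is not visible in this hunk and is worth confirming in `resources`.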