ArbitCode
diff --git a/‎doc/mgr/smb.rst‎
Lines changed: 15 additions & 0 deletions b/‎doc/mgr/smb.rst‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎src/pybind/mgr/smb/enums.py‎
Lines changed: 23 additions & 0 deletions b/‎src/pybind/mgr/smb/enums.py‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎src/pybind/mgr/smb/handler.py‎
Lines changed: 40 additions & 0 deletions b/‎src/pybind/mgr/smb/handler.py‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎src/pybind/mgr/smb/resources.py‎
Lines changed: 22 additions & 0 deletions b/‎src/pybind/mgr/smb/resources.py‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/pybind/mgr/smb/tests/test_handler.py‎
Lines changed: 158 additions & 0 deletions b/‎src/pybind/mgr/smb/tests/test_handler.py‎
Lines changed: 158 additions & 0 deletions
@@ -480,6 +480,21 @@ cephfs
     provider
         Optional. One of ``samba-vfs`` or ``kcephfs`` (``kcephfs`` is not yet
         supported) . Selects how CephFS storage should be provided to the share
+restrict_access
+    Optional boolean, defaulting to false. If true the share will only permit
+    access by users explicitly listed in ``login_control``.
+login_control
+    Optional list of objects. Fields:
+
+    name
+        Required string. Name of the user or group.
+    category
+        Optional. One of ``user`` (default) or ``group``.
+    access
+        One of ``read`` (alias ``r``), ``read-write`` (alias ``rw``), ``none``,
+        or ``admin``. Specific access level to grant to the user or group when
+        logging into this share. The ``none`` value denies access to the share
+        regardless of the ``restrict_access`` value.
 custom_smb_share_options
     Optional mapping. Specify key-value pairs that will be directly added to
     the ``smb.conf`` (or equivalent) of a Samba server.  Do *not* use this
 
@@ -54,3 +54,26 @@ class ConfigNS(_StrEnum):
     SHARES = 'shares'
     USERS_AND_GROUPS = 'users_and_groups'
     JOIN_AUTHS = 'join_auths'
+
+
+class LoginCategory(_StrEnum):
+    USER = 'user'
+    GROUP = 'group'
+
+
+class LoginAccess(_StrEnum):
+    ADMIN = 'admin'
+    NONE = 'none'
+    READ_ONLY = 'read'
+    READ_ONLY_SHORT = 'r'
+    READ_WRITE = 'read-write'
+    READ_WRITE_SHORT = 'rw'
+
+    def expand(self) -> 'LoginAccess':
+        """Exapend abbreviated enum values into their full forms."""
+        # the extra LoginAccess(...) calls are to appease mypy
+        if self == self.READ_ONLY_SHORT:
+            return LoginAccess(self.READ_ONLY)
+        if self == self.READ_WRITE_SHORT:
+            return LoginAccess(self.READ_WRITE)
+        return self
@@ -25,6 +25,8 @@
     CephFSStorageProvider,
     Intent,
     JoinSourceType,
+    LoginAccess,
+    LoginCategory,
     State,
     UserGroupSourceType,
 )
@@ -992,6 +994,8 @@ def _generate_share(
             'x:ceph:id': f'{share.cluster_id}.{share.share_id}',
         }
     }
+    # extend share with user+group login access lists
+    _generate_share_login_control(share, cfg)
     # extend share with custom options
     custom_opts = share.cleaned_custom_smb_share_options
     if custom_opts:
@@ -1000,6 +1004,42 @@ def _generate_share(
     return cfg
 
 
+def _generate_share_login_control(
+    share: resources.Share, cfg: Simplified
+) -> None:
+    valid_users: List[str] = []
+    invalid_users: List[str] = []
+    read_list: List[str] = []
+    write_list: List[str] = []
+    admin_users: List[str] = []
+    for entry in share.login_control or []:
+        if entry.category == LoginCategory.GROUP:
+            name = f'@{entry.name}'
+        else:
+            name = entry.name
+        if entry.access == LoginAccess.NONE:
+            invalid_users.append(name)
+            continue
+        elif entry.access == LoginAccess.ADMIN:
+            admin_users.append(name)
+        elif entry.access == LoginAccess.READ_ONLY:
+            read_list.append(name)
+        elif entry.access == LoginAccess.READ_WRITE:
+            write_list.append(name)
+        if share.restrict_access:
+            valid_users.append(name)
+    if valid_users:
+        cfg['options']['valid users'] = ' '.join(valid_users)
+    if invalid_users:
+        cfg['options']['invalid users'] = ' '.join(invalid_users)
+    if read_list:
+        cfg['options']['read list'] = ' '.join(read_list)
+    if write_list:
+        cfg['options']['write list'] = ' '.join(write_list)
+    if admin_users:
+        cfg['options']['admin users'] = ' '.join(admin_users)
+
+
 def _generate_config(
     cluster: resources.Cluster,
     shares: Iterable[resources.Share],
 
@@ -12,6 +12,8 @@
     CephFSStorageProvider,
     Intent,
     JoinSourceType,
+    LoginAccess,
+    LoginCategory,
     UserGroupSourceType,
 )
 from .proto import Self, Simplified, checked
@@ -99,6 +101,19 @@ def _customize_resource(rc: resourcelib.Resource) -> resourcelib.Resource:
         return rc
 
 
+@resourcelib.component()
+class LoginAccessEntry(_RBase):
+    name: str
+    category: LoginCategory = LoginCategory.USER
+    access: LoginAccess = LoginAccess.READ_ONLY
+
+    def __post_init__(self) -> None:
+        self.access = self.access.expand()
+
+    def validate(self) -> None:
+        validation.check_access_name(self.name)
+
+
 @resourcelib.resource('ceph.smb.share')
 class RemovedShare(_RBase):
     """Represents a share that has / will be removed."""
@@ -135,6 +150,8 @@ class Share(_RBase):
     browseable: bool = True
     cephfs: Optional[CephFSStorage] = None
     custom_smb_share_options: Optional[Dict[str, str]] = None
+    login_control: Optional[List[LoginAccessEntry]] = None
+    restrict_access: bool = False
 
     def __post_init__(self) -> None:
         # if name is not given explicitly, take it from the share_id
@@ -155,6 +172,10 @@ def validate(self) -> None:
         if self.cephfs is None:
             raise ValueError('a cephfs configuration is required')
         validation.check_custom_options(self.custom_smb_share_options)
+        if self.restrict_access and not self.login_control:
+            raise ValueError(
+                'a share with restricted access must define at least one login_control entry'
+            )
 
     @property
     def checked_cephfs(self) -> CephFSStorage:
@@ -163,6 +184,7 @@ def checked_cephfs(self) -> CephFSStorage:
 
     @resourcelib.customize
     def _customize_resource(rc: resourcelib.Resource) -> resourcelib.Resource:
+        rc.restrict_access.quiet = True
         rc.on_condition(_present)
         rc.on_construction_error(InvalidResourceError.wrap)
         return rc
 
@@ -372,6 +372,164 @@ def test_generate_config_ad(thandler):
     assert cfg['globals']['foo']['options']['realm'] == 'dom1.example.com'
 
 
+def test_generate_config_with_login_control(thandler):
+    thandler.internal_store.overwrite(
+        {
+            'clusters.foo': {
+                'resource_type': 'ceph.smb.cluster',
+                'cluster_id': 'foo',
+                'auth_mode': 'active-directory',
+                'intent': 'present',
+                'domain_settings': {
+                    'realm': 'dom1.example.com',
+                    'join_sources': [
+                        {
+                            'source_type': 'resource',
+                            'ref': 'foo1',
+                        }
+                    ],
+                },
+            },
+            'join_auths.foo1': {
+                'resource_type': 'ceph.smb.join.auth',
+                'auth_id': 'foo1',
+                'intent': 'present',
+                'auth': {
+                    'username': 'testadmin',
+                    'password': 'Passw0rd',
+                },
+            },
+            'shares.foo.s1': {
+                'resource_type': 'ceph.smb.share',
+                'cluster_id': 'foo',
+                'share_id': 's1',
+                'intent': 'present',
+                'name': 'Ess One',
+                'readonly': False,
+                'browseable': True,
+                'cephfs': {
+                    'volume': 'cephfs',
+                    'path': '/',
+                    'provider': 'samba-vfs',
+                },
+                'login_control': [
+                    {
+                        'name': 'dom1\\alan',
+                        'category': 'user',
+                        'access': 'read',
+                    },
+                    {
+                        'name': 'dom1\\betsy',
+                        'category': 'user',
+                        'access': 'read-write',
+                    },
+                    {
+                        'name': 'dom1\\chuck',
+                        'category': 'user',
+                        'access': 'admin',
+                    },
+                    {
+                        'name': 'dom1\\ducky',
+                        'category': 'user',
+                        'access': 'none',
+                    },
+                    {
+                        'name': 'dom1\\eggbert',
+                        'category': 'user',
+                        'access': 'read',
+                    },
+                    {
+                        'name': 'dom1\\guards',
+                        'category': 'group',
+                        'access': 'read-write',
+                    },
+                ],
+            },
+        }
+    )
+
+    cfg = thandler.generate_config('foo')
+    assert cfg
+    assert cfg['shares']['Ess One']['options']
+    shopts = cfg['shares']['Ess One']['options']
+    assert shopts['invalid users'] == 'dom1\\ducky'
+    assert shopts['read list'] == 'dom1\\alan dom1\\eggbert'
+    assert shopts['write list'] == 'dom1\\betsy @dom1\\guards'
+    assert shopts['admin users'] == 'dom1\\chuck'
+
+
+def test_generate_config_with_login_control_restricted(thandler):
+    thandler.internal_store.overwrite(
+        {
+            'clusters.foo': {
+                'resource_type': 'ceph.smb.cluster',
+                'cluster_id': 'foo',
+                'auth_mode': 'active-directory',
+                'intent': 'present',
+                'domain_settings': {
+                    'realm': 'dom1.example.com',
+                    'join_sources': [
+                        {
+                            'source_type': 'resource',
+                            'ref': 'foo1',
+                        }
+                    ],
+                },
+            },
+            'join_auths.foo1': {
+                'resource_type': 'ceph.smb.join.auth',
+                'auth_id': 'foo1',
+                'intent': 'present',
+                'auth': {
+                    'username': 'testadmin',
+                    'password': 'Passw0rd',
+                },
+            },
+            'shares.foo.s1': {
+                'resource_type': 'ceph.smb.share',
+                'cluster_id': 'foo',
+                'share_id': 's1',
+                'intent': 'present',
+                'name': 'Ess One',
+                'readonly': False,
+                'browseable': True,
+                'cephfs': {
+                    'volume': 'cephfs',
+                    'path': '/',
+                    'provider': 'samba-vfs',
+                },
+                'restrict_access': True,
+                'login_control': [
+                    {
+                        'name': 'dom1\\alan',
+                        'category': 'user',
+                        'access': 'read',
+                    },
+                    {
+                        'name': 'dom1\\betsy',
+                        'category': 'user',
+                        'access': 'read-write',
+                    },
+                    {
+                        'name': 'dom1\\chuck',
+                        'category': 'user',
+                        'access': 'none',
+                    },
+                ],
+            },
+        }
+    )
+
+    cfg = thandler.generate_config('foo')
+    assert cfg
+    assert cfg['shares']['Ess One']['options']
+    shopts = cfg['shares']['Ess One']['options']
+    assert shopts['invalid users'] == 'dom1\\chuck'
+    assert shopts['valid users'] == 'dom1\\alan dom1\\betsy'
+    assert shopts['read list'] == 'dom1\\alan'
+    assert shopts['write list'] == 'dom1\\betsy'
+
+
 def test_error_result():
     share = smb.resources.Share(
         cluster_id='foo',