juanfont / headscale

An open source, self-hosted implementation of the Tailscale control server
BSD 3-Clause "New" or "Revised" License

ACLs don't properly handle users #1475

Open 6ixfalls opened 1 year ago

6ixfalls commented 1 year ago

Bug description

While trying to use ACLs to separate users, clients, and servers, ACLs sometimes don't apply at all although the syntax is right, if using a username in the dst field of the ACL. A "fix" I found was to create a group for every single user, which obviously isn't ideal, but fixes the issue that the permission doesn't apply at all.

Environment

To Reproduce

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}

user1 can see & connect to all of user1's devices, while user2 has no devices to connect to, although with numerous tailscale clients. To "fix", simply add a group that only contains that user, and use it in replacement of user2. Ex:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["group:user2"], "dst": ["group:user2:*"] }
  ],
  "groups": {
    "group:user2": [
      "user2"
    ]
  }
}

The first rule seems to work fine no matter what. (self to self)

coolrazor007 commented 1 year ago

I don't know if this is relevant but I'm having a similar problem. User1 nodes can't access User2 nodes devices when using groups and tags. Here's my ACL which I thought would work (also verified the tags on the nodes):

{
  "groups": {
    "group:admin": ["user1"],
    "group:user2": ["user2"]
  },
  "tagOwners": {
    "tag:user2": ["group:admin"],
    "tag:user1": ["group:admin"]
  },
  "acls": [
    { "action": "accept", "src": ["group:admin"], "dst": ["tag:user1:*"] },
    { "action": "accept", "src": ["group:admin", "group:user2"], "dst": ["tag:user2:*"] }
  ]
}

cristihcd commented 1 year ago

testing the following acl with headscale v0.22.3, tailscale v1.46.0 (linux), it seems to work:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}

leeaash commented 1 year ago

testing the following acl with headscale v0.22.3, tailscale v1.46.0 (linux), it seems to work:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}

  • user1 can see all user1 machines
  • user2 can see all user2 machines
  • user1 cannot see user2 machines

you can try to add some tag on user, then it won't work
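The reachability that the original report and the list above expect (each user reaches only that user's machines, never the other user's), written out as an added Python model. This is not headscale's code and not from anyone in this thread; it models only the subset of the policy language used here: src/dst selectors are usernames, `group:` names, `tag:` names or `*`, ports are ignored, and a tagged node is matched only by its tags (Tailscale's tag semantics, taken as an assumption for this model). `Node`, `reachability` and `singleton_groups` are names chosen for the example, and the node inventory is constructed. It computes the intended matrix for the user-based policy, applies the one-member-group workaround from the report, and checks that both produce the same matrix, which is the reference to compare against what clients actually receive.

```python
"""Simplified reachability model for headscale/Tailscale-style ACL policies.

Constructed example, NOT headscale's implementation. It covers only users,
groups, tags and "*" in src/dst so that the intended node-to-node
reachability can be written down and compared with what clients see.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One registered machine (constructed inventory, not real data)."""
    name: str
    user: str
    tags: frozenset = frozenset()


def _selector_matches(selector: str, node: Node, groups: dict) -> bool:
    """Does a src/dst selector (user, group:..., tag:..., *) cover this node?

    Assumption (Tailscale tag semantics): a tagged node is identified by its
    tags only, so user and group selectors no longer match it.
    """
    if selector == "*":
        return True
    if selector.startswith("tag:"):
        return selector in node.tags
    if node.tags:
        return False
    if selector.startswith("group:"):
        return node.user in groups.get(selector, [])
    return selector == node.user


def _target(dst: str) -> str:
    """'user2:*' -> 'user2', 'group:user2:*' -> 'group:user2' (ports dropped)."""
    target, _, _ports = dst.rpartition(":")
    return target


def reachability(policy: dict, nodes: list) -> dict:
    """Map each node name to the sorted names it may reach under the policy.

    Accept rules are additive, so pairs are unioned across rules; a node's
    own name is left out of its row.
    """
    groups = policy.get("groups", {})
    allowed = {n.name: set() for n in nodes}
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        srcs = [n for n in nodes if any(_selector_matches(s, n, groups) for s in rule["src"])]
        targets = [_target(d) for d in rule["dst"]]
        dsts = [n for n in nodes if any(_selector_matches(t, n, groups) for t in targets)]
        for s in srcs:
            for d in dsts:
                if s.name != d.name:
                    allowed[s.name].add(d.name)
    return {name: sorted(peers) for name, peers in allowed.items()}


def _is_user(selector: str) -> bool:
    """Bare username: not '*', not a group/tag/autogroup, not an IP/CIDR."""
    return (selector != "*"
            and not selector.startswith(("group:", "tag:", "autogroup:"))
            and not selector[0].isdigit())


def singleton_groups(policy: dict) -> dict:
    """Apply the workaround from the report: every bare username in src/dst is
    replaced by a one-member group. Returns a new policy; input is untouched."""
    new = copy.deepcopy(policy)
    groups = new.setdefault("groups", {})

    def as_group(user: str) -> str:
        name = f"group:{user}"
        groups.setdefault(name, [user])
        return name

    for rule in new.get("acls", []):
        rule["src"] = [as_group(s) if _is_user(s) else s for s in rule["src"]]
        new_dst = []
        for d in rule["dst"]:
            target, _, ports = d.rpartition(":")
            new_dst.append(f"{as_group(target)}:{ports}" if _is_user(target) else d)
        rule["dst"] = new_dst
    return new


# Constructed inventory: two plain nodes per user plus one tagged node.
NODES = [
    Node("u1-laptop", "user1"),
    Node("u1-server", "user1"),
    Node("u2-laptop", "user2"),
    Node("u2-server", "user2"),
    Node("u2-tagged", "user2", frozenset({"tag:user2"})),
]

# The user-based policy from the original report.
USER_POLICY = {
    "acls": [
        {"action": "accept", "src": ["user1"], "dst": ["user1:*"]},
        {"action": "accept", "src": ["user2"], "dst": ["user2:*"]},
    ]
}


def expected_matrix() -> dict:
    """Intended reachability for the user-based policy."""
    return reachability(USER_POLICY, NODES)


def workaround_matrix() -> dict:
    """Reachability after rewriting users into one-member groups."""
    return reachability(singleton_groups(USER_POLICY), NODES)


if __name__ == "__main__":
    for src, peers in expected_matrix().items():
        print(f"{src:10} -> {peers}")
    # Both spellings of the policy must grant the same pairs.
    assert expected_matrix() == workaround_matrix()
```

Each row printed is what that node should see as reachable peers; a node whose row is empty in practice although the model lists peers for it is the symptom described in the report. The tagged node gets an empty row under user-only rules, because in this model a tag replaces the user identity, so a `tag:` rule is needed once nodes are tagged.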

mastier commented 1 year ago

I confirm I see the same issue.

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 90 days with no activity.

6ixfalls commented 10 months ago

Still an issue, unsure if fixed in new beta

github-actions[bot] commented 7 months ago

This issue is stale because it has been open for 90 days with no activity.

6ixfalls commented 7 months ago

Still an issue, unsure if fixed in new beta

Snuupy commented 6 months ago

tested beta9, tags broken

github-actions[bot] commented 3 months ago

This issue is stale because it has been open for 90 days with no activity.