juanfont / headscale

An open source, self-hosted implementation of the Tailscale control server
BSD 3-Clause "New" or "Revised" License

ACLs don't properly handle users #1475

Open 6ixfalls opened 1 year ago

6ixfalls commented 1 year ago

Bug description

While trying to use ACLs to separate users, clients, and servers, ACLs sometimes don't apply at all although the syntax is right, if using a username in the dst field of the ACL. A "fix" I found was to create a group for every single user, which obviously isn't ideal, but fixes the issue that the permission doesn't apply at all.

Environment

To Reproduce

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}

user1 can see & connect to all of user1's devices, while user2 has no devices to connect to, although it has numerous tailscale clients. To "fix", simply add a group that only contains that user, and use it in place of user2. Ex:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["group:user2"], "dst": ["group:user2:*"] }
  ],
  "groups": {
    "group:user2": [
      "user2"
    ]
  }
}

The first rule seems to work fine no matter what. (self to self)

coolrazor007 commented 1 year ago

I don't know if this is relevant but I'm having a similar problem. User1 nodes can't access User2 nodes devices when using groups and tags. Here's my ACL which I thought would work (also verified the tags on the nodes):

{
  "groups": {
    "group:admin": ["user1"],
    "group:user2": ["user2"]
  },
  "tagOwners": {
    "tag:user2": ["group:admin"],
    "tag:user1": ["group:admin"]
  },
  "acls": [
    { "action": "accept", "src": ["group:admin"], "dst": ["tag:user1:*"] },
    { "action": "accept", "src": ["group:admin", "group:user2"], "dst": ["tag:user2:*"] }
  ]
}
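
The two policies above (the reporter's bare-user rules and the group/tagOwners style in the comment just above) both live in the same JSON policy format, so a small lint pass over that format is a useful sanity check before reloading headscale. The following Python is an added example, not code from headscale or from anyone in this thread. It assumes only what the examples on this page show: `acls` rules with `action`/`src`/`dst`, `groups`, and `tagOwners`, with `dst` entries of the form `<target>:<ports>`. It flags references to undefined groups or tags, flags a bare user name in `dst` (the case this issue reports as unreliable), and can rewrite such rules into the single-member-group workaround the reporter described. Hosts, `autogroup:` targets and IPv6 destinations are not handled; the sample policy is constructed for the demonstration.

```python
import json
import re

# Constructed sample policy: the reporter's two rules plus group/tag rules
# in the style of the second comment. "group:user2" and "tag:user2" are
# deliberately left undefined so the linter has something to report.
SAMPLE_POLICY = json.loads("""
{
  "groups": { "group:admin": ["user1"] },
  "tagOwners": { "tag:user1": ["group:admin"] },
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] },
    { "action": "accept", "src": ["group:admin"], "dst": ["tag:user1:*"] },
    { "action": "accept", "src": ["group:user2"], "dst": ["tag:user2:*"] }
  ]
}
""")

# Assumption: a target without a prefix that is not "*" or an IPv4 address/CIDR
# is a user name. IPv6 and host aliases are out of scope for this example.
IPV4_CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def split_dst(entry):
    """Split "group:user2:*" into ("group:user2", "*"); entries without a port keep ports ""."""
    if ":" not in entry:
        return entry, ""
    target, _, ports = entry.rpartition(":")
    return target, ports


def is_bare_user(target):
    """True for an unprefixed user name (not group:/tag:/autogroup:, wildcard or IPv4 CIDR)."""
    return bool(target) and ":" not in target and target != "*" and not IPV4_CIDR.match(target)


def lint_policy(policy):
    """Return (rule index, field, entry, reason) tuples for suspicious ACL entries."""
    groups = set(policy.get("groups", {}))
    tags = set(policy.get("tagOwners", {}))
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        for field in ("src", "dst"):
            for entry in rule.get(field, []):
                target = split_dst(entry)[0] if field == "dst" else entry
                if target.startswith("group:") and target not in groups:
                    findings.append((i, field, entry, "undefined group"))
                elif target.startswith("tag:") and target not in tags:
                    findings.append((i, field, entry, "undefined tag"))
                elif field == "dst" and is_bare_user(target):
                    # The behaviour reported in this issue: a bare user in dst
                    # may not apply; a single-member group is the workaround.
                    findings.append((i, field, entry, "bare user in dst"))
    return findings


def apply_group_workaround(policy):
    """Return a deep copy where every bare user in src/dst becomes "group:<user>",
    adding the single-member group definition when it does not already exist."""
    out = json.loads(json.dumps(policy))
    groups = out.setdefault("groups", {})
    for rule in out.get("acls", []):
        for field in ("src", "dst"):
            if field not in rule:
                continue
            new_entries = []
            for entry in rule[field]:
                target, ports = split_dst(entry) if field == "dst" else (entry, "")
                if is_bare_user(target):
                    group = "group:" + target
                    groups.setdefault(group, [target])
                    target = group
                new_entries.append(target + ":" + ports if ports else target)
            rule[field] = new_entries
    return out


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("rule %d %s %r: %s" % finding)
    fixed = apply_group_workaround(SAMPLE_POLICY)
    print(json.dumps(fixed, indent=2))
```

Running the script against the sample reports the two bare-user destinations and the undefined `group:user2`/`tag:user2` references; after `apply_group_workaround` the user rules look like the reporter's working variant and only the undefined tag remains, which is exactly the kind of stale reference that would otherwise silently produce an empty allow set.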

cristihcd commented 1 year ago

Testing the following ACL with headscale v0.22.3, tailscale v1.46.0 (Linux), it seems to work:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}

leeaash commented 1 year ago

Testing the following ACL with headscale v0.22.3, tailscale v1.46.0 (Linux), it seems to work:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}

  • user1 can see all user1 machines
  • user2 can see all user2 machines
  • user1 cannot see user2 machines

You can try to add a tag on a user; then it won't work.

mastier commented 12 months ago

I confirm I see the same issue.

github-actions[bot] commented 8 months ago

This issue is stale because it has been open for 90 days with no activity.

6ixfalls commented 8 months ago

Still an issue, unsure if fixed in new beta

github-actions[bot] commented 5 months ago

This issue is stale because it has been open for 90 days with no activity.

6ixfalls commented 5 months ago

Still an issue, unsure if fixed in new beta

Snuupy commented 4 months ago

tested beta9, tags broken

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 90 days with no activity.