RBAC: Improve documentation and allow for more customization

[frelars]

Nice project, I'm testing v0.2.1, 2 questions;

1. It is not clear to me how we can allow multiple mtls users. From guide we create an admin-config by not specifing name when doing "wmctl pki gen-config ..". When I try to create a different config by specifying "--name user" and running "wmctl connect --config user.yaml" I get following error

time=2023-08-19T16:55:31.811+02:00 level=ERROR msg="error in storage subscription, retrying in 3 seconds" component=passthrough-raft error="rpc error: code = PermissionDenied desc = not allowed"

2. Is it possible to join node to cluster using a specific IP, and fail if IP is already assigned to different node? From doc I see --bootstrap.ipv4-network for network CIDR, but nothing for nodes

[tinyzimmer]

1. You can issue as many certificates as you like, there should be nothing holding you back there. The gen-config is for the admin API and not really intended for connections. It does need the ability to generate for more users, but I won't be able to address that in the near term.

2. IPAM is a plugin, and you can specify static addresses if you'd like. But the joining node can't request the IP they want. See the static-addresses example: https://github.com/webmeshproj/webmesh/tree/main/examples/static-addresses. There is also the meshdns which allows resolving the IPs so you don't have to remember them.

[tinyzimmer]

Ah another thing worth mentioning, is since you are not running in insecure mode - you need to create RBAC rules for other nodes. The error above is likely because the node is not allowed to GET PUBSUB resources. I have some updates I need to make to the CLI for those new permissions.

[tinyzimmer]

Good find. RBAC in general needs a makeover - but this project is starting to suffer from me going broke and not finding any funding yet. I probably need to expose ways to allow secure negotiation, but without RBAC. Or perhaps a way to only enable a subset of the RBAC rules.

With v0.2.2 you'll be able to create the proper rule with the CLI.

wmctl put role my-role-name --verb get --resource pubsub

But pubsub is pretty much required if you are not a raft member (which is another RBAC permission). So a lot of that needs some streamlining.

[tinyzimmer]

The next release will come with an additional bootstrap flag --bootstrap.disable-rbac. This will disable the RBAC system while still leaving TLS and other authentication methods enabled.

I'm not sure if this is a good way to run the network, but it will make things easier for people just wanting to play around as the project continues to mature.

[frelars]

I am looking for a simple wireguard vpc solution for connecting <10 nodes I fully trust without hassel. Today I would use SSH tunnels/rev-tunnelse to accomplish this. For bigger network with complex requirements there are lots of options (netmaker, headscale, zerotier, etc), but I don't think the tooling for small networks are good.

If I could join clients to a webmesh network using a preshared secret it would be very close to what I want. If I also could assign network CIDR and node-ips it would be perfect.

[tinyzimmer]

You can assign network CIDR at bootstrap. And Node IPS per the static allocations as described in my comment above.

There is a proof-of-concept solution called "campfire" that uses pre-shared keys and a specialized TURN server for peer discovery. It's still in its infancy and not fully hardened. But you can see an example of it here. https://github.com/webmeshproj/webmesh/tree/main/examples/campfire-network

[frelars]

Thanks, will take a look. What I tried to say in previous comment was that making things simple (disable RBAC) could be what sets this project apart from other wg-mesh-projects. I don't think I'm alone in looking for tinc but wireguard.

[tinyzimmer]

Ah gotcha. Well I just tagged that too, so v0.2.4 will let you disable that.