-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No support for "autogroup:" in ACL rules #657
Comments
Support for |
As i am currently also testing this: for correct headcale acls see: given: my result:
autogroup:internet expands to 1 rule per node who provides the route 0/0 go serverside autogroup. lets not have this feature with bash scaping and cron. |
For For For
For IPv6, the list of disallowed networks could be :
These 2 lists have been built based on https://en.wikipedia.org/wiki/Reserved_IP_addresses Is this the best way to handle outgoing traffic ? |
I disagree on the federation. the oidc section has allowed domains, allowed users and a domain hint. if we have a list of member domains the oidc system (i.e. keycloak ) cloud provide access for a defined list of joinable domains and headscale could distinguish them according to the list of member domains, the rest would default to being shared access. the user federation on keycloak implies the consumption of ldap or AD, besides also providing the ability to derive login grants from multiple identity providers to one source, in my case headscale. have skipped the part where i connect my google account, because its already implemented in the adroid client, so i know it works, but it strongly seems to me that headscale does not care about multiple origins providing oidc scopes (address, email, phone, profile, ...) it accepts the 4 default values defined in config.yml. keyclaok should be able to do the federation. if headscale is able to provide autogroup:shared and autogroup:member by definition of a member domain list for use with full [email protected] list we approach feature parity with tailscale ACLs by having a more powerful (less text) definition of access rules. headscale already provides a great feature set for identity aware distributed firewalling towards zero trust by deriving its namespaces from oidc. distinguishing the domains in the namespaces by shared/member list is a premium feature and it should be fairly easy. please consider. |
I guess that we have different views on federation. For me it means merging 2 different instances of headscale. I have this definition because currently an headscale network is the equivalent of a tailnet. You cannot have 2 different sets of ACL's on a single headscale instance. Although I'm not ok with the definition of the federation and do not fully understand what you mean because I don't know keycloak (and oidc) well, I can see something interesting. If I understand what you mean (@mirkosemler) the Improving on this we could also use the OIDC groups to be mapped in the ACL's in order to reduce the “text definition” and have dynamic configuration base on the authentication provider. This is something that I would like very much, it's quite painful to edit the ACL's each time we want to add (or remove) someone to a team. |
currently, we cloud not use api to update acl rules online, so i thought |
What I'm looking for is "src: group:devs; dst: autogroup:self", where in this case "autogroup:self" means "the same user (used to be namespace) as the src". Meaning: Users in group "devs" are connecting to their own boxes. IOW, If have have alice, bob, and charlie in devs, the rule would match src=alice;dst=alice, src=bob;dst=bob, etc... |
TL;DR: I propose a definition of "autogroup:self" and ask for review of proposed solution. @kradalby and @juanfont are likely reviewers. I've taken a look at the code, and I think it's becoming a little clearer for me. Aside: After some research I believe that "autogroup:members" is the equivalent of a group with all users in it, but with all tagged nodes removed. I'm not dealing with that here however. BUT, I do believe it means that headscale needs to not consider tagged nodes a member of any group. I believe headscale does this as well. First, we need to define what "autogroup:self:ports" means in the dst. I'm going to propose, after a shockingly large amount of time thinking it over, that it follows these rules:
Yes, this could lead to some nonsensical rules, in particular if a host is listed in the source. Note: It doesn't look like subnets can be listed in the source. That seems reasonable. A reasonable question is: Does this match tailscale's definition? I have no idea, I can't find it well documented. Do we have to match their implementation? Not necessarily. It's hard to match it when I can't find it documented. We could take a stab at it and fix it when discrepancies are found, though that would break some users. We could call it something else ("autogroup:reflect"? "autogroup:reverseuno"?). The only examples I've seen are of it being used with "autogroup:members", so I have no idea if it's usable with anything else. I believe, to implement "autogroup:self", this is what needs to happen:
To clarify:
|
autogroup:internet will be good to have. I don't see a way to "deny" traffic. Tried both action "action": "reject" and "action": "deny" but syntax does not support it. The problem this creates is similar to use case described here: I want to give access to exit nodes for internet to some users without exposing internal IPs. In regular firewall I will do something like: rule1: deny traffic to RFC1918 private IPs for tag: family but since rule1 is not possible, I am using following as workaround:
The list of IPs is certainly long and ugly. Plus don't see it supporting IPv6 in this syntax. |
@anuragbhatia Thank you for that! Your dest has "64.0.0.0/2:*" which includes 100.64.X.X. This gave access to all my nodes as I kept the default range (100.64.0.0). I changed mine to exclude this range and that fixed the problem.
I used the following commands to exclude some popular internal ranges.
|
Amazing. GOAT status for both of you. |
Hey, thanks for the effort! As I am understanding their output can be used in place of How to I instruct |
Ah, I understood the structure of the command. Here an explanation for all those that come after me: Starting with From 223.255.255.255 forward all IPs are reserved. |
This issue is stale because it has been open for 90 days with no activity. |
how's this coming? |
Additionally to the The current workaround to specify the accepted user names manually. |
Updates juanfont#657 Updates juanfont#1786 Signed-off-by: Kristoffer Dalby <[email protected]>
Any plans to have Edit: Here the source of the snipped I've provided: https://tailscale.com/kb/1192/acl-samples#starter-plan-acl |
jst fyi, autogroup:nonroot is still not supported in 0.23.0-beta1 |
I added acl autogroup self and autogroup member into headscale. main...vinhjaxt:headscale:main My manual test just works |
@vinhjaxt could you submit a PR for it please? 🙏 |
@vinhjaxt would you please submit a PR to the upstream repo with the patch you mentioned? I bet many of us would benefit from it without a need to build a custom image ourselves :-) |
While I have not looked too closely at @vinhjaxt code, we are positive to accepting it, but it will require rigorous testing. |
Bug description
The 2 recent beta releases for 0.16.0 reference the tailscale ACL documentation here, however headscale doesn't support the autogroup:members and autogroup:self functionality referenced there. I would guess it additionally doesn't support the autogroup:internet or autogroup:shared functionality, but I havent tested those
To Reproduce
Attempt to use similar rules to those in the example policy file in the tailscale's ACL documentation or use the recommended initial ACL from tailscale's ACL samples
Observe that headscale constantly logs:
WRN No IPs found with the alias autogroup:members
WRN No IPs found with the alias autogroup:self
And also that with the recommended initial ACL, no devices can see or access each other
Context info
The text was updated successfully, but these errors were encountered: