ACLs don't properly handle users

Open 6ixfalls opened this issue 1 year ago • 10 comments

Bug description

While trying to use ACLs to separate users, clients, and servers, ACLs sometimes don't apply at all, even though the syntax is right, when a username is used in the dst field of the ACL. A "fix" I found was to create a group for every single user, which obviously isn't ideal, but it fixes the issue of the permission not applying at all.

Environment

  • OS: Linux - Docker container
  • Headscale version: v0.22.3
  • Tailscale version: Mixed - 1.36.2, 1.42.0
  • [x] Headscale is behind a (reverse) proxy
  • [x] Headscale runs in a container (I doubt this applies; I'm able to reproduce this by spinning up a new instance.)

To Reproduce

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}

user1 can see & connect to all of user1's devices, while user2 has no devices to connect to, although it has numerous Tailscale clients. To "fix", simply add a group that only contains that user, and use it in place of user2. Ex:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["group:user2"], "dst": ["group:user2:*"] }
  ],
  "groups": {
    "group:user2": [
      "user2"
    ]
  }
}

The first rule seems to work fine no matter what. (self to self)

6ixfalls avatar May 26 '23 04:05 6ixfalls

I don't know if this is relevant, but I'm having a similar problem. User1 nodes can't access User2's nodes when using groups and tags. Here's my ACL, which I thought would work (I also verified the tags on the nodes):

{
  "groups": {
    "group:admin": ["user1"],
    "group:user2": ["user2"]
  },
  "tagOwners": {
    "tag:user2": ["group:admin"],
    "tag:user1": ["group:admin"]
  },
  "acls": [
    { "action": "accept", "src": ["group:admin"], "dst": ["tag:user1:*"] },
    { "action": "accept", "src": ["group:admin", "group:user2"], "dst": ["tag:user2:*"] }
  ]
}

coolrazor007 avatar Jun 28 '23 19:06 coolrazor007

Testing the following ACL with headscale v0.22.3 and tailscale v1.46.0 (Linux), it seems to work:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}
  • user1 can see all user1 machines
  • user2 can see all user2 machines
  • user1 cannot see user2 machines

cristihcd avatar Jul 26 '23 15:07 cristihcd

Testing the following ACL with headscale v0.22.3 and tailscale v1.46.0 (Linux), it seems to work:

{
  "acls": [
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }
  ]
}
  • user1 can see all user1 machines
  • user2 can see all user2 machines
  • user1 cannot see user2 machines

But try adding a tag on a user; then it won't work.

leeaash avatar Aug 04 '23 03:08 leeaash
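The behaviour reported in the issue and in leeaash's comment above (a user alias such as `user2:*` stops matching once nodes carry tags) can be checked offline with a small model of how the src/dst aliases resolve to nodes. The following is an added example and not headscale's own code: it assumes one rule, that a node carrying a tag is matched only by its tag and never by its owning user, and the node inventory, node names and the `tag:user2` policy are constructed for the example. It does not model why the `group:user2` wrapper in the original post behaves differently; the thread leaves that unexplained.

```python
# Offline model of headscale-style ACL alias resolution (added example, not
# headscale's code). Policy shape follows the thread: "groups", "tagOwners" and
# "acls" with src/dst aliases. Modelled assumption: a node that carries a tag is
# matched by its tag only, never by its user. Inventory below is constructed.
from typing import Dict, Set, Tuple

# Constructed inventory: node name -> owning user and tags
NODES: Dict[str, dict] = {
    "u1-laptop":  {"user": "user1", "tags": []},
    "u1-desktop": {"user": "user1", "tags": []},
    "u2-laptop":  {"user": "user2", "tags": []},
    "u2-server":  {"user": "user2", "tags": ["tag:user2"]},  # tagged node
}

# Policy from the original post: one self-to-self rule per user.
USER_POLICY = {
    "acls": [
        {"action": "accept", "src": ["user1"], "dst": ["user1:*"]},
        {"action": "accept", "src": ["user2"], "dst": ["user2:*"]},
    ]
}

# Constructed variant: tagged nodes are addressed by their tag, with an owner.
TAG_POLICY = {
    "tagOwners": {"tag:user2": ["user2"]},
    "acls": [
        {"action": "accept", "src": ["user1"], "dst": ["user1:*"]},
        {"action": "accept", "src": ["user2"], "dst": ["user2:*"]},
        {"action": "accept", "src": ["user2", "tag:user2"], "dst": ["tag:user2:*"]},
    ],
}


def expand(alias: str, policy: dict, nodes: Dict[str, dict] = NODES) -> Set[str]:
    """Resolve a host alias (user, group:, tag:, *) to the nodes it covers."""
    if alias == "*":
        return set(nodes)
    if alias.startswith("group:"):
        out: Set[str] = set()
        for member in policy.get("groups", {}).get(alias, []):
            out |= expand(member, policy, nodes)
        return out
    if alias.startswith("tag:"):
        return {n for n, v in nodes.items() if alias in v["tags"]}
    # Plain user alias: assumption under test, tagged nodes are excluded.
    return {n for n, v in nodes.items() if v["user"] == alias and not v["tags"]}


def split_dst(dst: str) -> Tuple[str, str]:
    """Split 'host:port' on the last colon so 'tag:user2:*' keeps its prefix."""
    host, sep, port = dst.rpartition(":")
    return (host, port) if sep else (dst, "*")


def reachable(src_node: str, policy: dict, nodes: Dict[str, dict] = NODES) -> Set[str]:
    """Nodes that src_node may connect to under the policy's accept rules."""
    allowed: Set[str] = set()
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(src_node in expand(s, policy, nodes) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _port = split_dst(dst)
            allowed |= expand(host, policy, nodes)
    return allowed


def unowned_tags(policy: dict) -> Set[str]:
    """Tags referenced in acls that have no tagOwners entry: a common policy slip."""
    used: Set[str] = set()
    for rule in policy.get("acls", []):
        for alias in rule["src"] + [split_dst(d)[0] for d in rule["dst"]]:
            if alias.startswith("tag:"):
                used.add(alias)
    return used - set(policy.get("tagOwners", {}))


if __name__ == "__main__":
    for name, policy in (("user policy", USER_POLICY), ("tag policy", TAG_POLICY)):
        print(f"== {name} (unowned tags: {sorted(unowned_tags(policy))})")
        for node in NODES:
            print(f"  {node:11} -> {sorted(reachable(node, policy))}")
```

Under the modelled rule, `u2-laptop` reaches only itself with the first policy and `u2-server` is reachable by nobody, while the tag policy restores both; the same check run against your own inventory is a quick way to see which nodes have silently fallen out of a user alias before the ACL is deployed.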

I confirm I see the same issue.

mastier avatar Sep 15 '23 20:09 mastier

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Dec 24 '23 01:12 github-actions[bot]

Still an issue, unsure if fixed in new beta

6ixfalls avatar Dec 24 '23 02:12 6ixfalls

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Mar 25 '24 01:03 github-actions[bot]

Still an issue, unsure if fixed in new beta

6ixfalls avatar Mar 25 '24 01:03 6ixfalls

tested beta9, tags broken

Snuupy avatar Apr 22 '24 10:04 Snuupy

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Jul 22 '24 01:07 github-actions[bot]