
FR: Make autogroup:self apply to tagged devices

Open mayakacz opened this issue 2 years ago • 3 comments

What are you trying to do?

More easily write an ACL to allow a device to talk to other devices with the same tag

How should we solve this?

Expand the use of autogroup:self to also apply to tagged devices. Note that this would be a breaking change from how autogroup:self works today.

What is the impact of not solving this?

Today, you can write an ACL that would allow this, for each tag, e.g., src:tag:talking-to-self and dst:tag:talking-to-self:*.

Anything else?

Not sure this makes sense. I could want to write an ACL that allows a user to access their own devices, and to access some servers, but not want the servers to connect to each other. So this might require additional configuration beyond just being included in autogroup:self.

See previous discussion in https://github.com/tailscale/tailscale/issues/1447

mayakacz, Mar 11 '22 16:03

I'd rather not expand the definition. I think that'd just be more confusing.

Plus I don't think we even can, as that'd retroactively permit stuff that wasn't permitted before.

If you're using tags, I think you should be explicit about what's allowed.

And "self" kinda implies a human.

bradfitz, Mar 11 '22 17:03

> I'd rather not expand the definition. I think that'd just be more confusing.

We are in agreement. Just tracking this from the other issue. Will close if no specific requests come up.

mayakacz, Mar 11 '22 18:03

Edit: Ignore below, as I was wrong about the current behavior of autogroup:self. Even though the machines can see each other, the connection is denied correctly so the ACL is working.

Hi, I am currently having the issue that autogroup:self on tagged devices actually seems to give them access to the devices of the user who generated their access keys, if they are using:

    // All employees can access their own devices
    { "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },

The suggested behavior that autogroup:self should resolve to one of their own tags seems to make a lot more sense; otherwise the server can act like a bastion server to break into someone's (whoever generated the access key) own phone or workstation, even if those personal items are not tagged and there is no rule for that tag to access those devices. See #4626.

kvanbere, May 06 '22 02:05
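The following is an added illustration, written for this page and not code from Tailscale or from any participant in the thread. It is a deliberately small model of the two points the thread makes: the issue body's observation that tagged devices need an explicit per-tag rule such as `src: tag:talking-to-self`, `dst: tag:talking-to-self:*` to reach each other, and kvanbere's corrected finding that a tagged server authenticated with a user's key is still denied by `autogroup:self`. The model assumes what the thread states: `autogroup:self` resolves to the source user's own devices, and a tagged node carries its tags rather than a user identity, so it never matches `autogroup:self` and is not in `autogroup:members`. The tailnet, node names and the hypothetical `tag:db` are constructed; port ranges, groups, hosts and the other real policy features are intentionally not modelled.

```python
"""Simplified model of the autogroup:self / tag ACL semantics discussed above.

Added example, not Tailscale's policy engine. Only "accept" rules with
selectors of the forms user, tag:x, autogroup:members, autogroup:self and
"*" are handled, and destination ports are either "*" or a single number.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    name: str
    user: Optional[str] = None          # None: tagged node, no human identity
    tags: frozenset = frozenset()


# Constructed sample tailnet (hypothetical names, not real data).
NODES = {n.name: n for n in [
    Node("alice-laptop", user="alice@example.com"),
    Node("alice-phone", user="alice@example.com"),
    Node("bob-laptop", user="bob@example.com"),
    # Assumption: alice generated the auth keys for these, but because they
    # are tagged they carry the tags, not alice's identity.
    Node("web1", tags=frozenset({"tag:talking-to-self"})),
    Node("web2", tags=frozenset({"tag:talking-to-self"})),
    Node("db1", tags=frozenset({"tag:db"})),   # hypothetical second tag
]}

POLICY = {
    "acls": [
        # All employees can access their own devices (rule from the thread)
        {"action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"]},
        # Explicit per-tag rule, the workaround the issue body describes
        {"action": "accept", "src": ["tag:talking-to-self"], "dst": ["tag:talking-to-self:*"]},
        # Employees reach the tagged servers on 443 only
        {"action": "accept", "src": ["autogroup:members"], "dst": ["tag:talking-to-self:443"]},
    ]
}


def src_matches(selector: str, src: Node) -> bool:
    """Does a source selector cover this node?"""
    if selector == "*":
        return True
    if selector == "autogroup:members":
        return src.user is not None          # tagged nodes are not members
    if selector.startswith("tag:"):
        return selector in src.tags
    return src.user == selector              # plain user login


def dst_matches(selector: str, src: Node, dst: Node, port: int) -> bool:
    """Does a 'target:port' selector cover dst, evaluated for this src?"""
    target, port_sel = selector.rsplit(":", 1)
    if port_sel != "*" and int(port_sel) != port:
        return False
    if target == "*":
        return True
    if target == "autogroup:self":
        # Resolves relative to the source user; a tagged source has none.
        return src.user is not None and src.user == dst.user
    if target.startswith("tag:"):
        return target in dst.tags
    return dst.user == target


def allowed(policy: dict, src_name: str, dst_name: str, port: int) -> bool:
    """Default deny: true only if some accept rule matches src, dst and port."""
    src, dst = NODES[src_name], NODES[dst_name]
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if any(src_matches(s, src) for s in rule["src"]) and \
                any(dst_matches(d, src, dst, port) for d in rule["dst"]):
            return True
    return False


if __name__ == "__main__":
    for s, d, p in [("alice-laptop", "alice-phone", 22), ("web1", "alice-phone", 22),
                    ("web1", "web2", 8080), ("web1", "db1", 5432),
                    ("alice-laptop", "web1", 443), ("alice-laptop", "web1", 22)]:
        print(f"{s} -> {d}:{p}: {'accept' if allowed(POLICY, s, d, p) else 'deny'}")
```

Under this model `web1 -> alice-phone` is denied even though alice's key enrolled `web1`, which is the behaviour kvanbere's edit reports; `web1 -> web2` is allowed only because of the explicit `tag:talking-to-self` rule, and `web1 -> db1` stays denied because no rule names that pair. Dropping the second rule is the quickest way to see that `autogroup:self` alone gives tagged nodes nothing.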