
FR: Allow AND in ACLs

Open sopeters opened this issue 3 years ago • 0 comments

What are you trying to do?

Say we have 2 environments (staging and production) and each environment contains 2 hosts (HostA and HostB). They all get deployed via pipelines, so tags are applied for function and environment. I will tag each of the hosts with the following environment tag and function/host tag:

Staging

  • Host A - tag:staging tag:HostA
  • Host B - tag:staging tag:HostB

Production

  • Host A - tag:production tag:HostA
  • Host B - tag:production tag:HostB

I now want to ensure that a user/group only has access to a specific host in one environment, e.g. HostA only in staging. Currently this is not possible, since if any ACL rule allows access to any one of the tags on a node, access will be granted.

How should we solve this?

Having ACLs where you can specify an AND rule, so that more complex access can be configured.

What is the impact of not solving this?

No response

Anything else?

I received the response to use a different host-specific tag for the hosts. This is a workaround, but it makes things more complex.

sopeters avatar Aug 04 '22 01:08 sopeters
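The matching behaviour described in the issue, as an added example that is not part of the original post and is not Tailscale's code: a simplified Python model that compares any-tag matching, the requested AND rule, and the host-specific-tag workaround. The node names, `group:dev`, the `require_all` switch and the combined tag names are assumptions, and ports are omitted from `dst`.

```python
# Simplified model of the matching behaviour described in the issue.
# Not Tailscale's implementation; node names, group:dev and the combined
# tags are constructed for illustration.

NODES = {
    "staging-a": {"tag:staging", "tag:HostA"},
    "staging-b": {"tag:staging", "tag:HostB"},
    "prod-a": {"tag:production", "tag:HostA"},
    "prod-b": {"tag:production", "tag:HostB"},
}


def reachable(rules, src, nodes, require_all=False):
    """Return the nodes `src` may reach.

    require_all=False: a node matches if it carries ANY dst tag (the
    behaviour the issue describes). require_all=True: the node must carry
    ALL dst tags of a rule (the hypothetical AND rule being requested).
    """
    allowed = set()
    for rule in rules:
        if src not in rule["src"]:
            continue
        wanted = set(rule["dst"])
        for name, tags in nodes.items():
            if (wanted <= tags) if require_all else (wanted & tags):
                allowed.add(name)
    return allowed


def over_grant(rules, src, nodes, intended):
    """Nodes reachable under any-tag matching that were not intended."""
    return reachable(rules, src, nodes) - set(intended)


RULE = [{"src": ["group:dev"], "dst": ["tag:staging", "tag:HostA"]}]

# Workaround from the issue: one host-specific tag per host and environment.
RETAGGED = {name: tags | {"tag:" + name} for name, tags in NODES.items()}
WORKAROUND = [{"src": ["group:dev"], "dst": ["tag:staging-a"]}]

if __name__ == "__main__":
    print("any-tag match:", sorted(reachable(RULE, "group:dev", NODES)))
    print("over-grant:", sorted(over_grant(RULE, "group:dev", NODES, {"staging-a"})))
    print("AND (requested):", sorted(reachable(RULE, "group:dev", NODES, True)))
    print("workaround:", sorted(reachable(WORKAROUND, "group:dev", RETAGGED)))
```

Running `over_grant` against an intended target set is a quick way to review a tag-based policy for hosts that become reachable through a shared environment or function tag.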

related: https://github.com/tailscale/tailscale/issues/5108

DentonGentry avatar Aug 28 '22 05:08 DentonGentry