ACL for Tag Owners

I’ve got an odd configuration problem that suddenly (?) started happening.

I have some ACLs configured like this:

{
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:home"],
			"dst":    ["tag:full:*", "tag:home:*", "tag:server:*", "tag:dmz:*"],
		},
...

Further down, I define a group like this:

...
	"groups": {
		"group:all_access": ["me@my_auth_provider"],
	},

	"tagOwners": {
		"tag:home":   ["group:all_access"],
		...
	},
...

I used to be able to access all machines from my laptop, but I noticed this morning that this was no longer the case, without me changing anything.

If I add the all_access group to the acls like this, I can access everything:

{
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:home", "group:all_access"],
			"dst":    ["tag:full:*", "tag:home:*", "tag:server:*", "tag:dmz:*"],
		},
...

But this has me confused:

  1. Obviously the first thing is: how / what changed? I remember a few weeks ago the Tailscale client on my machine wasn’t logged in any more, and I think it re-authed. I guess that would explain that?
  2. Does the fixed ACL above mean that any machine I add (by authenticating it with me@my_auth_provider) and don’t attach a tag to, can access any other machine by default?

The answer to 2 seems to be: yes :slight_smile:

I think what happened was that the machine I’m trying to access from got booted off somehow (expired key?), then I re-added it, and it was missing any tags at all, which meant it had no access to anything.

So instead of my above solution of adding the tag owner everywhere, I’ve just tagged this machine appropriately (with tag:full), and it’s all working as before again … I think :stuck_out_tongue:

Possibly the point you’re missing is that being a tag owner doesn’t mean that tag’s ACL applies to you - it means you can add nodes (machines) to that tag. Only once the node is tagged does the ACL apply (in your ‘before’ situation).
Q1: I’d say your laptop was tagged ‘home’ previously and now isn’t. If not, there’s something you’ve not mentioned that’s affecting it. You added the group to the ACL, and now the nodes you’ve authenticated can access the tags listed as dst.

Q2: Yes, but isn’t that what you want?
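The distinction made in this reply (tag owners decide who may apply a tag; ACL rules match on what a node presents, which is its tags if it has any and its authenticating user otherwise) can be checked with a small evaluator. The following is an added illustration, not code from the thread or from Tailscale; the policy dicts, node records and matching rules are constructed to mirror the behaviour described above and are a simplification of the real engine (no port ranges, autogroups or host aliases).

```python
from typing import Dict, List, Set

# Constructed policies mirroring the thread: the original ("before") rule
# only admits nodes carrying tag:home; the edited ("after") rule also
# admits any untagged node authenticated by a member of group:all_access.
GROUPS = {"group:all_access": ["me@my_auth_provider"]}
TAG_OWNERS = {"tag:home": ["group:all_access"], "tag:full": ["group:all_access"]}
DSTS = ["tag:full:*", "tag:home:*", "tag:server:*", "tag:dmz:*"]

POLICY_BEFORE = {
    "acls": [{"action": "accept", "src": ["tag:home"], "dst": DSTS}],
    "groups": GROUPS,
    "tagOwners": TAG_OWNERS,
}
POLICY_AFTER = {
    "acls": [{"action": "accept", "src": ["tag:home", "group:all_access"], "dst": DSTS}],
    "groups": GROUPS,
    "tagOwners": TAG_OWNERS,
}

# Constructed nodes: the same laptop before and after re-authenticating
# without tags, plus a tagged server it is trying to reach.
LAPTOP_TAGGED = {"name": "laptop", "owner": "me@my_auth_provider", "tags": ["tag:home"]}
LAPTOP_UNTAGGED = {"name": "laptop", "owner": "me@my_auth_provider", "tags": []}
SERVER = {"name": "srv1", "owner": None, "tags": ["tag:server"]}


def expand_principal(entry: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Expand a group reference to its member logins; tags and logins map to themselves."""
    if entry.startswith("group:"):
        return set(groups.get(entry, []))
    return {entry}


def node_principals(node: dict) -> Set[str]:
    """Identities a node presents to the rule matcher (assumption mirroring the thread):
    a tagged node is identified only by its tags, an untagged node only by its owner."""
    if node["tags"]:
        return set(node["tags"])
    return {node["owner"]} if node["owner"] else set()


def dst_matches(dst: str, node: dict, port: int) -> bool:
    """Match a 'host:port' dst entry; host may be a tag or '*', port a number or '*'."""
    host, _, portspec = dst.rpartition(":")
    if portspec != "*" and int(portspec) != port:
        return False
    return host == "*" or host in node_principals(node)


def is_allowed(policy: dict, src: dict, dst: dict, port: int) -> bool:
    """True if some accept rule matches src's principals and dst's host:port."""
    groups = policy.get("groups", {})
    src_ids = node_principals(src)
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        rule_srcs: Set[str] = set()
        for entry in rule["src"]:
            rule_srcs |= expand_principal(entry, groups)
        if not (src_ids & rule_srcs):
            continue
        if any(dst_matches(d, dst, port) for d in rule["dst"]):
            return True
    return False


def can_apply_tag(policy: dict, user: str, tag: str) -> bool:
    """tagOwners answers a different question: may this user put the tag on a node?"""
    groups = policy.get("groups", {})
    owners: Set[str] = set()
    for entry in policy.get("tagOwners", {}).get(tag, []):
        owners |= expand_principal(entry, groups)
    return user in owners


if __name__ == "__main__":
    for label, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        for node in (LAPTOP_TAGGED, LAPTOP_UNTAGGED):
            print(label, node["tags"] or "untagged", "->", SERVER["name"],
                  is_allowed(pol, node, SERVER, 22))
    print("me may tag tag:home:", can_apply_tag(POLICY_BEFORE, "me@my_auth_provider", "tag:home"))
```

Running it shows the two outcomes the thread describes: under the original rule the laptop reaches the server only while it carries tag:home, and the owner of tag:home has no access by virtue of ownership alone; the edited rule admits every untagged node that user authenticates, which is why re-tagging the one machine is the narrower fix.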

This is what I think happened, yup, thanks :slight_smile:

I’ve undone my changes and tagged my main machine with full, which means it can access everything now, as before.

I’m not sure why my machine got unauthed, but think it was down to key expiry? I’ve disabled expiry on all machines now, but are there any serious security implications to that? I understand it’s best practice to rotate secrets often, but is it that much of a security risk really? i.e. If someone was in a position to gain access to any of the keys over a long period, doesn’t that imply a more serious security issue in the first place?