Can't ACL—nothing matches my user except wildcard

Hi there, new user, so I’m probably just making an obvious error.

I’m trying to write ACLs, but I can’t figure out how to get my username to match in the src field.

None of these are working:

{
  // https://tailscale.com/kb/1018/acls/#groups
  "groups": [
    {"group:bennett": ["bennettp123@github"]},
  ],

  // https://tailscale.com/kb/1068/acl-tags/
  "tagOwners": {
    "tag:server": ["group:bennett"],
  },
  
  "acls": [
    //https://tailscale.com/kb/1018/acls/#users
    { "src": ["bennettp123@github"], "dst": ["tag:webserver:443,80"], "proto": "tcp", "action": "accept" },

    // https://tailscale.com/kb/1192/acl-samples/#remote-access-to-corp-devices-recommended-initial-acl
    { "src": ["autogroup:members"], "dst": ["tag:webserver:443,80"], "proto": "tcp", "action": "accept" },

    // https://tailscale.com/kb/1192/acl-samples/#remote-access-to-production-environment
    { "src": ["group:bennett"], "dst": ["tag:webserver:443,80"], "proto": "tcp", "action": "accept" },

    // https://tailscale.com/kb/1192/acl-samples/#allow-all-default-acl
    { "src": ["*"], "dst": ["tag:webserver:443,80"], "proto": "tcp", "action": "accept" },
  ]
}

The last one (default acl) actually shows up in preview rules—none of the others show up. However, when I run tailscale status, it doesn’t list anything tagged “webserver”.

Usually when I’m struggling to get something to work, it helps to write tests. The test below returns an error:

{
  "tests": [{
    "src": "bennettp123@github",
    "accept": [
      "webserver:80",
      "webserver:443",
    ],
  }],
}
Error: test(s) failed
test(s) failed for user: bennettp123@github
[acl test error]: user is invalid

The “user is invalid” error is what makes me think it’s a problem with the user, and not the ACLs themselves.

Any idea what I’m doing wrong?

On closer inspection, none of my nodes were able to see each other in tailscale status.

I fixed it by reverting to the default allow-all acl—and then completely uninstalling and reinstalling all nodes.

Can anyone see what might be so broken about this policy?

// This tailnet's ACLs are maintained in https://github.com/synopses/gitops-tailscale

{
  // Declare static groups of users beyond those in the identity service.
  "groups": {
    // this doesn't work
    "group:bennett": ["bennettp123@github"],
  },

  // Declare convenient hostname aliases to use in place of IP addresses.
  //"hosts": {
  //  "example-host-1": "100.100.100.100",
  //},

  // ACL definitions
  "tagOwners": {
    "tag:server":    ["group:bennett"],
    "tag:dnsserver": ["group:bennett"],
    "tag:webserver": ["group:bennett"],
  },

  // Access control lists.
  "acls": [
    // WORKAROUND: none of the rules below are working, so add the initial default allow here
    { "action": "accept", "src": ["*"], "dst": ["*:*"] },

    // allow DNS
    {
      "action": "accept",
      "src":    ["autogroup:members"],
      "dst":    ["tag:dnsserver:53", "192.168.5.3/32:53", "<public-ipv6-prefix>:5::3/128:53"],
      "proto":  "udp",
    },
    {
      "action": "accept",
      "src":    ["autogroup:members"],
      "dst":    ["tag:dnsserver:53", "192.168.5.3/32:53", "<public-ipv6-prefix>:5::3/128:53"],
      "proto":  "udp",
    },
    {
      "action": "accept",
      "src":    ["autogroup:members"],
      "dst":    ["tag:dnsserver:53", "192.168.5.3/32:53", "<public-ipv6-prefix>:5::3/128:53"],
      "proto":  "tcp",
    },
    {
      "action": "accept",
      "src":    ["autogroup:members"],
      "dst":    ["tag:dnsserver:53", "192.168.5.3/32:53", "<public-ipv6-prefix>:5::3/128:53"],
      "proto":  "tcp",
    },

    // allow access to web servers
    {
      "action": "accept",
      "src":    ["autogroup:members"],
      "dst":    ["tag:webserver:443,80"],
      "proto":  "tcp",
    },
    {
      "action": "accept",
      "src":    ["autogroup:members"],
      "dst":    ["tag:webserver:443,80"],
      "proto":  "tcp",
    },
    {
      "action": "accept",
      "src":    ["autogroup:members"],
      "dst":    ["tag:webserver:443,80"],
      "proto":  "udp",
    },
    {
      "action": "accept",
      "src":    ["autogroup:members"],
      "dst":    ["tag:webserver:443,80"],
      "proto":  "udp",
    },

    // allow ssh
    {
      "action": "accept",
      "src":    ["group:bennett"],
      "dst":    ["tag:server:22"],
      "proto":  "tcp",
    },
    {
      "action": "accept",
      "src":    ["group:bennett"],
      "dst":    ["tag:server:22"],
      "proto":  "udp",
    },
  ],

  // these tests are completely broken
  //"tests": [
  //  {
  //    // this doesn't work
  //    "src": "bennettp123@github",
  //    "accept": [
  //      "homebridge:443",
  //      "homebridge:80",
  //      "192.168.5.3:53",
  //      "<public-ipv6-prefix>:5::3:53",
  //    ],
  //  }
  //],

  // SSH settings
  "ssh": [
    // Allow all users to SSH into their own devices in check mode.
    // Comment this section out if you want to define specific restrictions.
    {
      "action": "check",
      "src":    ["autogroup:members"],
      "dst":    ["autogroup:self"],
      "users":  ["autogroup:nonroot", "root"],
    },
  ],
}
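An added check, not from this thread and not part of Tailscale, that a policy author can run locally before pushing a file like the one above: it parses the HuJSON (the // comments and trailing commas these files use) and flags the structural problems visible in this thread: a "groups" written as a list instead of an object, a dst tag that no tagOwners entry declares, a rule pasted twice, and an allow-all workaround rule, which makes every narrower rule below it redundant. The policy inside it is constructed for the example.

```python
import json
import re

# Constructed HuJSON policy (not the poster's exact file) reproducing the
# mistakes discussed in the thread: allow-all workaround, undeclared tag, duplicate rule.
SAMPLE_POLICY = r'''{
  // comment containing a URL: https://tailscale.com/kb/1018/acls/
  "groups":    {"group:bennett": ["bennettp123@github"]},
  "tagOwners": {"tag:server": ["group:bennett"]},
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:bennett"], "dst": ["tag:server:22"], "proto": "tcp"},
    {"action": "accept", "src": ["group:bennett"], "dst": ["tag:server:22"], "proto": "tcp"},
    {"action": "accept", "src": ["autogroup:members"], "dst": ["tag:webserver:443,80"], "proto": "tcp"},
  ],
}'''

def hujson_loads(text):
    """Parse HuJSON as used by Tailscale policies: // comments outside strings, trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str and c == "\\":                        # copy an escape pair verbatim
            out.append(text[i:i + 2]); i += 2; continue
        if c == '"':
            in_str = not in_str
        elif not in_str and text.startswith("//", i):   # comment: skip to end of line
            i = text.find("\n", i) if "\n" in text[i:] else len(text)
            continue
        out.append(c); i += 1
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", "".join(out)))

def lint_policy(text):
    """Return a list of findings (strings) describing structural problems in a policy."""
    pol, findings, seen = hujson_loads(text), [], set()
    if not isinstance(pol.get("groups", {}), dict):
        findings.append("groups must be an object of group:name -> members, not a list")
    declared = set(pol.get("tagOwners", {}))
    for rule in pol.get("acls", []):
        key = json.dumps(rule, sort_keys=True)           # canonical form to spot exact duplicates
        if key in seen:
            findings.append("duplicate rule: " + key)
        seen.add(key)
        if "*" in rule.get("src", []) and "*:*" in rule.get("dst", []):
            findings.append("allow-all rule present; every narrower rule is redundant")
        for dst in rule.get("dst", []):
            tag = ":".join(dst.split(":")[:2])          # "tag:webserver:443,80" -> "tag:webserver"
            if tag.startswith("tag:") and tag not in declared:
                findings.append(f"{tag} used in dst but not declared in tagOwners")
    return findings
```

Run `lint_policy(open("policy.hujson").read())` against your own file; an empty list means none of these four problems was found.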

Got it working. It seems adding "proto": "tcp" or "proto": "udp" causes the rules to be ignored.

Since all my rules contained "proto": "tcp" or "proto": "udp", they were all being ignored.

Huh, I haven’t yet used “proto” for my ACLs, and looking at the documentation one would think it should work, so your findings are definitely good to know and to keep an eye out for.
Thanks for sharing!

It may not matter, but in the example I found, the proto keyword goes before dst, not after.

{
  "action": "accept",
  "src": ["group:employees"],
  "proto": "tcp",
  "dst": ["tag:webapps:80"],
},