"no associated IPs for user"

Tailscale version: 1.14.0
Operating system & version : Ubuntu 2010

I’m evaluating Tailscale for an IT company; however, I’m having some trouble getting basic things to work. Currently I’m running into a problem where I can’t even set the ACLs I want. I’ve added the ACL config I’m trying to use as well as the commands I’m using to register different machines. The issue is that the Tests fail with this error. In my setup I have two machines (VMs) “A” and “B”. I want to SSH from “A” to “B”. But I get an error when I try to save this config.

Error: test(s) failed
test(s) failed for user: hazmat@company.io

    no associated IPs for user (check spelling, or they may not have an approved machine)

I cannot tell if this is a problem with the config, a problem with the account type we’re using (we are on the free plan for now), or maybe an issue with how I attached the nodes.

{
  "Groups": {
    "group:labs-admin": ["hazmat@company.io"],
    "group:labs-proj-123": ["hazmat@company.io", "other@company.io"]
  },
  "ACLs": [
    { "Action": "accept", "Users": ["group:labs-admin"], "Ports": ["tag:labs:*"] },
    { "Action": "accept", "Users": ["group:labs-proj-123"], "Ports": ["tag:labs-proj-123:22,80,443"] }
  ],
  "TagOwners": {
    "tag:labs": ["group:labs-admin"],
    "tag:labs-proj-123": ["group:labs-admin"]
  },
  "Tests": [
    {
      "User": "hazmat@company.io",
      "Allow": ["tag:labs-proj-123:22"],
    }
  ]
}

Machine “a” is registered with…

tailscale up --advertise-tags=tag:labs --operator hazmat --shields-up

Machine “b”, the one I want to reach over SSH (port 22), is…

tailscale up --advertise-tags=tag:labs,tag:labs-proj-123

This generally means that user hazmat has no devices associated with their account, so the ACL test can’t run an actual test. If all of the machines have been associated with Tags, then they are no longer associated with the user that created them.

If user hazmat logs in on another machine, not associated with a tag, the test should be able to run.

There is only one user (myself, e.g. hazmat) and I am the “Machine Owner” of every connected machine. Also, looking up the “ACLs / Preview Rules” tab for my user shows the text:

Cannot preview ACL rules for hazmat@company.io because they have no machines running Tailscale.

I think this feels like a bug?

If you send the Tailscale IP address or account name to support@tailscale.com, we can look into what is happening.

Following up: I think this is similar to another case reported, where all devices for a particular user had tags applied. Tags mean that the access is controlled by the tag, not the user who created the device, and so the ACL Test didn’t have any IPs associated with just the User in order to run the test.
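
The situation described in this thread, as an added example that is not part of any post and is not Tailscale's code: a local pre-flight check that flags `Tests` users who have no untagged device left, which is the condition the replies give for "no associated IPs for user". The inventory, its field names (`created_by`, `tags`, `ip`) and the IP addresses are constructed for illustration.

```python
# Added example: a local pre-flight check, not Tailscale's implementation.
# Assumption taken from the replies above: a device that carries tags is
# identified by its tags and no longer counts as one of its creator's devices.

# The "Tests" section of the policy from the question.
POLICY = {
    "Tests": [{"User": "hazmat@company.io", "Allow": ["tag:labs-proj-123:22"]}],
}

# Constructed inventory (field names and IPs are made up for this example).
DEVICES = [
    {"name": "a", "created_by": "hazmat@company.io",
     "tags": ["tag:labs"], "ip": "100.64.0.1"},
    {"name": "b", "created_by": "hazmat@company.io",
     "tags": ["tag:labs", "tag:labs-proj-123"], "ip": "100.64.0.2"},
]


def user_ips(user, devices):
    """IPs that still resolve to `user`: only that user's untagged devices."""
    return [d["ip"] for d in devices
            if d["created_by"] == user and not d["tags"]]


def unresolvable_test_users(policy, devices):
    """Map each Tests user with no IPs to the tagged devices they created."""
    problems = {}
    for test in policy.get("Tests", []):
        user = test["User"]
        if not user_ips(user, devices):
            problems[user] = [d["name"] for d in devices
                              if d["created_by"] == user and d["tags"]]
    return problems


if __name__ == "__main__":
    for user, tagged in unresolvable_test_users(POLICY, DEVICES).items():
        print(f"{user}: no user-owned IPs; tagged devices: {tagged}")
    # One untagged device for the same user gives the test a source IP.
    laptop = {"name": "laptop", "created_by": "hazmat@company.io",
              "tags": [], "ip": "100.64.0.3"}
    print(unresolvable_test_users(POLICY, DEVICES + [laptop]))
```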