[Solved] Group to Relay tags

lucazz · April 15, 2022, 5:04pm

Hello there everyone,

I have a set of relay nodes that I’ve deployed with two tags:

The actual relay id
engineering

I’ve also created a user group called engineering and added a few users to it.

I’m trying to write an ACL that would allow all users from that engineering group to access all routes published by nodes with the engineering tag.

Here’s what I’ve tried so far:

 {
  "groups": {
    "group:sre": [ 
      "me@example.com",
      "someoneelse@example.com"
    ],
    "group:engineering": [ 
      "foo@example.com",
      "bar@example.com",
    ],
  },
  "acls": [
    { 
      "action": "accept", 
      "src": ["group:engineering"], 
      "dst": [
        "tag:engineering:*"
      ] 
    },
    { 
      "action": "accept", 
      "src": ["group:sre"], 
      "dst": [
        "*:*",
      ] 
    },
  ],
  "tagOwners": {
    "tag:dev": ["group:sre"],
    "tag:qa": ["group:sre"],
    "tag:prod": ["group:sre"],
    "tag:engineering": ["group:engineering"]
  }
}

Users on the sre group are able to access all the routes, as shown in the ACL, but users on the engineering group, can’t access nodes tagged with engineering.

What am I missing here?

DGentry · April 15, 2022, 5:18pm

The devices tagged engineering are subnet routers? You have to allow access to the subnets:

  "acls": [
    { 
      "action": "accept", 
      "src": ["group:engineering"], 
      "dst": [
        "tag:engineering:*", "10.1.0.0/16:*"
      ] 
    },

(or whatever subnet is being advertised).

SRE can access the subnets because *:* expands to all IP addresses.

lucazz · April 15, 2022, 5:20pm

Ohhh, I see.

Let me try that, then
So in theory I don’t need to tag hosts w/ engineering at all to give other groups access to the subnets they’re publishing routes for, right?

DGentry · April 15, 2022, 5:33pm

You don’t need to tag the subnet routers in order to allow access to the subnets.

You may find it advantageous to tag the subnet routers for other reasons:

the subnet router itself won’t automatically get the access of the User who created it (who is likely an administrator with access to nearly everything)
the subnet router won’t be deleted if the human who set it up leaves

lucazz · April 15, 2022, 5:45pm

Got it, thank you for the prompt response and super valuable input!

cheers,

Topic		Replies	Views
Help with ACLs and Subnet Routers ACL (Access Control Lists)	1	976	December 16, 2022
Setting ACL rules on Exit Nodes ACL (Access Control Lists)	5	3118	September 22, 2021
AND and OR in ACLs ACL (Access Control Lists)	4	675	February 7, 2022
Can tags be used on hosts behind a Subnet Router?	1	967	November 24, 2021
Using ACL to separate multiple networks with same subnet advertisements ACL (Access Control Lists)	0	526	June 12, 2023

[Solved] Group to Relay tags

Related Topics