[Solved] Group to Relay tags

Hello there everyone,

I have a set of relay nodes that I’ve deployed with two tags:

  • The actual relay id
  • engineering

I’ve also created a user group called engineering and added a few users to it.

I’m trying to write an ACL that would allow all users from that engineering group to access all routes published by nodes with the engineering tag.

Here’s what I’ve tried so far:

 {
  "groups": {
    "group:sre": [ 
      "me@example.com",
      "someoneelse@example.com"
    ],
    "group:engineering": [ 
      "foo@example.com",
      "bar@example.com",
    ],
  },
  "acls": [
    { 
      "action": "accept", 
      "src": ["group:engineering"], 
      "dst": [
        "tag:engineering:*"
      ] 
    },
    { 
      "action": "accept", 
      "src": ["group:sre"], 
      "dst": [
        "*:*",
      ] 
    },
  ],
  "tagOwners": {
    "tag:dev": ["group:sre"],
    "tag:qa": ["group:sre"],
    "tag:prod": ["group:sre"],
    "tag:engineering": ["group:engineering"]
  }
}

Users on the sre group are able to access all the routes, as shown in the ACL, but users on the engineering group, can’t access nodes tagged with engineering.

What am I missing here? :thinking:

The devices tagged engineering are subnet routers? You have to allow access to the subnets:

  "acls": [
    { 
      "action": "accept", 
      "src": ["group:engineering"], 
      "dst": [
        "tag:engineering:*", "10.1.0.0/16:*"
      ] 
    },

(or whatever subnet is being advertised).

SRE can access the subnets because *:* expands to all IP addresses.

1 Like

Ohhh, I see.

Let me try that, then
So in theory I don’t need to tag hosts w/ engineering at all to give other groups access to the subnets they’re publishing routes for, right?

You don’t need to tag the subnet routers in order to allow access to the subnets.

You may find it advantageous to tag the subnet routers for other reasons:

  • the subnet router itself won’t automatically get the access of the User who created it (who is likely an administrator with access to nearly everything)
  • the subnet router won’t be deleted if the human who set it up leaves
1 Like