Tag Owner Not Owner of Tagged Machines

1

I have a tag:

...
	"tagOwners": {
		"tag:home":   ["xxx@github"]
        }
...

As soon as I attach this tag (home) to a machine, it disappears from the user xxx@github’s machine list.

This is reflected in the fact that the following ACL does not grant access, whilst I believe it should:

...
	"acls": [
		{
			"action": "accept",
			"src":    ["xxx@github"],
			"dst":    ["*:*"],
		},
	]
...

It only works when src is set to tag:home.

The documentation has an example which suggests this should work (I have also tried it this way, with the user in a group):

...
  "acls": [
    {
      "action": "accept",
      "src": ["tag:webserver", "group:sre"],
      "dst": ["tag:database:*"]
    }
...
2

Hmm, never mind. Looks like the only thing tagOwners is used for is the permission to tag a machine. The following seems to do what I need:

{
	"acls": [
		{
			"action": "accept",
			"src":    ["tag:home"],
			"dst":    ["*:*"],
		},
		{
			"action": "accept",
			"src":    ["tag:server"],
			"dst":    ["tag:server:*"],
		},
	],

	"groups": {
		"group:admins": ["xxx@github"],
	},

	"tagOwners": {
		"tag:home":   ["group:admins"],
		"tag:server": ["group:admins"],
	},
}

With this, machines tagged server can access each other only, and machines tagged home can access all machines.

I say “seems to do what I want” because there was a moment there where it looked like any machine on the internet could access machines tagged with server, though it was likely PEBCAK (more testing before I’m calm about this).