|
|
|
|
@ -402,20 +402,20 @@ Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
|
|
|
|
|
|
|
|
|
|
// Example/default ACLs for unrestricted connections.
|
|
|
|
|
{
|
|
|
|
|
"Tests": [],
|
|
|
|
|
"tests": [],
|
|
|
|
|
// Declare static groups of users beyond those in the identity service.
|
|
|
|
|
"Groups": {
|
|
|
|
|
"groups": {
|
|
|
|
|
"group:example": [
|
|
|
|
|
"user1@example.com",
|
|
|
|
|
"user2@example.com"
|
|
|
|
|
],
|
|
|
|
|
},
|
|
|
|
|
// Declare convenient hostname aliases to use in place of IP addresses.
|
|
|
|
|
"Hosts": {
|
|
|
|
|
"hosts": {
|
|
|
|
|
"example-host-1": "100.100.100.100",
|
|
|
|
|
},
|
|
|
|
|
// Access control lists.
|
|
|
|
|
"ACLs": [
|
|
|
|
|
"acls": [
|
|
|
|
|
// Match absolutely everything. Comment out this section if you want
|
|
|
|
|
// to define specific ACL restrictions.
|
|
|
|
|
{
|
|
|
|
|
@ -494,14 +494,14 @@ A special value `ts-default` will ensure that ACL will be set only if current AC
|
|
|
|
|
The POST body should be a JSON or [HuJSON](https://github.com/tailscale/hujson#hujson---human-json) formatted JSON object.
|
|
|
|
|
An ACL policy may contain the following top-level properties:
|
|
|
|
|
|
|
|
|
|
* `Groups` - Static groups of users which can be used for ACL rules.
|
|
|
|
|
* `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
|
|
|
|
|
* `ACLs` - Access control lists.
|
|
|
|
|
* `TagOwners` - Defines who is allowed to use which tags.
|
|
|
|
|
* `Tests` - Run on ACL updates to check correct functionality of defined ACLs.
|
|
|
|
|
* `AutoApprovers` - Defines which users can advertise routes or exit nodes without further approval.
|
|
|
|
|
* `SSH` - Configures access policy for Tailscale SSH.
|
|
|
|
|
* `NodeAttrs` - Defines which devices can use certain features.
|
|
|
|
|
* `groups` - Static groups of users which can be used for ACL rules.
|
|
|
|
|
* `hosts` - Hostname aliases to use in place of IP addresses or subnets.
|
|
|
|
|
* `acls` - Access control lists.
|
|
|
|
|
* `tagOwners` - Defines who is allowed to use which tags.
|
|
|
|
|
* `tests` - Run on ACL updates to check correct functionality of defined ACLs.
|
|
|
|
|
* `autoApprovers` - Defines which users can advertise routes or exit nodes without further approval.
|
|
|
|
|
* `ssh` - Configures access policy for Tailscale SSH.
|
|
|
|
|
* `nodeAttrs` - Defines which devices can use certain features.
|
|
|
|
|
|
|
|
|
|
See https://tailscale.com/kb/1018/acls for more information on those properties.
|
|
|
|
|
|
|
|
|
|
@ -514,22 +514,22 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
|
|
|
|
|
--data-binary '// Example/default ACLs for unrestricted connections.
|
|
|
|
|
{
|
|
|
|
|
// Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
|
|
|
|
|
"Tests": [
|
|
|
|
|
// {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
|
|
|
|
|
"tests": [
|
|
|
|
|
// {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]},
|
|
|
|
|
],
|
|
|
|
|
// Declare static groups of users beyond those in the identity service.
|
|
|
|
|
"Groups": {
|
|
|
|
|
"groups": {
|
|
|
|
|
"group:example": [ "user1@example.com", "user2@example.com" ],
|
|
|
|
|
},
|
|
|
|
|
// Declare convenient hostname aliases to use in place of IP addresses.
|
|
|
|
|
"Hosts": {
|
|
|
|
|
"hosts": {
|
|
|
|
|
"example-host-1": "100.100.100.100",
|
|
|
|
|
},
|
|
|
|
|
// Access control lists.
|
|
|
|
|
"ACLs": [
|
|
|
|
|
"acls": [
|
|
|
|
|
// Match absolutely everything. Comment out this section if you want
|
|
|
|
|
// to define specific ACL restrictions.
|
|
|
|
|
{ "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
|
|
|
|
|
{ "action": "accept", "users": ["*"], "ports": ["*:*"] },
|
|
|
|
|
]
|
|
|
|
|
}'
|
|
|
|
|
```
|
|
|
|
|
@ -539,22 +539,22 @@ Response:
|
|
|
|
|
// Example/default ACLs for unrestricted connections.
|
|
|
|
|
{
|
|
|
|
|
// Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
|
|
|
|
|
"Tests": [
|
|
|
|
|
// {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
|
|
|
|
|
"tests": [
|
|
|
|
|
// {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]},
|
|
|
|
|
],
|
|
|
|
|
// Declare static groups of users beyond those in the identity service.
|
|
|
|
|
"Groups": {
|
|
|
|
|
"groups": {
|
|
|
|
|
"group:example": [ "user1@example.com", "user2@example.com" ],
|
|
|
|
|
},
|
|
|
|
|
// Declare convenient hostname aliases to use in place of IP addresses.
|
|
|
|
|
"Hosts": {
|
|
|
|
|
"hosts": {
|
|
|
|
|
"example-host-1": "100.100.100.100",
|
|
|
|
|
},
|
|
|
|
|
// Access control lists.
|
|
|
|
|
"ACLs": [
|
|
|
|
|
"acls": [
|
|
|
|
|
// Match absolutely everything. Comment out this section if you want
|
|
|
|
|
// to define specific ACL restrictions.
|
|
|
|
|
{ "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
|
|
|
|
|
{ "action": "accept", "users": ["*"], "ports": ["*:*"] },
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
@ -597,22 +597,22 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFo
|
|
|
|
|
--data-binary '// Example/default ACLs for unrestricted connections.
|
|
|
|
|
{
|
|
|
|
|
// Declare tests to check functionality of ACL rules. User must be a valid user with registered machines.
|
|
|
|
|
"Tests": [
|
|
|
|
|
// {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]},
|
|
|
|
|
"tests": [
|
|
|
|
|
// {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]},
|
|
|
|
|
],
|
|
|
|
|
// Declare static groups of users beyond those in the identity service.
|
|
|
|
|
"Groups": {
|
|
|
|
|
"groups": {
|
|
|
|
|
"group:example": [ "user1@example.com", "user2@example.com" ],
|
|
|
|
|
},
|
|
|
|
|
// Declare convenient hostname aliases to use in place of IP addresses.
|
|
|
|
|
"Hosts": {
|
|
|
|
|
"hosts": {
|
|
|
|
|
"example-host-1": "100.100.100.100",
|
|
|
|
|
},
|
|
|
|
|
// Access control lists.
|
|
|
|
|
"ACLs": [
|
|
|
|
|
"acls": [
|
|
|
|
|
// Match absolutely everything. Comment out this section if you want
|
|
|
|
|
// to define specific ACL restrictions.
|
|
|
|
|
{ "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
|
|
|
|
|
{ "action": "accept", "users": ["*"], "ports": ["*:*"] },
|
|
|
|
|
]
|
|
|
|
|
}'
|
|
|
|
|
```
|
|
|
|
|
@ -648,7 +648,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
|
|
|
|
|
-u "tskey-yourapikey123:" \
|
|
|
|
|
--data-binary '
|
|
|
|
|
[
|
|
|
|
|
{"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]}
|
|
|
|
|
{"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]}
|
|
|
|
|
]'
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
@ -659,10 +659,10 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
|
|
|
|
|
-u "tskey-yourapikey123:" \
|
|
|
|
|
--data-binary '
|
|
|
|
|
{
|
|
|
|
|
"ACLs": [
|
|
|
|
|
{ "Action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] },
|
|
|
|
|
"acls": [
|
|
|
|
|
{ "action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] },
|
|
|
|
|
],
|
|
|
|
|
"Tests", [
|
|
|
|
|
"tests", [
|
|
|
|
|
{"src": "100.105.106.107", "allow": ["1.2.3.4:80"]}
|
|
|
|
|
],
|
|
|
|
|
}'
|
|
|
|
|
|
Anton Tolchanov
2 years ago
committed by