HackerTrans
TopNewTrendsCommentsPastAskShowJobs

andrew-d

no profile record

comments

andrew-d
·hace 3 meses·discuss
Hi there, I work at Tailscale.

Part of the reason that we don't (currently) let you do this is that a hostname is a user-reported field, and can change over time; it's not a durable form of identity that you can write ACLs on. One could imagine, for example:

1. Creating an ACL rule that allows hostname "webserver" to hostname "db".

2. (time passes)

3. Hostname "webserver" is deleted/changed to "web"/etc.

4. Someone can now register a user device with the system hostname set to "webserver"

Should they be allowed to inherit the pre-existing ACL rule?

However, you can accomplish something very close to what you're asking for, I think, by defining a "host" in the policy file (https://tailscale.com/docs/reference/syntax/policy-file#host...) that points to a single Tailscale IP. Since we don't allow non-admins to change their Tailscale IP, this uniquely identifies a single device even if the hostname changes, and thus you can write a policy similar to:

  "hosts": {
    "myhost": "100.64.1.2",
  },
  "grants": [
    {
      "src": ["myhost"],
      "dst": ["tag:db"],
    },
  ]
andrew-d
·hace 3 años·discuss
As of about a month ago, you can self-host your own OIDC identity provider; for example, Ory Hydra is open-source.

https://tailscale.com/blog/custom-oidc/
andrew-d
·hace 3 años·discuss
As of about a month ago, you can also sign up to Tailscale with any OIDC-compatible identity provider, so if you don't want to use Gmail or Microsoft you can self-host your own!

https://tailscale.com/blog/custom-oidc/