-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: implements apis for managing headscale policy #1792
Conversation
4331948
to
a536ecb
Compare
a536ecb
to
0b3660c
Compare
I might have some free time this evening to do a review |
I've attached a screen recording to the PR in case someone wishes to see how the APIs work. |
0b3660c
to
6099d3b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall it looks good - I've left some inline comments. One open question is whether to support reading the current ACL via the new APIs/CLI commands even if the policy is backed by a file (for convenience)?
Enabled it. 👍🏼 Now it will work for both modes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this looks reasonable, some comments and questions and to larger things:
I am tempted to use this opportunity to change the general phrasing from ACL to Policy through out the code, particularly since we are changing the config, adding commands etc.
I think the base format for the policy should be HuJSON, it is a bit more flexible format that allows preserving comments. This probably means using string/byte for the database and not the JSON type, but we dont really use it (or will use SQL to look up in the JSON) so that should not be a problem.
As part of this, I am willing to discuss dropping the YAML support to just streamline what we support.
Thanks for the review. This sounds like a good idea. I wrote this implementation to quickly demonstrate the APIs and commands that we can use as a reference to discuss the feature further. Keeping the base format as I am also okay with keeping the default mode as Let me update this PR with the suggestions and put it our for a second round of review. |
Hi @pallabpain. Have you had a chance to update the PR yet? |
I haven't had the chance to update the PR, yet. I have some untested changes locally that I should be able to work on this weekend. I may change the request-response structure based on the newer comments. |
Maybe, we should create 2 new tables to store groups and tags. And sometimes, we just want to update groups or tags. So I'm thinking about how to update ACL groups automatically, e.g. AD/LDAP or extract from OIDC (OIDC may be a problem because it can only get groups when users authenticate) |
@pallabpain there has been quite some changes, do you think that you might have time to pick this up again? |
Sure. I'll review the recent changes and update the pull request. I'll try and get a working version ready soon. |
Hi, all this pull request is still active? I ask because I plan to create ui editor in package https://github.com/tale/headplane for update acl, and that api endpoint will be great opportunity. |
As someone who develops a web UI for Headscale I don't think that the default should be db mode, atleast not yet. I don't understand the security standpoint here, if someone is able to get into a machine where the policy file is stored they can view your config which will contain much more sensitive information (ie. database credentials, secret keys, OIDC credentials, etc). On the web UI end, I'd expect API requests to the ACL endpoints to just return status 403 or something if file mode is enabled. It's very easy to handle the status code and inform users on a web UI that they need to change their config. |
Sounds like a good idea to implement. However, if we get and set the entire policy file contents, it keeps things simple instead of exposing APIs to do specific things on the policy. This shall also keep |
I would prefer keeping it simple and doing the whole thing now. Further extensions can be discussed later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is more or less there, a couple of small things.
I would also like to see a CLI integration test to validate the roundtrip:
- Load new ACL
- Read it out and compare
- Check that changes have a applied (if possible since we dont have hotreloading)
Thanks for the review. I'll implement the suggestions and write the tests. |
Great, I think it would be great to try to get this into 0.23.0, I am looking to release a beta soonish so let me know if looking at this work before that is feasible, if not, there is no problem pushing it for later. |
4fa6322
to
f4758c9
Compare
@kradalby I've addressed the comments. I should be able to write the tests this week. But when is v0.23.0 planned for? Is there a due date or a cut-off date that you're looking at? Please take a look at this comment as well: #1792 (comment) |
Sounds good, no hard cutoff, I'm on holiday for two weeks, so staying a bit offline, if you make the test I'll pop in and review and we can do an alpha. |
I'm back, and I would love to cut a beta this week, do you think it would be feasible to push some tests before midweek~ so we have time for a review cycle? I'll do a re-review of the code now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some small nits regarding giving users good feedback of the changes.
4bd34d9
to
3cb05c5
Compare
No problem, I'm available to take a stab at the integration tests now if you have not started. Maybe I could get it in shape to merge today. |
@pallabpain I ended up working on another bug today, let me know if you will not have time to look at the integration tests and I'll have a look next week. |
I managed to find some time to look into the integration tests, tonight. While I understood how I'd go about implementing the tests, I may have to spend some time to figure out the right way to configure the headscale instance with the right policy mode. 😅 |
Sounds good, have a look at the hsic.With options, there you can configure things, use environment variables instead of file. |
@kradalby I have implemented a simple test that sets a policy, reads it back and then verifies the content. I had to expose Please take a look. |
I think that looks great, what would be great is a test in the ACLs that do something like:
I can have a look at that tomorrow if you do not have time to take a stab at it, let me know. |
28f2b1d
to
edd36f3
Compare
I've added the test as described, but I found a bug I dont know if is new or old, when a new policy is set, the nodes reload, but one of the nodes gets a packet filter that is wide open ":", the node belonging to user1, which should get an empty filter. I will continue investigating. |
Ok, I found the bug, it likely hasnt been discovered since most people never reloaded ACLs without restarting the server. If you set the packetfilter in tailcfg to an empty slice, it will marshall to I wonder if there is a way to get around this without copy and maintain a copy of the whole tailcfg 🤔 . |
Thanks for adding the tests and resolving the issue. I can clean up the commits once the tests pass. |
Thank you, I think the last commit should resolve it, not sure why, but we can leave it for now. |
Sounds good. ✅ Let me clean up the commits, then. |
This commit start using PacketFilters for newer nodes and adds a hack to prevent nodes receiving an empty packet filter to ignore it. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit introduces APIs for managing the headscale policy. Until now, the support was limited to file based policy and users could only update the file and reload headscale in order to apply the changes in the policy. With the new APIs, the users of headscale and now manage the policy programatically and will not require to restart headscale. The commit also implements the CLI commands to get and set the policy. BREAKING CHANGE: headscale no longer supports YAML policy files and the only supported format is HuJSON.
4f69b1a
to
f79a2f3
Compare
@kradalby I have cleaned up the commits. Should be good to merge now. Please take a look. 🙇🏼 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!, lots of work, but we got there, I think a lot of people will appreciate this feature!
Description
Headscale currently lacks APIs for managing ACLs.
The only way to manage ACLs is by loading them
from a file, and any changes to the policy
require reloading the Headscale process. This
limitation makes it difficult to integrate
Headscale with other systems via APIs, as
there is no ACL management available.
This commit introduces two APIs allowing you to set the policy.
APIs
Set ACL Policy
Payload (Not JSON, so convert to string before invoking the API.)
Get ACL Policy
Response
CLI
Resolves