headscale/tests/acls/acl_policy_1.hujson


{
// Declare static groups of users beyond those in the identity service.
"groups": {
"group:example": [
"user1@example.com",
"user2@example.com",
],
"group:example2": [
"user1@example.com",
"user2@example.com",
],
},
// Declare hostname aliases to use in place of IP addresses or subnets.
"hosts": {
"example-host-1": "100.100.100.100",
"example-host-2": "100.100.101.100/24",
},
// Define who is allowed to use which tags.
"tagOwners": {
// Everyone in the montreal-admins or global-admins group is
// allowed to tag servers as montreal-webserver.
"tag:montreal-webserver": [
"group:example",
],
// Only a few admins are allowed to create API servers.
"tag:production": [
"group:example",
"president@example.com",
],
},
// Access control lists.
"acls": [
// Engineering users, plus the president, can access port 22 (ssh)
// and port 3389 (remote desktop protocol) on all servers, and all
// ports on git-server or ci-server.
{
"action": "accept",
"protocol": "tcp",
"src": [
"group:example2",
"192.168.1.0/24"
],
"dst": [
"*:22,3389",
"git-server:*",
"ci-server:*"
],
},
// Allow engineer users to access any port on a device tagged with
// tag:production.
{
"action": "accept",
"src": [
"group:example"
],
"dst": [
"tag:production:*"
],
},
// Allow servers in the my-subnet host and 192.168.1.0/24 to access hosts
// on both networks.
{
"action": "accept",
"src": [
"example-host-2",
],
"dst": [
"example-host-1:*",
"192.168.1.0/24:*"
],
},
// Allow every user of your network to access anything on the network.
// While this rule is present it matches every source and every destination,
// so the more specific ACL rules above impose no additional restriction.
// Comment out this section if you want to define specific ACL
// restrictions above.
{
"action": "accept",
"src": [
"*"
],
"dst": [
"*:*"
],
},
// All users in Montreal are allowed to access the Montreal web
// servers.
{
"action": "accept",
"src": [
"example-host-1"
],
"dst": [
"tag:montreal-webserver:80,443"
],
},
// Montreal web servers are allowed to make outgoing connections to
// the API servers, but only on HTTPS port 443.
// In contrast, this doesn't grant API servers the right to initiate
// any connections.
{
"action": "accept",
"src": [
"tag:montreal-webserver"
],
"dst": [
"tag:api-server:443"
],
},
],
// Declare tests that check the behaviour of the ACL rules above.
"tests": [
{
"src": "user1@example.com",
"accept": [
"example-host-1:22",
"example-host-2:80"
],
"deny": [
"example-host-2:100"
],
},
{
"src": "user2@example.com",
"accept": [
"100.60.3.4:22"
],
},
],
}