Update internal docs to the new syntax
parent
39f03b86c8
commit
c47354bdc3
1 changed files with 20 additions and 20 deletions
40
docs/acls.md
40
docs/acls.md
@ -33,7 +33,7 @@ Note: Namespaces will be created automatically when users authenticate with the
|
||||||
Headscale server.
|
Headscale server.
|
||||||
|
|
||||||
ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
|
ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
|
||||||
or Yaml. Check the [test ACLs](../tests/acls) for further information.
|
or YAML. Check the [test ACLs](../tests/acls) for further information.
|
||||||
|
|
||||||
When registering the servers we will need to add the flag
|
When registering the servers we will need to add the flag
|
||||||
`--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
|
`--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
|
||||||
|
@ -83,8 +83,8 @@ Here are the ACL's to implement the same permissions as above:
|
||||||
// boss have access to all servers
|
// boss have access to all servers
|
||||||
{
|
{
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"users": ["group:boss"],
|
"src": ["group:boss"],
|
||||||
"ports": [
|
"dst": [
|
||||||
"tag:prod-databases:*",
|
"tag:prod-databases:*",
|
||||||
"tag:prod-app-servers:*",
|
"tag:prod-app-servers:*",
|
||||||
"tag:internal:*",
|
"tag:internal:*",
|
||||||
|
@ -96,8 +96,8 @@ Here are the ACL's to implement the same permissions as above:
|
||||||
// admin have only access to administrative ports of the servers
|
// admin have only access to administrative ports of the servers
|
||||||
{
|
{
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"users": ["group:admin"],
|
"src": ["group:admin"],
|
||||||
"ports": [
|
"dst": [
|
||||||
"tag:prod-databases:22",
|
"tag:prod-databases:22",
|
||||||
"tag:prod-app-servers:22",
|
"tag:prod-app-servers:22",
|
||||||
"tag:internal:22",
|
"tag:internal:22",
|
||||||
|
@ -110,8 +110,8 @@ Here are the ACL's to implement the same permissions as above:
|
||||||
// they can only view the applications servers in prod and have no access to databases servers in production
|
// they can only view the applications servers in prod and have no access to databases servers in production
|
||||||
{
|
{
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"users": ["group:dev"],
|
"src": ["group:dev"],
|
||||||
"ports": [
|
"dst": [
|
||||||
"tag:dev-databases:*",
|
"tag:dev-databases:*",
|
||||||
"tag:dev-app-servers:*",
|
"tag:dev-app-servers:*",
|
||||||
"tag:prod-app-servers:80,443"
|
"tag:prod-app-servers:80,443"
|
||||||
|
@ -124,37 +124,37 @@ Here are the ACL's to implement the same permissions as above:
|
||||||
// https://github.com/juanfont/headscale/issues/502
|
// https://github.com/juanfont/headscale/issues/502
|
||||||
{
|
{
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"users": ["group:dev"],
|
"src": ["group:dev"],
|
||||||
"ports": ["10.20.0.0/16:443,5432", "router.internal:0"]
|
"dst": ["10.20.0.0/16:443,5432", "router.internal:0"]
|
||||||
},
|
},
|
||||||
|
|
||||||
// servers should be able to talk to database. Database should not be able to initiate connections to
|
// servers should be able to talk to database. Database should not be able to initiate connections to
|
||||||
// applications servers
|
// applications servers
|
||||||
{
|
{
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"users": ["tag:dev-app-servers"],
|
"src": ["tag:dev-app-servers"],
|
||||||
"ports": ["tag:dev-databases:5432"]
|
"dst": ["tag:dev-databases:5432"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"users": ["tag:prod-app-servers"],
|
"src": ["tag:prod-app-servers"],
|
||||||
"ports": ["tag:prod-databases:5432"]
|
"dst": ["tag:prod-databases:5432"]
|
||||||
},
|
},
|
||||||
|
|
||||||
// interns have access to dev-app-servers only in reading mode
|
// interns have access to dev-app-servers only in reading mode
|
||||||
{
|
{
|
||||||
"action": "accept",
|
"action": "accept",
|
||||||
"users": ["group:intern"],
|
"src": ["group:intern"],
|
||||||
"ports": ["tag:dev-app-servers:80,443"]
|
"dst": ["tag:dev-app-servers:80,443"]
|
||||||
},
|
},
|
||||||
|
|
||||||
// We still have to allow internal namespaces communications since nothing guarantees that each user have
|
// We still have to allow internal namespaces communications since nothing guarantees that each user have
|
||||||
// their own namespaces.
|
// their own namespaces.
|
||||||
{ "action": "accept", "users": ["boss"], "ports": ["boss:*"] },
|
{ "action": "accept", "src": ["boss"], "dst": ["boss:*"] },
|
||||||
{ "action": "accept", "users": ["dev1"], "ports": ["dev1:*"] },
|
{ "action": "accept", "src": ["dev1"], "dst": ["dev1:*"] },
|
||||||
{ "action": "accept", "users": ["dev2"], "ports": ["dev2:*"] },
|
{ "action": "accept", "src": ["dev2"], "dst": ["dev2:*"] },
|
||||||
{ "action": "accept", "users": ["admin1"], "ports": ["admin1:*"] },
|
{ "action": "accept", "src": ["admin1"], "dst": ["admin1:*"] },
|
||||||
{ "action": "accept", "users": ["intern1"], "ports": ["intern1:*"] }
|
{ "action": "accept", "src": ["intern1"], "dst": ["intern1:*"] }
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|