Rename namespace to user in docs
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
parent
bf0b85f382
commit
fb3e2dcf10
8 changed files with 29 additions and 29 deletions
|
@ -258,7 +258,7 @@ dns_config:
|
||||||
# Defines the base domain to create the hostnames for MagicDNS.
|
# Defines the base domain to create the hostnames for MagicDNS.
|
||||||
# `base_domain` must be a FQDNs, without the trailing dot.
|
# `base_domain` must be a FQDNs, without the trailing dot.
|
||||||
# The FQDN of the hosts will be
|
# The FQDN of the hosts will be
|
||||||
# `hostname.namespace.base_domain` (e.g., _myhost.mynamespace.example.com_).
|
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
|
||||||
base_domain: example.com
|
base_domain: example.com
|
||||||
|
|
||||||
# Unix socket used for the CLI to connect without authentication
|
# Unix socket used for the CLI to connect without authentication
|
||||||
|
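Review bot: the renamed comment keeps the grammar slip "must be a FQDNs" on the `base_domain` line; while touching this block, make it "must be a FQDN, without the trailing dot". Since the generated MagicDNS name is now `hostname.user.base_domain`, it would also help to state here that the user name becomes a DNS label, so user names should be kept to characters that are valid in hostnames (the OIDC comments in this same file show that a user name can be `first-name.last-name.example.com` when the e-mail domain is not stripped, which adds extra labels to every hostname).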
@ -301,9 +301,9 @@ unix_socket_permission: "0770"
|
||||||
# - alice@example.com
|
# - alice@example.com
|
||||||
#
|
#
|
||||||
# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
|
# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
|
||||||
# This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
|
# This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
|
||||||
# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
|
# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
|
||||||
# namespace: `first-name.last-name.example.com`
|
# user: `first-name.last-name.example.com`
|
||||||
#
|
#
|
||||||
# strip_email_domain: true
|
# strip_email_domain: true
|
||||||
|
|
||||||
|
|
|
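Review bot: "resulting to the following" should read "resulting in the following" in the `strip_email_domain: false` comment. More importantly, the comment describes only the transformation; it should also warn that with `strip_email_domain: true` two distinct identities that share a local part (for example `alice@example.com` and `alice@another-domain.example`) map to the same headscale user `alice`, so the default of `true` is only safe when a single e-mail domain is allowed by `allowed_domains`.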
@ -39,12 +39,12 @@ written by community members. It is _not_ verified by `headscale` developers.
|
||||||
Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
|
Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
|
||||||
|
|
||||||
For instance, instead of referring to users when defining groups you must
|
For instance, instead of referring to users when defining groups you must
|
||||||
use namespaces (which are the equivalent to user/logins in Tailscale.com).
|
use users (which are the equivalent to user/logins in Tailscale.com).
|
||||||
|
|
||||||
Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
|
Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
|
||||||
|
|
||||||
When using ACL's the Namespace borders are no longer applied. All machines
|
When using ACL's the User borders are no longer applied. All machines
|
||||||
whichever the Namespace have the ability to communicate with other hosts as
|
whichever the User have the ability to communicate with other hosts as
|
||||||
long as the ACL's permits this exchange.
|
long as the ACL's permits this exchange.
|
||||||
|
|
||||||
The [ACLs](acls.md) document should help understand a fictional case of setting
|
The [ACLs](acls.md) document should help understand a fictional case of setting
|
||||||
|
|
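Review bot: after the rename the sentence reads "instead of referring to users when defining groups you must use users (which are the equivalent to user/logins in Tailscale.com)", which contradicts itself; the distinction the paragraph explained no longer exists, so either drop the paragraph or reword it to say that headscale users map directly to Tailscale logins. The following paragraph also needs "ACL's" changed to "ACLs" and "whichever the User have" changed to something like "regardless of which user owns them, as long as the ACLs permit the exchange".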
10
docs/acls.md
|
@ -29,17 +29,17 @@ servers.
|
||||||
|
|
||||||
## ACL setup
|
## ACL setup
|
||||||
|
|
||||||
Note: Namespaces will be created automatically when users authenticate with the
|
Note: Users will be created automatically when users authenticate with the
|
||||||
Headscale server.
|
Headscale server.
|
||||||
|
|
||||||
ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
|
ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
|
||||||
or YAML. Check the [test ACLs](../tests/acls) for further information.
|
or YAML. Check the [test ACLs](../tests/acls) for further information.
|
||||||
|
|
||||||
When registering the servers we will need to add the flag
|
When registering the servers we will need to add the flag
|
||||||
`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
|
`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user that is
|
||||||
registering the server should be allowed to do it. Since anyone can add tags to
|
registering the server should be allowed to do it. Since anyone can add tags to
|
||||||
a server they can register, the check of the tags is done on headscale server
|
a server they can register, the check of the tags is done on headscale server
|
||||||
and only valid tags are applied. A tag is valid if the namespace that is
|
and only valid tags are applied. A tag is valid if the user that is
|
||||||
registering it is allowed to do it.
|
registering it is allowed to do it.
|
||||||
|
|
||||||
Here are the ACL's to implement the same permissions as above:
|
Here are the ACL's to implement the same permissions as above:
|
||||||
|
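Review bot: "Note: Users will be created automatically when users authenticate with the Headscale server" now uses "users" for two different things in one sentence; suggest "Note: a user is created automatically the first time someone authenticates with the Headscale server". Unrelated to the rename but in the same hunk, "ACLs could be written either on huJSON or YAML" should be "in huJSON or YAML".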
@ -164,8 +164,8 @@ Here are the ACL's to implement the same permissions as above:
|
||||||
"dst": ["tag:dev-app-servers:80,443"]
|
"dst": ["tag:dev-app-servers:80,443"]
|
||||||
},
|
},
|
||||||
|
|
||||||
// We still have to allow internal namespaces communications since nothing guarantees that each user have
|
// We still have to allow internal users communications since nothing guarantees that each user have
|
||||||
// their own namespaces.
|
// their own users.
|
||||||
{ "action": "accept", "src": ["boss"], "dst": ["boss:*"] },
|
{ "action": "accept", "src": ["boss"], "dst": ["boss:*"] },
|
||||||
{ "action": "accept", "src": ["dev1"], "dst": ["dev1:*"] },
|
{ "action": "accept", "src": ["dev1"], "dst": ["dev1:*"] },
|
||||||
{ "action": "accept", "src": ["dev2"], "dst": ["dev2:*"] },
|
{ "action": "accept", "src": ["dev2"], "dst": ["dev2:*"] },
|
||||||
|
|
|
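Review bot: the mechanically renamed comment "nothing guarantees that each user have their own users" no longer makes sense. The original point was that one headscale user (formerly namespace) may be shared by several people, so the per-user rules below are still needed; reword to something like "since nothing guarantees that each person has their own user" and fix "have" to "has".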
@ -1,6 +1,6 @@
|
||||||
# Glossary
|
# Glossary
|
||||||
|
|
||||||
| Term | Description |
|
| Term | Description |
|
||||||
| --------- | --------------------------------------------------------------------------------------------------------------------- |
|
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||||
| Machine | A machine is a single entity connected to `headscale`, typically an installation of Tailscale. Also known as **Node** |
|
| Machine | A machine is a single entity connected to `headscale`, typically an installation of Tailscale. Also known as **Node** |
|
||||||
| Namespace | A namespace is a logical grouping of machines "owned" by the same entity, in Tailscale, this is typically a User |
|
| Namespace | A namespace was a logical grouping of machines "owned" by the same entity, in Tailscale, this is typically a User (This is now called user) |
|
||||||
|
|
|
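Review bot: the glossary now has a `Namespace` row ending in "(This is now called user)" but no `User` row, so the current term is undefined while the retired one is. Add a `User` row with the definition ("a logical grouping of machines owned by the same entity, typically a person") and reduce the `Namespace` row to a pointer such as "Former name for User; see User", rather than leaving the old term as the only definition.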
@ -44,9 +44,9 @@ oidc:
|
||||||
- alice@example.com
|
- alice@example.com
|
||||||
|
|
||||||
# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
|
# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
|
||||||
# This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
|
# This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
|
||||||
# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
|
# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
|
||||||
# namespace: `first-name.last-name.example.com`
|
# user: `first-name.last-name.example.com`
|
||||||
strip_email_domain: true
|
strip_email_domain: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
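Review bot: this block duplicates the `strip_email_domain` comment from `config-example.yaml`, so it carries the same "resulting to the following" wording error and the same gap: it does not say that stripping the domain merges identities that share a local part across different e-mail domains. Whatever wording is chosen for the config example should be applied here too so the two stay in sync.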
@ -101,11 +101,11 @@ Verify `headscale` is available:
|
||||||
curl http://127.0.0.1:9090/metrics
|
curl http://127.0.0.1:9090/metrics
|
||||||
```
|
```
|
||||||
|
|
||||||
6. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
|
6. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
docker exec headscale \
|
docker exec headscale \
|
||||||
headscale namespaces create myfirstnamespace
|
headscale users create myfirstuser
|
||||||
```
|
```
|
||||||
|
|
||||||
### Register a machine (normal login)
|
### Register a machine (normal login)
|
||||||
|
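Review bot: "Create a user ([tailnet](...))" keeps the old equation of namespace with a Tailscale tailnet, which is more confusing now that the entity is called a user; the glossary in this same commit describes it as the entity that owns a group of machines. Either drop the tailnet link or reword to "Create a user (the owner of the machines you are about to register; roughly a tailnet in Tailscale terms)". The same line appears in the other two getting-started pages in this commit.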
@ -120,7 +120,7 @@ To register a machine when running `headscale` in a container, take the headscal
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
docker exec headscale \
|
docker exec headscale \
|
||||||
headscale --namespace myfirstnamespace nodes register --key <YOU_+MACHINE_KEY>
|
headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Register machine using a pre authenticated key
|
### Register machine using a pre authenticated key
|
||||||
|
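Review bot: the placeholder `<YOU_+MACHINE_KEY>` has a stray `_+` that survived the rename and appears in all three register examples in this commit; it should read `<YOUR_MACHINE_KEY>` so readers do not paste the literal `+`. While the line is being edited, the `--user` flag should be checked against the CLI's actual flag name for this release so the docs and binary agree.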
@ -129,7 +129,7 @@ Generate a key using the command line:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
docker exec headscale \
|
docker exec headscale \
|
||||||
headscale --namespace myfirstnamespace preauthkeys create --reusable --expiration 24h
|
headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
|
||||||
```
|
```
|
||||||
|
|
||||||
This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
|
This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
|
||||||
|
|
|
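Review bot: the example `preauthkeys create --reusable --expiration 24h` is presented as the way to register a single machine, but a reusable key enrolls any number of nodes until it expires. Since this is a getting-started page, note that `--reusable` is optional and that a single-use key is the safer choice for registering one machine, or drop `--reusable` from the example; the same example is repeated in the other two getting-started pages in this commit.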
@ -78,10 +78,10 @@ Verify `headscale` is available:
|
||||||
curl http://127.0.0.1:9090/metrics
|
curl http://127.0.0.1:9090/metrics
|
||||||
```
|
```
|
||||||
|
|
||||||
8. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
|
8. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
headscale namespaces create myfirstnamespace
|
headscale users create myfirstuser
|
||||||
```
|
```
|
||||||
|
|
||||||
### Register a machine (normal login)
|
### Register a machine (normal login)
|
||||||
|
@ -95,7 +95,7 @@ tailscale up --login-server YOUR_HEADSCALE_URL
|
||||||
Register the machine:
|
Register the machine:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
headscale --namespace myfirstnamespace nodes register --key <YOU_+MACHINE_KEY>
|
headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Register machine using a pre authenticated key
|
### Register machine using a pre authenticated key
|
||||||
|
@ -103,7 +103,7 @@ headscale --namespace myfirstnamespace nodes register --key <YOU_+MACHINE_KEY>
|
||||||
Generate a key using the command line:
|
Generate a key using the command line:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
headscale --namespace myfirstnamespace preauthkeys create --reusable --expiration 24h
|
headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
|
||||||
```
|
```
|
||||||
|
|
||||||
This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
|
This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
|
||||||
|
|
|
@ -116,10 +116,10 @@ Verify `headscale` is available:
|
||||||
curl http://127.0.0.1:9090/metrics
|
curl http://127.0.0.1:9090/metrics
|
||||||
```
|
```
|
||||||
|
|
||||||
6. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
|
6. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
headscale namespaces create myfirstnamespace
|
headscale users create myfirstuser
|
||||||
```
|
```
|
||||||
|
|
||||||
### Register a machine (normal login)
|
### Register a machine (normal login)
|
||||||
|
@ -133,7 +133,7 @@ tailscale up --login-server YOUR_HEADSCALE_URL
|
||||||
Register the machine:
|
Register the machine:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
headscale --namespace myfirstnamespace nodes register --key <YOU_+MACHINE_KEY>
|
headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Register machine using a pre authenticated key
|
### Register machine using a pre authenticated key
|
||||||
|
@ -141,7 +141,7 @@ headscale --namespace myfirstnamespace nodes register --key <YOU_+MACHINE_KEY>
|
||||||
Generate a key using the command line:
|
Generate a key using the command line:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
headscale --namespace myfirstnamespace preauthkeys create --reusable --expiration 24h
|
headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
|
||||||
```
|
```
|
||||||
|
|
||||||
This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
|
This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
|
||||||
|
|