[Bug] ACL User/Groups not working in v0.26.0 #1023

Closed
opened 2025-12-29 02:27:39 +01:00 by adam · 4 comments

Originally created by @gawsoftpl on GitHub (May 15, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When I upgraded headscale to v0.26.0 from 0.25.1, groups and users do not have access to other services in the tailscale network.

The example ACL below doesn't work:

{
  "groups": {
    "group:root": ["contact@"],
  },
  "acls": [
    {"action": "accept", "src": ["group:root"], "dst": ["*:*"]},
  ]
}

This setup works:

{
  "acls": [
    {"action": "accept", "src": ["tag:desktop"], "dst": ["*:*"]},
  ]
}

Users list:

root@headscale:/var/lib/headscale# headscale users list
ID | Name | Username            | Email | Created            
1  |      | contact             |       | 2024-06-07 19:56:31

Expected Behavior

Should allow nodes from user contact to access all services, because the user belongs to group root.

Steps To Reproduce

{
  "groups": {
    "group:root": ["contact@"],
  },
  "acls": [
    {"action": "accept", "src": ["group:root"], "dst": ["*:*"]},
  ]
}

Environment

- OS: Ubuntu 24.0.4
- Headscale version: 0.26.0
- Tailscale version: 1.82.5

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

{
  "groups": {
    "group:root": ["contact@"],
  },
  "acls": [
    {"action": "accept", "src": ["group:root"], "dst": ["*:*"]},
  ]
}

adam added the bug label 2025-12-29 02:27:39 +01:00
adam closed this issue 2025-12-29 02:27:39 +01:00

@kradalby commented on GitHub (May 15, 2025):

Is the node you are testing with tagged?

When a node is tagged, it will no longer get covered by groups, as groups only cover users.
This has been an issue with Headscale for as long as it has existed, and it is partially fixed, but likely will be more focused on in the next release.

Essentially, when you tag a node, you "unassign" it from a user (even if it shows up as owned by user for now).

Also feel free to join in on the beta testing, it helps us find these things before releasing.
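
The behaviour described in the comment above, as an added example (not part of the original thread and not Headscale's code): a simplified model in which user and group `src` entries skip tagged nodes, used to flag nodes that a group rule stops covering once they are tagged. The node records and their field names are constructed, and reading `contact@` as the username `contact` is an assumption.

```python
import json

# Constructed sample: the policy from the report, as strict JSON.
POLICY = json.loads("""
{
  "groups": {"group:root": ["contact@"]},
  "acls": [{"action": "accept", "src": ["group:root"], "dst": ["*:*"]}]
}
""")

# Constructed inventory; field names are hypothetical, not Headscale output.
NODES = [
    {"name": "laptop", "user": "contact", "tags": []},
    {"name": "desktop", "user": "contact", "tags": ["tag:desktop"]},
]

def src_matches(src, node, groups):
    """True if one ACL src entry covers the node in this simplified model."""
    if src == "*":
        return True
    if src.startswith("tag:"):
        return src in node["tags"]
    if node["tags"]:
        # A tagged node counts as unassigned from its user, so user and
        # group entries never match it.
        return False
    users = groups.get(src, []) if src.startswith("group:") else [src]
    # Assumption: the entry "contact@" names the username "contact".
    return any(u.endswith("@") and u[:-1] == node["user"] for u in users)

def rule_matches(rule, node, groups):
    return any(src_matches(s, node, groups) for s in rule.get("src", []))

def covered_nodes(policy, nodes):
    """Map each rule index to the names of the nodes its src list covers."""
    groups = policy.get("groups", {})
    return {i: [n["name"] for n in nodes if rule_matches(r, n, groups)]
            for i, r in enumerate(policy.get("acls", []))}

def shadowed_by_tags(policy, nodes):
    """(rule index, node) pairs where only the node's tags stop a match."""
    groups = policy.get("groups", {})
    return [(i, n["name"])
            for i, r in enumerate(policy.get("acls", []))
            for n in nodes
            if n["tags"] and not rule_matches(r, n, groups)
            and rule_matches(r, dict(n, tags=[]), groups)]
```

Running `shadowed_by_tags` over a real policy and node inventory before an upgrade lists the nodes that need a `tag:` rule or need their tags removed.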


@gawsoftpl commented on GitHub (May 15, 2025):

Yes, the nodes were tagged; when I removed the tags from the nodes everything works. Now users/groups work. Thanks @kradalby.
What do you mean by joining the beta testing? Do you have special groups, or do you mean simply use beta releases?


@kradalby commented on GitHub (May 15, 2025):

> you mean simply use beta releases?

Just simply use it hehe, then we can find these things easier.

I'll close this, more things are coming to Tags in the next release.


@godie1980 commented on GitHub (Oct 31, 2025):

I have the same issue with 0.27.0. But for me none of the nodes is tagged, but I cannot access it from user or group. I can access it if I use the following ACL:

"acls": [
  {
    "#ha-meta": {
      "name": "",
      "open": true
    },
    "action": "accept",
    "src": [
      "*"
    ],
    "dst": [
      "*:*"
    ]
  }
],

I am trying to access a subnet route on a node that is owned by another user. Maybe that's the issue?


Reference: starred/headscale#1023