[PR #1792] [MERGED] feat: implements apis for managing headscale policy #2321

Closed
opened 2025-12-29 03:20:46 +01:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/1792
Author: @pallabpain
Created: 2/24/2024
Status: Merged
Merged: 7/18/2024
Merged by: @kradalby

Base: main ← Head: feat/acl-apis


📝 Commits (2)

  • 4e7704d fix(mapper): fix empty packetfilter being omitted
  • f79a2f3 feat: implements apis for managing headscale policy

📊 Changes

39 files changed (+1872 additions, -564 deletions)


📝 .github/workflows/test-integration.yaml (+2 -0)
📝 CHANGELOG.md (+3 -0)
➕ cmd/headscale/cli/policy.go (+91 -0)
📝 cmd/headscale/cli/utils.go (+8 -23)
📝 config-example.yaml (+12 -4)
📝 gen/go/headscale/v1/apikey.pb.go (+1 -1)
📝 gen/go/headscale/v1/device.pb.go (+1 -1)
📝 gen/go/headscale/v1/headscale.pb.go (+278 -254)
📝 gen/go/headscale/v1/headscale.pb.gw.go (+225 -15)
📝 gen/go/headscale/v1/headscale_grpc.pb.go (+129 -85)
📝 gen/go/headscale/v1/node.pb.go (+1 -1)
➕ gen/go/headscale/v1/policy.pb.go (+352 -0)
📝 gen/go/headscale/v1/preauthkey.pb.go (+1 -1)
📝 gen/go/headscale/v1/routes.pb.go (+1 -1)
📝 gen/go/headscale/v1/user.pb.go (+1 -1)
📝 gen/openapiv2/headscale/v1/apikey.swagger.json (+0 -1)
📝 gen/openapiv2/headscale/v1/device.swagger.json (+0 -1)
📝 gen/openapiv2/headscale/v1/headscale.swagger.json (+94 -19)
📝 gen/openapiv2/headscale/v1/node.swagger.json (+0 -1)
➕ gen/openapiv2/headscale/v1/policy.swagger.json (+43 -0)

...and 19 more files

📄 Description

Description

Headscale currently lacks APIs for managing ACLs.
The only way to manage ACLs is by loading them
from a file, and any changes to the policy
require reloading the Headscale process. This
limitation makes it difficult to integrate
Headscale with other systems via APIs, as
there is no ACL management available.

This commit introduces two APIs allowing you to set the policy.

APIs

Set ACL Policy

PUT /api/v1/policy

Payload (Not JSON, so convert to string before invoking the API.)

{"policy": "{// This is a comment\n\"groups\":{\"g1\":[\"u1\",\"u2\"]},\"acls\":[]}"}

Get ACL Policy

GET /api/v1/policy

Response

{"policy": {"groups": {}, "tags": {}}}

CLI

→ go run cmd/headscale/headscale.go --config ./config.yaml policy --help
Manage the Headscale ACL Policy

Usage:
  headscale policy [command]

Available Commands:
  get         Print the current ACL Policy
  set         Updates the ACL Policy

Flags:
  -h, --help   help for policy

Global Flags:
  -c, --config string   config file (default is /etc/headscale/config.yaml)
      --force           Disable prompts and forces the execution
  -o, --output string   Output format. Empty for human-readable, 'json', 'json-line' or 'yaml'

Use "headscale policy [command] --help" for more information about a command.

  • [x] read the CONTRIBUTING guidelines
  • [x] raised a GitHub issue or discussed it on the projects chat beforehand
  • [x] added unit tests
  • [x] added integration tests
  • [x] updated documentation if needed
  • [x] updated CHANGELOG.md

Resolves

  • https://github.com/juanfont/headscale/issues/582

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
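The Set ACL Policy payload described in the PR, as an added Go example (not code from the PR or from Headscale): it contrasts hand-splicing the policy text into the `{"policy": "..."}` envelope with letting `encoding/json` escape it, then builds the `PUT /api/v1/policy` request. The function names, the `headscale.invalid` host, the key value and the bearer `Authorization` header are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// policyEnvelope mirrors the PR's PUT payload: the policy is one JSON string field.
type policyEnvelope struct {
	Policy string `json:"policy"`
}

// NaiveBody splices the policy text in by hand (the mistake to avoid).
func NaiveBody(policyText string) []byte {
	return []byte(`{"policy": "` + policyText + `"}`)
}

// DecodedPolicy returns the policy string a JSON decoder recovers from body.
func DecodedPolicy(body []byte) (string, error) {
	var env policyEnvelope
	err := json.Unmarshal(body, &env)
	return env.Policy, err
}

// NewSetPolicyRequest builds PUT /api/v1/policy and lets json.Marshal do the
// escaping, so the server decodes exactly the text that was reviewed.
func NewSetPolicyRequest(baseURL, apiKey, policyText string) (*http.Request, []byte, error) {
	body, err := json.Marshal(policyEnvelope{Policy: policyText})
	if err != nil {
		return nil, nil, err
	}
	req, err := http.NewRequest(http.MethodPut, baseURL+"/api/v1/policy", bytes.NewReader(body))
	if err != nil {
		return nil, nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+apiKey) // assumption: bearer API key
	return req, body, nil
}

const samplePolicy = "{// This is a comment\n\"groups\":{\"g1\":[\"u1\",\"u2\"]},\"acls\":[]}" // from the PR text

func main() {
	_, naiveErr := DecodedPolicy(NaiveBody(samplePolicy))
	_, body, err := NewSetPolicyRequest("http://headscale.invalid", "constructed-key", samplePolicy)
	fmt.Println(naiveErr, string(body), err)
}
```

The hand-spliced body fails to parse because the policy's raw quotes and newline land inside the outer JSON string; the marshalled body decodes back to the original policy text byte for byte.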
adam added the pull-request label 2025-12-29 03:20:46 +01:00
adam closed this issue 2025-12-29 03:20:46 +01:00

Reference: starred/headscale#2321