[PR #2619] [CLOSED] Tags: reimplement, make first class #2765

Closed
opened 2025-12-29 04:18:53 +01:00 by adam · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/2619
Author: @kradalby
Created: 5/21/2025
Status: Closed

Base: main ← Head: kradalby/tag-smarter


📝 Commits (8)

  • b87bb35 types/node: make user optional, document tagged
  • d3005b1 types/node: make user pointer
  • 19add15 types/node: make user pointer
  • 27a518a policy: add user helper for tests
  • 4d3483e policy: ensure group and tags can only have ascii chars and dash
  • bdcd549 types/pak: make user/tag optional
  • 0152597 db/pak: make authkeys have identifiable hash
  • 47d0f2d temp

📊 Changes

30 files changed (+1375 additions, -720 deletions)

📝 hscontrol/app.go (+8 -0)
📝 hscontrol/auth.go (+11 -36)
📝 hscontrol/db/api_key.go (+2 -2)
📝 hscontrol/db/db.go (+36 -0)
📝 hscontrol/db/ip_test.go (+10 -10)
📝 hscontrol/db/node.go (+88 -15)
📝 hscontrol/db/node_test.go (+21 -21)
📝 hscontrol/db/preauth_keys.go (+118 -54)
📝 hscontrol/db/preauth_keys_test.go (+1 -1)
📝 hscontrol/db/users.go (+3 -2)
📝 hscontrol/db/users_test.go (+5 -5)
📝 hscontrol/grpcv1.go (+21 -29)
📝 hscontrol/mapper/mapper.go (+14 -5)
📝 hscontrol/mapper/mapper_test.go (+21 -21)
📝 hscontrol/mapper/tail.go (+9 -12)
📝 hscontrol/mapper/tail_test.go (+6 -10)
📝 hscontrol/oidc.go (+3 -3)
📝 hscontrol/policy/policy_test.go (+364 -260)
📝 hscontrol/policy/route_approval_test.go (+17 -16)
📝 hscontrol/policy/v2/filter_test.go (+6 -7)

...and 10 more files

📄 Description

This PR is going to be the core work of #2417, redoing our Tags support.

From the tailscale docs (https://tailscale.com/kb/1068/tags):

Tailscale tags are how you authenticate and identify non-user devices, such as servers and ephemeral nodes. They serve two primary purposes: to provide an identity to non-user devices and to let you manage access control policies based on purpose. In this context, a purpose could be anything from hosting a web server to serving as a subnet router for employees in a specific geographic location.

We do not really implement tags this way, as a node is always associated with a user, even if it is tagged.

After this PR, we will streamline tags to work in the same way as upstream, making sure we align and ensure that tagged devices are truly not associated with a user.

This is an important building block to ensure that the Tags part of the Policy works in the correct way and provides the correct isolation.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

adam added the pull-request label 2025-12-29 04:18:53 +01:00
adam closed this issue 2025-12-29 04:18:53 +01:00

Reference: starred/headscale#2765