[Bug] ACL not working as expected #826

New Issue

Closed

opened 2025-12-29 02:24:32 +01:00 by adam · 4 comments

adam commented 2025-12-29 02:24:32 +01:00

Owner

Copy Link

Originally created by @Johnwulp on GitHub (Oct 11, 2024).

Is this a support request?

• This is not a support request

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

When using this acl json, john is not able to connect to any customer. Which is how it should work.

{
  "acls": [
    { "action": "accept", "src": ["john"], "dst": ["john:*"] },
    { "action": "accept", "src": ["customer1"], "dst": ["customer1:*"] },
    { "action": "accept", "src": ["customer2"], "dst": ["customer2:*"] }
  ]
}

If i change the acl to below, then john is able to connect to customer1. But customer2 is also able to connect to customer1.

{
  "acls": [
    { "action": "accept", "src": ["john"], "dst": ["john:*"] },
    { "action": "accept", "src": ["customer1"], "dst": ["customer1:*"] },
    { "action": "accept", "src": ["customer2"], "dst": ["customer2:*"] },
    { "action": "accept", "src": ["john"], "dst": ["customer1:*"] }
  ]
}

Expected Behavior

When using this permission acl csutomer2 should not be able to connect to customer1

{
  "acls": [
    { "action": "accept", "src": ["john"], "dst": ["john:*"] },
    { "action": "accept", "src": ["customer1"], "dst": ["customer1:*"] },
    { "action": "accept", "src": ["customer2"], "dst": ["customer2:*"] },
    { "action": "accept", "src": ["john"], "dst": ["customer1:*"] }
  ]
}

Steps To Reproduce

Set environment up with permission json as explained

Environment

- OS: Docker container linux/arm64/v8
- Headscale version: stable (v0.23.0)
- Tailscale version: 1.76.0

Runtime environment

• Headscale is behind a (reverse) proxy
• Headscale runs in a container

Anything else?

No response

Originally created by @Johnwulp on GitHub (Oct 11, 2024). ### Is this a support request? - [X] This is not a support request ### Is there an existing issue for this? - [X] I have searched the existing issues ### Current Behavior When using this acl json, john is not able to connect to any customer. Which is how it should work. ``` { "acls": [ { "action": "accept", "src": ["john"], "dst": ["john:*"] }, { "action": "accept", "src": ["customer1"], "dst": ["customer1:*"] }, { "action": "accept", "src": ["customer2"], "dst": ["customer2:*"] } ] } ``` If i change the acl to below, then john is able to connect to customer1. But customer2 is also able to connect to customer1. ``` { "acls": [ { "action": "accept", "src": ["john"], "dst": ["john:*"] }, { "action": "accept", "src": ["customer1"], "dst": ["customer1:*"] }, { "action": "accept", "src": ["customer2"], "dst": ["customer2:*"] }, { "action": "accept", "src": ["john"], "dst": ["customer1:*"] } ] } ``` ### Expected Behavior When using this permission acl csutomer2 should not be able to connect to customer1 ``` { "acls": [ { "action": "accept", "src": ["john"], "dst": ["john:*"] }, { "action": "accept", "src": ["customer1"], "dst": ["customer1:*"] }, { "action": "accept", "src": ["customer2"], "dst": ["customer2:*"] }, { "action": "accept", "src": ["john"], "dst": ["customer1:*"] } ] } ``` ### Steps To Reproduce Set environment up with permission json as explained ### Environment ```markdown - OS: Docker container linux/arm64/v8 - Headscale version: stable (v0.23.0) - Tailscale version: 1.76.0 ``` ### Runtime environment - [X] Headscale is behind a (reverse) proxy - [X] Headscale runs in a container ### Anything else? _No response_

adam added the bug label 2025-12-29 02:24:32 +01:00

adam closed this issue 2025-12-29 02:24:32 +01:00

adam commented 2025-12-29 02:24:32 +01:00

Author

Owner

Copy Link

@hopleus commented on GitHub (Oct 14, 2024):

I managed to achieve similar behaviour with the following actions:

1. Initial launch of HeadScale without any ACLs
2. Connected 3 clients
3. changing the ACL (as a file) with rules that each node can only communicate with itself
4. restarting HeadScale
5. clients continue to see and communicate with each other even though the ACL prohibits them from doing so.

In my case, this behaviour is caused by the fact that after starting HeadScale (with the changed ACL) no updated information is sent to the clients, because the logic of HeadScale does not allow it. When switching ACL to Database mode, any ACL change results in updating all clients, which results in changing ACL policies and blocking traffic if required by the ACL.

It is likely that this issue may be related to #2181

From the suggestions:

• After running HeadScale, always send update requests to clients
• Add a CLI command to send updates to clients

In any case, @kradalby opinion is needed

@hopleus commented on GitHub (Oct 14, 2024): I managed to achieve similar behaviour with the following actions: 1. Initial launch of HeadScale without any ACLs 2. Connected 3 clients 3. changing the ACL (as a file) with rules that each node can only communicate with itself 4. restarting HeadScale 5. clients continue to see and communicate with each other even though the ACL prohibits them from doing so. In my case, this behaviour is caused by the fact that after starting HeadScale (with the changed ACL) no updated information is sent to the clients, because the logic of HeadScale does not allow it. When switching ACL to Database mode, any ACL change results in updating all clients, which results in changing ACL policies and blocking traffic if required by the ACL. It is likely that this issue may be related to #2181 From the suggestions: - After running HeadScale, always send update requests to clients - Add a CLI command to send updates to clients In any case, @kradalby opinion is needed

adam commented 2025-12-29 02:24:33 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Oct 14, 2024):

After running HeadScale, always send update requests to clients

I am not sure if we are thinking of the same thing, but when Headscale starts, all nodes that connect will get a full new map, and that will be based on the loaded ACL so if it has been updated it should send the equivalent of the new one.

@kradalby commented on GitHub (Oct 14, 2024): > After running HeadScale, always send update requests to clients I am not sure if we are thinking of the same thing, but when Headscale starts, all nodes that connect will get a full new map, and that will be based on the loaded ACL so if it has been updated it should send the equivalent of the new one.

adam commented 2025-12-29 02:24:33 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Oct 14, 2024):

@Johnwulp please include the tailscale debug netmap output requested in the issue template.

@kradalby commented on GitHub (Oct 14, 2024): @Johnwulp please include the `tailscale debug netmap` output requested in the issue template.

adam commented 2025-12-29 02:24:33 +01:00

Author

Owner

Copy Link

@Johnwulp commented on GitHub (Oct 14, 2024):

I don't know what has changed, but i'm unable to reproduce the issue. Maybe it has something to do with restarting all the client i used for testing. I setteled on this configuration for the moment, and this works as expected.

{
  "groups": {
    "group:support": ["john"],
    "group:customers": ["customer1", "customer2"]
  },
  "acls": [
    { "action": "accept", "src": ["group:support"], "dst": ["group:customers:3389"] }
  ]
}

@Johnwulp commented on GitHub (Oct 14, 2024): I don't know what has changed, but i'm unable to reproduce the issue. Maybe it has something to do with restarting all the client i used for testing. I setteled on this configuration for the moment, and this works as expected. ``` { "groups": { "group:support": ["john"], "group:customers": ["customer1", "customer2"] }, "acls": [ { "action": "accept", "src": ["group:support"], "dst": ["group:customers:3389"] } ] } ```

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

v0.28.0-beta.1

v0.27.2-rc.1

v0.27.1

v0.27.0

v0.27.0-beta.2

v0.27.0-beta.1

v0.26.1

v0.26.0

v0.26.0-beta.2

v0.26.0-beta.1

v0.25.1

v0.25.0

v0.25.0-beta.2

v0.24.3

v0.25.0-beta.1

v0.24.2

v0.24.1

v0.24.0

v0.24.0-beta.2

v0.24.0-beta.1

v0.23.0

v0.23.0-rc.1

v0.23.0-beta.5

v0.23.0-beta.4

v0.23.0-beta3

v0.23.0-beta2

v0.23.0-beta1

v0.23.0-alpha12

v0.23.0-alpha11

v0.23.0-alpha10

v0.23.0-alpha9

v0.23.0-alpha8

v0.23.0-alpha7

v0.23.0-alpha6

v0.23.0-alpha5

v0.23.0-alpha4

v0.23.0-alpha4-docker-ko-test9

v0.23.0-alpha4-docker-ko-test8

v0.23.0-alpha4-docker-ko-test7

v0.23.0-alpha4-docker-ko-test6

v0.23.0-alpha4-docker-ko-test5

v0.23.0-alpha-docker-release-test-debug2

v0.23.0-alpha-docker-release-test-debug

v0.23.0-alpha4-docker-ko-test4

v0.23.0-alpha4-docker-ko-test3

v0.23.0-alpha4-docker-ko-test2

v0.23.0-alpha4-docker-ko-test

v0.23.0-alpha3

v0.23.0-alpha2

v0.23.0-alpha1

v0.22.3

v0.22.2

v0.23.0-alpha-docker-release-test

v0.22.1

v0.22.0

v0.22.0-alpha3

v0.22.0-alpha2

v0.22.0-alpha1

v0.22.0-nfpmtest

v0.21.0

v0.20.0

v0.19.0

v0.19.0-beta2

v0.19.0-beta1

v0.18.0

v0.18.0-beta4

v0.18.0-beta3

v0.18.0-beta2

v0.18.0-beta1

v0.17.1

v0.17.0

v0.17.0-beta5

v0.17.0-beta4

v0.17.0-beta3

v0.17.0-beta2

v0.17.0-beta1

v0.17.0-alpha4

v0.17.0-alpha3

v0.17.0-alpha2

v0.17.0-alpha1

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.16.0-beta7

v0.16.0-beta6

v0.16.0-beta5

v0.16.0-beta4

v0.16.0-beta3

v0.16.0-beta2

v0.16.0-beta1

v0.15.0

v0.15.0-beta6

v0.15.0-beta5

v0.15.0-beta4

v0.15.0-beta3

v0.15.0-beta2

v0.15.0-beta1

v0.14.0

v0.14.0-beta2

v0.14.0-beta1

v0.13.0

v0.13.0-beta3

v0.13.0-beta2

v0.13.0-beta1

upstream/v0.12.4

v0.12.4

v0.12.3

v0.12.2

v0.12.2-beta1

v0.12.1

v0.12.0-beta2

v0.12.0-beta1

v0.11.0

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

CLI

DERP

DNS

Nix

OIDC

SSH

bug

database

documentation

duplicate

enhancement

faq

good first issue

grants

help wanted

might-come

needs design doc

needs investigation

no-stale-bot

out of scope

performance

policy 📝

pull-request

Mirrored from GitHub Pull Request

question

regression

routes

stale

tags

tailscale-feature-gap

well described ❤️

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#826