[Bug] Headscale tags differ conceptually from Tailscale tags #914

Closed
opened 2025-12-29 02:25:54 +01:00 by adam · 1 comment
Owner

Originally created by @adnandaut on GitHub (Jan 21, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The tagOwners section of my ACLs reads as follows:

  "tagOwners": {
    "tag:test": [ "group:admin" ],
  },

When trying to create an auth key with the headscale CLI for that tag, the operation fails, because it asks for a user account to tie the tag to:

$ headscale preauthkeys create --tags test
required flag(s) "user" not set

Expected Behavior

From the Tailscale documentation on auth keys

An auth key authenticates a device as the user who generated the key. […]
However, if you use tags with an auth key, a device that uses the auth key assumes the identity of the tags applied to it.

and on tags

Tags are essentially service accounts […]
Other key characteristics of tags include:

  • Applying a tag to a device removes any user-based authentication.
  • [...]
  • Tags are defined in the tailnet policy file in the tagOwners section.

I would expect to be able to create preauth keys that are tied to either a user or to tags, while I would expect an attempt to create a preauth key that is tied to a user and a tag at the same time to yield an error. In Tailscale, it does not appear to be possible to have a device be owned by a user and a tag at the same time.

Steps To Reproduce

I hope the steps for reproduction are relatively clear from the "Current behavior" section.

Environment

- OS: Docker
- Headscale version: 0.23.0
- Tailscale version: 1.78.1

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response
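The semantics the report asks for (a key carries either a user identity or a tag identity, never both; a tag must be declared in tagOwners; whoever mints a tagged key must be an owner of every tag) can be modelled in a few lines. The following is an added example for illustration, not code from headscale or Tailscale. It assumes a constructed policy with one group and two tags, a minimal HuJSON stripper (assumes no `//` inside string values), and a hypothetical `validate_preauth_request` function; owners written as `tag:` or `autogroup:` entries are deliberately not expanded to users.

```python
"""Model of the user-vs-tag preauth key rule described in the issue (added example)."""
import json
import re

# Constructed sample policy in Tailscale's HuJSON style (comments, trailing commas).
POLICY_TEXT = r'''
{
  // constructed example policy, not a real tailnet
  "groups": {
    "group:admin": ["alice@example.com"],
  },
  "tagOwners": {
    "tag:test": [ "group:admin" ],
    "tag:web":  [ "bob@example.com" ],
  },
}
'''


def load_hujson(text):
    """Strip // comments and trailing commas so json can parse a HuJSON policy.
    Assumption: no string value contains '//' (a URL would be mangled)."""
    text = re.sub(r'//[^\n]*', '', text)
    text = re.sub(r',\s*([}\]])', r'\1', text)
    return json.loads(text)


POLICY = load_hujson(POLICY_TEXT)


class PolicyError(ValueError):
    """Raised when a key request violates the user-or-tags rule or tag ownership."""


def tag_owners(policy, tag):
    """Users allowed to apply `tag`: direct user entries plus group members.
    tag:/autogroup: owners are left unexpanded (assumption for this example)."""
    owners = set()
    for owner in policy.get("tagOwners", {}).get(tag, []):
        if owner.startswith("group:"):
            owners.update(policy.get("groups", {}).get(owner, []))
        elif ":" not in owner:
            owners.add(owner)
    return owners


def validate_preauth_request(policy, requester, user=None, tags=()):
    """Return the identity a key would carry: ('user', name) or ('tags', frozenset).
    Accepts tags with or without the 'tag:' prefix, as the CLI in the report does."""
    tags = frozenset(t if t.startswith("tag:") else "tag:" + t for t in tags)
    if user and tags:
        raise PolicyError("a preauth key is tied to a user or to tags, not both")
    if not user and not tags:
        raise PolicyError("specify a user or at least one tag")
    if user:
        return ("user", user)
    for tag in sorted(tags):
        if tag not in policy.get("tagOwners", {}):
            raise PolicyError(f"{tag} is not declared in tagOwners")
        if requester not in tag_owners(policy, tag):
            raise PolicyError(f"{requester} is not an owner of {tag}")
    return ("tags", tags)


def request_error(policy, requester, user=None, tags=()):
    """Convenience wrapper: the error message for a bad request, or None if it is valid."""
    try:
        validate_preauth_request(policy, requester, user=user, tags=tags)
    except PolicyError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The report's command, issued by a member of group:admin: valid, tag identity only.
    print(validate_preauth_request(POLICY, "alice@example.com", tags=["test"]))
    # User and tag together: rejected, matching the expected behaviour in the report.
    print(request_error(POLICY, "alice@example.com", user="alice@example.com", tags=["test"]))
```

Running the module prints the tag identity for the first request and the "not both" error for the second; an undeclared tag or a requester outside group:admin is rejected in the same way.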

adam added the bug label 2025-12-29 02:25:54 +01:00
adam closed this issue 2025-12-29 02:25:54 +01:00
Author
Owner

@adnandaut commented on GitHub (Jan 21, 2025):

Sorry, I wasn't searching for "tag", just for "preauth".
This is a duplicate of #1369.


Reference: starred/headscale#914