[Feature] Is it possible to prevent different users from seeing each other's nodes? #944

New Issue

adam · 2025-12-29T02:26:32+01:00

adam commented

2025-12-29 02:26:32 +01:00

Originally created by @agostop on GitHub (Feb 16, 2025).

Use case

Prevent clients from querying nodes that do not belong to their own namespace unless ACL allows it

Description

For example, there are two tenants, user1 and user2. When user1 uses tailscale status locally, he can only see the nodes in his own namespace.
But, If acl rule allow user1 to access some node of user2, then user1 can see those nodes when using 'tailscale status'.

Contribution

I can write the design doc for this feature
I can contribute this feature

How can it be implemented?

No response

Originally created by @agostop on GitHub (Feb 16, 2025). ### Use case Prevent clients from querying nodes that do not belong to their own namespace unless ACL allows it ### Description For example, there are two tenants, user1 and user2. When user1 uses tailscale status locally, he can only see the nodes in his own namespace. But, If acl rule allow user1 to access some node of user2, then user1 can see those nodes when using 'tailscale status'. ### Contribution - [ ] I can write the design doc for this feature - [ ] I can contribute this feature ### How can it be implemented? _No response_

adam added the enhancement faq labels 2025-12-29 02:26:32 +01:00

adam closed this issue

2025-12-29 02:26:32 +01:00

adam commented

2025-12-29 02:26:32 +01:00

@kradalby commented on GitHub (Feb 16, 2025):

No, this is not possible and documented in the tailscale docs.

If traffic is allowed to flow one way, then both needs to be in each others netmap.

This has been discussed multiple times before, please ask in discord or search the GitHub tracker.

@kradalby commented on GitHub (Feb 16, 2025): No, this is not possible and documented in the tailscale docs. If traffic is allowed to flow one way, then both needs to be in each others netmap. This has been discussed multiple times before, please ask in discord or search the GitHub tracker.

adam referenced this issue

2025-12-29 02:31:34 +01:00

[PR #944] [MERGED] Make TLS setup work automatically #1756

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#944