-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow tagged nodes to authenticate #2
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Xe <me@christine.website>
Needs testing. A lot of testing. Signed-off-by: Xe <me@christine.website>
Several questions...
Since our expectation is that a user of the plugin is always going to have their own caddy config which maps user attributes to HTTP headers, I wonder if we could provide the building blocks to allow people to map things however is appropriate for their use case. What if we just populated a Or if that's too gnarly, maybe it's configuration for the tailscale_auth directive? So you'd have something like:
Or whatever the right configuration there is |
stick in the mud: what if we only allow nodes with a single tag to be used with this? then it's not ambiguous |
Well that definitely solves the tag sorting/ordering question. This still feels round-peg-square-hole enough that worry about this being enabled with exactly these settings by default. How do you feel about |
I'd be okay with that yeah |
The current version doesn't have any configuration, but you can see how it worked in a previous version: Lines 102 to 131 in 68b91cc
Another thought I had in the direction of letting users configure this how they want on their own would be to use the map directive, particularly now that caddyserver/caddy#5081 has merged. So, if we set the tag on the caddy user object, users could map it in if they want to:
That's not near as elegant as a simple flag like:
But does provide a different way for users to customize how tags map to usernames, using caddy's existing directives. I'm not sure how common this would be likely to be, so don't know how easy we need to make it, versus just making it possible, even if it takes a little extra config. |
(In my experience, start minimal and see what users request, then add it for valid use cases.) Something we sometimes do is to have some directives or sub-directives be shortcuts for expanded Caddyfile config that yes, the user could write themselves, but is much simpler with the shortcut because it is so common. For example, But you could also just wait and see what users request first 🤷♂️ |
Which are you suggesting would be the minimal option here? Not supporting tagged nodes at all? That's the case today, and we already know it's a model we want to support somehow. Or are you saying suggesting letting users use the map directive like I mentioned above, and add a new option when needed? Or something else? |
^ that one For now. Just to save yourselves some time and see what the real uses cases are to help form the final solution. I mean, if you can foresee it or want it yourself go ahead -- it sounds really convenient -- I'm just telling you my usual approach to adding config surface area. 👍 |
Signed-off-by: Christine Dodrill <xe@tailscale.com>
Hey @Xe and @willnorris -- just wanted to follow up. How can I help with this? We'd love to be able to use Caddy to have multiple hosts per TS node "just work" -- I think we're close, yeah? |
The basic logic here is that we want tagged machines to be able to authenticate with Tailscale auth. The main problem here is that our identity model is usually one to one (one machine has one owner) but tags make this complicated (one machine can have n tags). As a stick in the mud, I propose that we allow tagged machines to connect with Tailscale auth but the first tag is the one that has "identity power".
This decision was made arbitrarily. It should probably be brought up in an eng meeting, but this works enough to make it work on my Steam Deck:
(pictured: a Valve Steam Deck running Firefox connected to Jenkins over Tailscale, proving that both Jenkins is configured to use Tailscale for auth and that a tagged node can authenticate to Jenkins)
Points of contention
tag:name
totag___name
so that it's less likely to collide with an actual human user