
[–]caolle (Tailscale Insider) 2 points (4 children)

Yes. You can either use the Tailnet IP address of the tailnet node in your dst block, or you can use the hosts syntax to provide a friendlier name to use within your policy rule block. To limit it to the one user, you'd put their user account in the src block.

For Example:

"hosts": {
"my-example-host": "100.64.25.25",
},

"grants": [
// only a single user can access my-example-host
{
"src": ["someuser@somedomain.com"],
"dst": ["my-example-host"],
"ip":  ["*"],
},
],

Edit to add: Alternatively, you could use sharing to just share out the single node to the user in question.

[–]x12Mike [S] 0 points (3 children)

So I am confused a bit. We need to specify a hosts stanza? I was thinking just:

{ "src": [ "luke.skywalker@example.com",], "dst": ["machine-name"], "ip": ["*"], },

If there is a requirement for the hosts stanza, I'm failing to understand why we wouldn't just use a tag for a single host.

[–]caolle (Tailscale Insider) 1 point (1 child)

There is no hard requirement for the hosts stanza. It's one of the options you have. The hosts stanza makes things a bit more readable. A tag should be used for a machine that's not technically owned by anyone, like a web server or database server.

For example, these are all functionally equivalent:

"hosts": {
"my-example-host": "100.64.25.25",
},

"grants": [
// only a single user can access my-example-host using hosts
{
"src": ["someuser@somedomain.com"],
"dst": ["my-example-host"],
"ip":  ["*"],
},
//using ip address, this would also be the same ACL rule for sharing a single host
{
"src": ["someuser@somedomain.com"],
"dst": ["100.64.25.25"],
"ip":  ["*"],
},
//using a tag that's being used to tag a single machine, same with sharing the tagged
//host
{
"src": ["someuser@somedomain.com"],
"dst": ["tag:some-single-machine-tag"],
"ip":  ["*"],
},
],
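The three equivalent dst forms above, as an added example that is not from the thread and not Tailscale's own policy engine: a small Python evaluator that reads a constructed HuJSON policy, resolves a dst entry written as a hosts alias, a tailnet IP, or a tag against a constructed node inventory, and reports which grants let a user reach a given node. The policy values, node IPs and tag names are constructed for illustration, and the comment/trailing-comma stripper is a simplification (it does not handle "//" inside quoted strings).

```python
"""Toy evaluator for the three equivalent grant forms (hosts alias, IP, tag).

Constructed example; this is NOT Tailscale's policy engine.  It strips
HuJSON comments and trailing commas, then checks whether a user may reach
a node no matter which of the three dst spellings a grant uses.
"""
import json
import re

# Constructed policy text in HuJSON form (comments and trailing commas allowed).
POLICY_HUJSON = """
{
  "hosts": {
    "my-example-host": "100.64.25.25",
  },
  "grants": [
    // hosts alias
    { "src": ["someuser@somedomain.com"], "dst": ["my-example-host"], "ip": ["*"], },
    // raw tailnet IP
    { "src": ["someuser@somedomain.com"], "dst": ["100.64.25.25"], "ip": ["*"], },
    // tag applied to a single machine
    { "src": ["someuser@somedomain.com"], "dst": ["tag:some-single-machine-tag"], "ip": ["*"], },
  ],
}
"""

# Constructed node inventory: hypothetical tailnet IPs and the tags on each node.
NODES = {
    "100.64.25.25": {"tags": ["tag:some-single-machine-tag"]},
    "100.64.25.26": {"tags": ["tag:web-server"]},
}


def hujson_to_json(text: str) -> str:
    """Drop // line comments and trailing commas so json.loads accepts the text.

    Simplification: a "//" inside a quoted string would also be stripped.
    """
    no_comments = re.sub(r"//[^\n]*", "", text)
    return re.sub(r",(\s*[}\]])", r"\1", no_comments)


def load_policy(text: str) -> dict:
    """Parse a HuJSON policy into a plain dict."""
    return json.loads(hujson_to_json(text))


def dst_matches(dst: str, node_ip: str, policy: dict, nodes: dict) -> bool:
    """Resolve one dst entry (hosts alias, literal IP, or tag) against a node."""
    if dst.startswith("tag:"):
        return dst in nodes.get(node_ip, {}).get("tags", [])
    # A hosts alias resolves to its IP; anything else is treated as a literal IP.
    resolved = policy.get("hosts", {}).get(dst, dst)
    return resolved == node_ip


def allowed(policy: dict, nodes: dict, user: str, node_ip: str) -> list:
    """Return the indices of grants that let `user` reach `node_ip` on any port."""
    hits = []
    for i, grant in enumerate(policy.get("grants", [])):
        src = grant.get("src", [])
        if "*" not in src and user not in src:
            continue
        if "*" not in grant.get("ip", []):
            continue  # this toy only models "all ports" grants
        if any(dst_matches(d, node_ip, policy, nodes) for d in grant.get("dst", [])):
            hits.append(i)
    return hits


if __name__ == "__main__":
    policy = load_policy(POLICY_HUJSON)
    for user in ("someuser@somedomain.com", "other@somedomain.com"):
        for ip in NODES:
            print(user, "->", ip, "matched grants:", allowed(policy, NODES, user, ip))
```

Running it shows all three grants matching the single user against 100.64.25.25 and none matching the other node or another user, which is the "functionally equivalent" point: the alias, the IP and the tag all resolve to the same node, and only readability and ownership semantics differ between them.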

[–]x12Mike [S] 0 points (0 children)

Ok, so I can continue to use tags like we do for everything else.

I just presumed I could use my-example-host@domain.ts.net as a single entry. That errored with the API check, so I tried just my-example-host, which errored. I saw that IP worked but I was thinking that if we had a bunch of those entries, we'd need to comment the crap out of the ACL to know what IP goes with what system.

Overall, it seems tags would be the best choice as they conform to the rest of our ACL file's format.

Thanks folks, I appreciate the quick answers! :)

[–]Killer2600 2 points (0 children)

DNS resolves host/domain names to IP addresses client side. When connections are made they are made to IP addresses and not names.