[Feature] Manual approval of the node #2176
Comments
|
@kradalby If it seems reasonable, I can do a PR. |
|
I have a question regarding this: I am logged in on two devices ( |
That's the idea, device validation. If enabled, you should validate each device to reduce the risk of adding an unauthorized node if your OIDC account is compromised. P.S. If this functionality is not needed, it could always be switched off via config.yaml |
|
This will implement what Tailscale calls device approval, which I am open to, but it will have to align with the upstream behaviour.
I feel like a boolean should be sufficient here, either the device is approved or not.
I think all of these can be omitted, as per the docs, the device should not be allowed to do anything:
So I think it would be a lot more meaningful to just filter When a device is approved, a state update is sent to make new node lists being sent.
I think an approve command makes sense for OIDC, while for what we call "web auth" where you have to issue a command, it doesn't really make sense to have to execute two commands instead of just one. I am willing to be convinced that we should have it for both, but at least OIDC makes sense from the start.
As per tailscale docs, all preauthorisation keys should be automatically approved. As you mentioned in the follow up comment, this should be opt-in in the configuration and not on by default. I think we will also need a webpage explaining to the users to contact their admin (see tailscale docs) that is at least given after you have logged in with OIDC. This web page should reuse the same style as the current OIDC one, but should be written using As long as we end up in a state with the same features as upstream, I am quite positive for you to contribute this! |
I believe it is necessary to store the date so that network administrators can know at any time when a particular node was approved. |
@kradalby but the Tailscale docs says:
From which I conclude that you can create AuthKey with or without automatic node approval. P.S. I think it is necessary to do the same as in TailScale, because very often when describing HeadScale functionality references to TailScale documentation are used. |
Then we have the problem of how we will treat deauthorised nodes and how to note when that happens. When something happens, particularly when it can happen on and off multiple times should go in logs. So bool + logs make sense.
It is not an option in Tailscale, it will always be approved (see screenshot) |
I'll agree
@kradalby No) |
ah cool, I did not have it enabled, which makes sense, please proceed then! |
Use case
It is necessary to control the nodes connecting to my network.
Description
For example: registering a new node via CLI requires an explicit action by the administrator, which reduces the risk of unauthorised access to the network, unlike registering a node via OIDC, where all responsibility falls on an external OIDC system that can be compromised. To reduce the risk, additional approval (Device approval - https://tailscale.com/kb/1099/device-approval) is required for new nodes on the network.
Contribution
How can it be implemented?
authorised: datetime IS NULLto the nodes table database.IsAuthorisedvalidation methods to the Node model that will check that the field is not NULL or IsZero.MachineAuthorised: !node.IsExpired()withMachineAuthorized: node.IsAuthorized().CanAccessmethod to block approved nodes from communicating with unapproved nodesP.S. I'm already using this change on my network.
The text was updated successfully, but these errors were encountered: