ACL testing (#1803) #3005
ACL testing (#1803) #3005
Conversation
Janhouse
commented
Jan 12, 2026
Janhouse
commented
- have read the CONTRIBUTING.md file
- raised a GitHub issue or discussed it on the projects chat beforehand
- added unit tests
- added integration tests
- updated documentation if needed
- updated CHANGELOG.md
Janhouse
requested review from
juanfont,
kradalby,
nblock and
ohdearaugustin
as code owners
Janhouse
force-pushed
the
acl-testing
branch
2 times, most recently
from
2672a2f to
1be0b25
Compare
Nice feature to get in, its quite a large change, and we need to be careful about it as we do not want to provide users with a false sense of security or confidence, but definitely something to work towards.
I agree with this assessment, it should live more or less in the policy package and not need integration. That said, this will be an important one which we need test exhaustively. Another important question is, should we implement this exhaustively? Should we support everything from "day one", and should implementing new things in the policy be blocked on supporting acl tests? It's quite a large change, and I do have a lot to do, but will try to look at it in the upcoming weeks, I already have quite a backlog of other large PRs queued up. |
I think it does not matter, this should not block adding new things in the policy. It uses the same filter rule resolution logic. So if new autogroups or something like that are added to types.go with proper Resolve() implementation, it should still work fine. Of course if a new dimension is added to FilterRule then we would have to update it somewhat. But I don't expect that happening anytime soon. Not even sure if Tailscale itself has something other than source, destination and protocol. Of course more testing is needed. I also added the UI part in headplane, see the screenshots in tale/headplane#425 |
|
Next release will focus on |
2 participants
