Table: tailscale_acl_entry - Query Tailscale ACL Entries using SQL
Tailscale is a zero config VPN for building secure networks. Access Control Lists (ACLs) in Tailscale define the rules that govern the access between devices in a Tailscale network. Each entry in the ACL specifies the permissions for a particular set of devices.
Table Usage Guide
The tailscale_acl_entry
table provides insights into ACL entries within Tailscale. As a network administrator, explore entry-specific details through this table, including allowed or denied permissions, source and destination addresses, and associated metadata. Utilize it to uncover information about entries, such as those with broad permissions, the relationships between entries, and the verification of access rules.
Examples
Basic Info
Explore the actions taken between different sources and destinations in your network. This can help identify patterns or anomalies in network traffic, enhancing security and efficiency.
select action, source, destinationfrom tailscale_acl_entry;
select action, source, destinationfrom tailscale_acl_entry;
Devices that the user has access to
This query is useful for determining which devices a particular user has access to in a network. It helps in managing user permissions by identifying the devices a user can interact with, thereby enhancing network security and control.
with user_groups as ( select g.key as groups, v as users from tailscale_tailnet, jsonb_each(acl_groups) as g, jsonb_array_elements_text(g.value) as v),src_dest as ( select action, sources, destinations from tailscale_acl_entry, jsonb_array_elements_text(source) as sources, jsonb_array_elements_text(destination) as destinations where sources like 'group:%'),devices as ( select d.name as device_name, d.hostname as device_hostname, tag from tailscale_device as d, jsonb_array_elements_text(tags) as tag),user_perm as ( select action, destinations, users from user_groups u join src_dest s on u.groups = s.sources)select users as user_name, device_name, device_hostname, actionfrom devices d join user_perm u on u.destinations like '%' || d.tag || '%';
with user_groups as ( select g.key as groups, v as users from tailscale_tailnet, json_each(acl_groups) as g, json_each(g.value) as v),src_dest as ( select action, sources, destinations from tailscale_acl_entry, json_each(source) as sources, json_each(destination) as destinations where sources like 'group:%'),devices as ( select d.name as device_name, d.hostname as device_hostname, tag from tailscale_device as d, json_each(tags) as tag),user_perm as ( select action, destinations, users from user_groups u join src_dest s on u.groups = s.sources)select users as user_name, device_name, device_hostname, actionfrom devices d join user_perm u on u.destinations like '%' || d.tag || '%';
Devices that can be accessed using other devices in the network
Determine the areas in which devices in your network can be accessed by other devices. This could be beneficial in identifying potential security vulnerabilities or optimizing device connectivity within your network.
with src_dest as ( select action, sources, destinations from tailscale_acl_entry, jsonb_array_elements_text(source) as sources, jsonb_array_elements_text(destination) as destinations where sources like 'tag:%'),devices as ( select id, tag from tailscale_device as d, jsonb_array_elements_text(tags) as tag),all_devices as ( select td.name as device_name, tag, td.addresses ->> 0 as ipv4, td.addresses ->> 1 as ipv6, td.id, td.hostname as device_hostname from devices as d right join tailscale_device as td on d.id = td.id),source_devices as ( select action, device_name as sources, destinations from src_dest as sd join all_devices as d on d.tag = sd.sources group by action, device_name, destinations)select sources as source_device, ad.device_name as destination_devicefrom source_devices sd join all_devices ad on sd.destinations like '%' || ad.tag || '%' or sd.destinations like '%' || ad.ipv4 || '%';
with src_dest as ( select action, sources, destinations from tailscale_acl_entry, json_each(source) as sources, json_each(destination) as destinations where sources.value like 'tag:%'),devices as ( select id, tag from tailscale_device as d, json_each(tags) as tag),all_devices as ( select td.name as device_name, tag, json_extract(td.addresses, '$[0]') as ipv4, json_extract(td.addresses, '$[1]') as ipv6, td.id, td.hostname as device_hostname from devices as d left join tailscale_device as td on d.id = td.id),source_devices as ( select action, device_name as sources, destinations from src_dest as sd join all_devices as d on d.tag = sd.sources.value group by action, device_name, destinations)select sources as source_device, ad.device_name as destination_devicefrom source_devices sd join all_devices ad on sd.destinations.value like '%' || ad.tag || '%' or sd.destinations.value like '%' || ad.ipv4 || '%';
Schema for tailscale_acl_entry
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
action | text | Action defined for a device or a network. | |
destination | jsonb | The list of destination IP addresses for the connection. | |
ports | jsonb | The list of ports to apply the action on. | |
protocol | text | The protocol of the connection. | |
source | jsonb | The list of source IP addresses for the connection. | |
tailnet_name | text | The name of your tailnet. | |
users | jsonb | The list of users to apply an action on. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- tailscale
You can pass the configuration to the command with the --config
argument:
steampipe_export_tailscale --config '<your_config>' tailscale_acl_entry