README: document permission model and grants
Updates #18
Updates #22
Updates #86
Updates #120

Signed-off-by: Will Norris <[email protected]>
willnorris committed Apr 2, 2024
1 parent c66cbb8 commit f62e0b8
Showing 1 changed file with 43 additions and 0 deletions.
43 changes: 43 additions & 0 deletions README.md
Expand Up @@ -121,6 +121,49 @@ destination="/home/nonroot"

</details>

## Permissions

By default, users own the golinks they create and only they can update or delete those links.
Ownership can be transferred to another user from the link edit page.
Links whose owner is no longer part of the tailnet can be edited by any user,
at which point that user will become the new owner.

Users can be granted admin access to edit all links using [ACL grants] in your tailnet policy file.
For example, if you have your golink instance tagged with `tag:golink` and a user group named `group:golink-admins`,
you can grant them admin access using:

```json
{
"grants": [{
"src": ["group:golink-admins"],
"dst": ["tag:golink"],
"app": {
"tailscale.com/cap/golink": [{
"admin": true
}]
}
}]
}
```

Or if you want everyone to be able to edit all links, you could use `autogroup:member`:

```json
{
"grants": [{
"src": ["autogroup:member"],
"dst": ["tag:golink"],
"app": {
"tailscale.com/cap/golink": [{
"admin": true
}]
}
}]
}
```

[ACL grants]: https://tailscale.com/kb/1324/acl-grants

## Backups

Once you have golink running, you can backup all of your links in [JSON lines] format from <http://go/.export>.
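
Review bot: The `autogroup:member` example at the end of the new Permissions section sets `"admin": true` for every tailnet member, which cancels the owner-only default described in the section's first paragraph, and the text does not spell that out. Suggest adding a sentence there saying that with this grant any member can edit any link regardless of owner, so it should be a deliberate choice rather than a convenience default. It would also help to state whether admin access covers delete and ownership transfer, since the first paragraph says owners can "update or delete" while the grant paragraph only says "edit all links". The two JSON blocks differ only in the `src` line, so the second could be reduced to a note that `group:golink-admins` is replaced with `autogroup:member`.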