A new generation of Tailscale access controls

https://news.ycombinator.com/rss
Summary

Today, we’re announcing the general availability of grants, Tailscale’s next generation of access controls that combine network and application capabilities into a single syntax. Grants are a superset of our original ACLs — anything you can write as an ACL can be expressed as a grant. In most scenarios, grants are easier to write and read than the ACL syntax. Let’s take a look:

  "acls": [
    {
      "action": "accept",
      "src": ["group:eng"],
      "dst": ["tag:internal-tool:443"],
      "proto": ["tcp"]
    }
  ],

  "grants": [
    {
      "src": ["group:eng"],
      "dst": ["tag:internal-tool"],
      "ip": ["tcp:443"]
    }
  ]

Grants are designed to be easy to write and easy to read, for both humans and computers. We combined ports and protocols into a single ip field and removed the redundant action field. This simplifies our original ACL syntax, where these fields were needed in every rule.

Grants go beyond simplifying the ACL syntax; they also add new tools that you can use for more powerful access controls.

Tailscale’s access controls have always been able to define network-level permissions at Layer 3, but this is only half the story — you still need to handle authentication and authorization for users once their packets reach your applications.

For private services inside your tailnet, like internal tools, implementing auth on every app is overkill. That’s why we developed tsnet, a Go library that embeds Tailscale directly in your applications. This lets you see and react to the identity of every user who makes a request to your app. So, authentication is handled… what about authorization?

That’s where grants come in. You define application capabilities in a grant, and they’re passed to your application. There, you can read them alongside the identity of the user. Together, grants and tsnet let you build private services that rely on Tailscale’s RBAC policy for authentication and authorization.

Application capabilities are namespaced, freeform JSON objects.
You can define permissions that should be granted to the...

First seen: 2025-06-01 14:31

Last seen: 2025-06-02 12:35