diff --git a/api.md b/api.md index 449a1a94b..52c010b11 100644 --- a/api.md +++ b/api.md @@ -402,20 +402,20 @@ Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c" // Example/default ACLs for unrestricted connections. { - "Tests": [], + "tests": [], // Declare static groups of users beyond those in the identity service. - "Groups": { + "groups": { "group:example": [ "user1@example.com", "user2@example.com" ], }, // Declare convenient hostname aliases to use in place of IP addresses. - "Hosts": { + "hosts": { "example-host-1": "100.100.100.100", }, // Access control lists. - "ACLs": [ + "acls": [ // Match absolutely everything. Comment out this section if you want // to define specific ACL restrictions. { @@ -494,14 +494,14 @@ A special value `ts-default` will ensure that ACL will be set only if current AC The POST body should be a JSON or [HuJSON](https://github.com/tailscale/hujson#hujson---human-json) formatted JSON object. An ACL policy may contain the following top-level properties: -* `Groups` - Static groups of users which can be used for ACL rules. -* `Hosts` - Hostname aliases to use in place of IP addresses or subnets. -* `ACLs` - Access control lists. -* `TagOwners` - Defines who is allowed to use which tags. -* `Tests` - Run on ACL updates to check correct functionality of defined ACLs. -* `AutoApprovers` - Defines which users can advertise routes or exit nodes without further approval. -* `SSH` - Configures access policy for Tailscale SSH. -* `NodeAttrs` - Defines which devices can use certain features. +* `groups` - Static groups of users which can be used for ACL rules. +* `hosts` - Hostname aliases to use in place of IP addresses or subnets. +* `acls` - Access control lists. +* `tagOwners` - Defines who is allowed to use which tags. +* `tests` - Run on ACL updates to check correct functionality of defined ACLs. +* `autoApprovers` - Defines which users can advertise routes or exit nodes without further approval. +* `ssh` - Configures access policy for Tailscale SSH. +* `nodeAttrs` - Defines which devices can use certain features. See https://tailscale.com/kb/1018/acls for more information on those properties. @@ -514,22 +514,22 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \ --data-binary '// Example/default ACLs for unrestricted connections. { // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines. - "Tests": [ - // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]}, + "tests": [ + // {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]}, ], // Declare static groups of users beyond those in the identity service. - "Groups": { + "groups": { "group:example": [ "user1@example.com", "user2@example.com" ], }, // Declare convenient hostname aliases to use in place of IP addresses. - "Hosts": { + "hosts": { "example-host-1": "100.100.100.100", }, // Access control lists. - "ACLs": [ + "acls": [ // Match absolutely everything. Comment out this section if you want // to define specific ACL restrictions. - { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] }, + { "action": "accept", "users": ["*"], "ports": ["*:*"] }, ] }' ``` @@ -539,22 +539,22 @@ Response: // Example/default ACLs for unrestricted connections. { // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines. - "Tests": [ - // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]}, + "tests": [ + // {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]}, ], // Declare static groups of users beyond those in the identity service. - "Groups": { + "groups": { "group:example": [ "user1@example.com", "user2@example.com" ], }, // Declare convenient hostname aliases to use in place of IP addresses. - "Hosts": { + "hosts": { "example-host-1": "100.100.100.100", }, // Access control lists. - "ACLs": [ + "acls": [ // Match absolutely everything. Comment out this section if you want // to define specific ACL restrictions. - { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] }, + { "action": "accept", "users": ["*"], "ports": ["*:*"] }, ] } ``` @@ -597,22 +597,22 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFo --data-binary '// Example/default ACLs for unrestricted connections. { // Declare tests to check functionality of ACL rules. User must be a valid user with registered machines. - "Tests": [ - // {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]}, + "tests": [ + // {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]}, ], // Declare static groups of users beyond those in the identity service. - "Groups": { + "groups": { "group:example": [ "user1@example.com", "user2@example.com" ], }, // Declare convenient hostname aliases to use in place of IP addresses. - "Hosts": { + "hosts": { "example-host-1": "100.100.100.100", }, // Access control lists. - "ACLs": [ + "acls": [ // Match absolutely everything. Comment out this section if you want // to define specific ACL restrictions. - { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] }, + { "action": "accept", "users": ["*"], "ports": ["*:*"] }, ] }' ``` @@ -648,7 +648,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \ -u "tskey-yourapikey123:" \ --data-binary ' [ - {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]} + {"src": "user1@example.com", "accept": ["example-host-1:22"], "deny": ["example-host-2:100"]} ]' ``` @@ -659,10 +659,10 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \ -u "tskey-yourapikey123:" \ --data-binary ' { - "ACLs": [ - { "Action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] }, + "acls": [ + { "action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] }, ], - "Tests", [ + "tests", [ {"src": "100.105.106.107", "allow": ["1.2.3.4:80"]} ], }'