FR: Add group membership to whois

[hamishforbes]

What are you trying to do?

I'm experimenting with implementing something similar to the existing nginx-auth and proxy-to-grafana features.

tl;dr: An nginx-ingress plugin to authenticate Tailscale users per-Ingress

However ideally I'd like to be able to specify a Tailscale ACL group as allowed to access an Ingress.
The localapi whois response only gives me the username, so I either have to specify all users explicitly in my Ingress or maintain a separate group configuration outside of Tailscale.

How should we solve this?

Return ACL group membership in the localapi whois response

What is the impact of not solving this?

Maintain an external group configuration, not the end of the world especially as this method doesn't impact billing at all...

Anything else?

No response

[DentonGentry]

Related: #5968 requests a Users API.

The node doesn't know anything about group memberships currently, all of that is handled in the coordination server. The node receives a compiled ACL filter with the effects of group membership applied. The API, handled by the coordination server, would be an easier place to know about group memberships.

[alexwlchan]

This would have been useful for https://github.com/tailscale/corp/issues/31932, where we protected an internal debugging endpoint behind JIT access.

Only members of a group can see the endpoint, and it would have been nice if the "Access denied" error could distinguish between members of the group who need to JIT, and non-members who should never be permitted access.