docs: update branding, concepts (#2445)

* Pomerium Enterprise not Pomerium Enterprise Console to be consistent.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* s/The Pomerium Enterprise/Pomerium Enterprise/g

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* update concepts

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* Update docs/enterprise/about.md

Co-authored-by: Alex Fornuto <alex@fornuto.com>

* Update docs/enterprise/concepts.md

Co-authored-by: Alex Fornuto <alex@fornuto.com>

Co-authored-by: Alex Fornuto <alex@fornuto.com>
bobby 2021-08-06 09:13:35 -07:00 committed by GitHub
parent 63ee30d69c
commit 5cfad79447
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 50 additions and 52 deletions

View file

@ -207,7 +207,7 @@ You can also navigate to the special pomerium endpoint `hello.localhost.pomerium
## Next Steps
Congratulations on installing Pomerium to your Kubernetes cluster! If you're installing Pomerium Enterprise next, see [Install Pomerium Enterprise Console in Helm]. If not, check our our [guides](/guides/readme.md) to install common services behind Pomerium.
Congratulations on installing Pomerium to your Kubernetes cluster! If you're installing Pomerium Enterprise next, see [Install Pomerium Enterprise in Helm]. If not, check our our [guides](/guides/readme.md) to install common services behind Pomerium.
[cert-manager]: https://cert-manager.io/docs/
[cert-manager: CA]: https://cert-manager.io/docs/configuration/ca/
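Review bot: the rewritten line still carries the typo "check our our [guides]" from the original; since the sentence is being touched anyway, suggest "check out our [guides](/guides/readme.md)".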
@ -215,7 +215,7 @@ Congratulations on installing Pomerium to your Kubernetes cluster! If you're ins
[Helm]: https://helm.sh
[Install helm]: https://helm.sh/docs/using_helm/
[identity provider]: ../identity-providers/readme.md
[Install Pomerium Enterprise Console in Helm]: /enterprise/install/helm.md
[Install Pomerium Enterprise in Helm]: /enterprise/install/helm.md
[installing mkcert]: https://github.com/FiloSottile/mkcert#installation
[Install kubectl]: https://kubernetes.io/docs/tasks/tools/install-kubectl/
[Kubernetes]: https://kubernetes.io

View file

@ -6,7 +6,7 @@ description: What does the Pomerium Enterpise Console offer?
# Pomerium Enterprise
<!-- This paragraph introduces what Pomerium Enterprise is. -->
Pomerium Enterprise is built on Pomerium Open Source. Pomerium Enterprise makes Pomerium easier to manage at scale, and adds additional functionality aimed at organizations with auditing, compliance, governance, and risk management needs.
## Features
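Review bot: the frontmatter `description:` shown in the hunk header still reads "What does the Pomerium Enterpise Console offer?", which both keeps the "Console" wording this commit is removing and misspells "Enterprise"; suggest updating it to "What does Pomerium Enterprise offer?" in the same change so the page metadata matches the body.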
@ -14,21 +14,21 @@ In addition to the capabilities provided by open-source Pomerium, Pomerium Enter
### Management GUI
The Pomerium Enterprise Console lets you view traffic and logs, define routes and policies, and organize your service access all from an intuitive web interface.
Pomerium Enterprise lets you view traffic and logs, define routes and policies, and organize your service access from an intuitive web interface.
![Overview animation of the Pomerium Enterprise Console](./img/console-overview.gif)
![Overview animation of Pomerium Enterprise](./img/console-overview.gif)
### Programmatic API
Integrate Pomerium into your workflows by managing configuration from the programming language or infrastructure management tool of your choice.
Integrate Pomerium into your workflows by managing configuration from the programming language or infrastructure management tool of your choice. Everything that is manageable in the Management GUI can also be driven programmatically through the API.
### Session management
Quickly view who is logged in your infrastructure, with easy access to revoke sessions.
![Pomerium Enterprise Console Session List](./img/console-session-list.png)
![Pomerium Enterprise Session List](./img/console-session-list.png)
### Self-Service, and Access Controls
### Self-Service & Governance
Easily define who can control access to what areas of your infrastructure. Our [Namespaces](/enterprise/concepts.md#namespaces) make it easy to allow teams to self-manage access to the infrastructure they build from or depend on.
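Review bot: the unchanged context line "Quickly view who is logged in your infrastructure, with easy access to revoke sessions." is missing a preposition; suggest "who is logged in to your infrastructure". The heading rename to "Self-Service & Governance" is fine, but note the next line still speaks only of access control, so a short mention of what "governance" adds (namespaces, hierarchical policy) would keep the heading honest.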
@ -40,10 +40,8 @@ See [Concepts: Self-Service Capabilities](./concepts.md#self-service-capabilitie
### Deployment History & Audit Logs
View and export change and access logs from the web UI. Pomerium Enterprise Console gives you a complete view of who's using it and how access is adjusted.
View and export change and access logs from the web UI. Pomerium Enterprise gives you a complete view of who's using it and how access is adjusted.
<!-- This is a start, but a weak one. -->
## Learn more
## Sign up
Review our [Pricing](https://www.pomerium.com/pricing/) page, or [Contact Sales](https://www.pomerium.com/contact-sales/) When you're ready to get started.
For a full breakdown of the difference in the enterprise and open source versions of Pomerium, please see our [Pricing](https://www.pomerium.com/pricing/) page.
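Review bot: "Review our [Pricing] page, or [Contact Sales] When you're ready to get started." has a capitalised "When" mid-sentence; suggest "... or [Contact Sales](https://www.pomerium.com/contact-sales/) when you're ready to get started." The context line `<!-- This is a start, but a weak one. -->` is an author-to-author note that ships in the rendered source; consider removing it or turning it into a tracked issue.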

View file

@ -1,16 +1,16 @@
---
title: Concepts
sidebarDepth: 2
description: Learn how the Pomerium Enterprise Console works.
description: Learn how Pomerium Enterprise works.
---
# Concepts
## Namespaces
In the Pomerium Enterprise Console, a **Namespace** is a cornerstone organization unit. They are container objects that behave similar to a unix directory structure.
In Pomerium Enterprise, a **Namespace** is a cornerstone organization unit. They are container objects that behave similar to a unix directory structure.
In each Namespace, administrators can create organizational units where users and groups can be added. Namespaces enable fine-grained role based access control and management. The structure and hierarchy of namespaces empower teams to self-service the routes and policies pertinent to them. Namespaces can can also be used to optionally or mandatorily inherit from their parent permission or policies.
In each Namespace, administrators can create organizational units where users and groups can be added. Namespaces enable fine-grained role based access control and management (**RBAC**) to managing Pomerium. The structure and hierarchy of namespaces empower teams to self-service the routes and policies pertinent to them. Namespaces can can also be used to optionally or mandatorily inherit from their parent permission or policies.
Namespaces enable:
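Review bot: the new wording "Namespaces enable fine-grained role based access control and management (**RBAC**) to managing Pomerium." does not parse; suggest "Namespaces enable fine-grained role-based access control (**RBAC**) over the management of Pomerium itself." Two pre-existing slips in the same line are carried over unchanged: "can can also be used" and, in the preceding paragraph, "behave similar to a unix directory structure" (should be "similarly to").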
@ -31,11 +31,11 @@ Self-service has [several benefits](https://www.usenix.org/system/files/login/ar
- Encourages service owners to own their own route configuration and policy
- Ensures a reasonable compromise between development velocity and security controls
Unlike with a VPN, or network driven access control mechanisms, application owners (with limited access permissions managed through namespaces) can maintain route and policy configuration for their own services, while higher level operations, security, and identity teams are able to enforce higher level authorization and access policies.
Unlike with a VPN, or network driven access control mechanisms, application owners (with limited access permissions managed through namespaces) can maintain route and policy configuration for their own services, while higher level operations, security, and identity teams are able to enforce higher level authorization and access policies.
### Hierarchical Policy Enforcement
Hierarchical policy lets administrators enforce high level authorization policy. Policies can be optional (self-select), or mandatory.
Hierarchical policy lets administrators enforce inheritable authorization policy. Policies can be optional (self-select), or mandatory.
Identities and their group memberships are defined by your Identity Provider (**IdP**). Pomerium looks to your IdP for identity information, so policies defined using groups are always up-to-date with the access management defined upstream.
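Review bot: the two "Unlike with a VPN, or network driven access control mechanisms ..." lines are textually identical, so this appears to be a whitespace-only change; if that is intended, fine, but it is worth confirming the editor is not stripping something meaningful. While here, the sentence would read better as "Unlike a VPN or other network-driven access control mechanism, ...".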
@ -59,7 +59,7 @@ Meanwhile, the CFO is given [manager](#manager) permissions over the "Accounting
#### Guest (no role)
Users who are authenticated by your IdP but do not have a role assigned in the Pomerium Console can still view the list of Namespaces, but nothing else.
Users who are authenticated by your IdP but do not have a role assigned in Pomerium Enterprise can still view the list of Namespaces, but nothing else.
#### Viewer
@ -86,7 +86,7 @@ Pomerium populates users and groups from your IdP. This data is cached to preven
You may encounter a situation where you may want to add users that are not directly associated with your corporate identity provider service. For example, if you have a corporate GSuite account and want to add a contractor with a gmail account. In this case, there are two workarounds:
- Create a group within your identity provider directly with the non-domain users in it. This group can be found and added to Namespaces and Policies.
- Manually add the user's unique ID. Identify the ID from a user's Session Details page, or the [Sessions](/enterprise/reference/reports.html#sessions) page in Pomerium Enterprise Console.
- Manually add the user's unique ID. Identify the ID from a user's Session Details page, or the [Sessions](/enterprise/reference/reports.html#sessions) page in Pomerium Enterprise.
A user can see their session ID by navigating to the special `/.pomerium` URL endpoint from any Pomerium managed route. The unique ID is listed as "sub" under User Claims:
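Review bot: the unchanged context line "A user can see their session ID by navigating to the special `/.pomerium` URL endpoint ... The unique ID is listed as "sub" under User Claims" names the wrong identifier. The bullet above it asks for the user's unique ID, and the `sub` claim under User Claims is the IdP's subject identifier for the user, not the session ID; a reader who pastes the session ID from that page into a policy will not get a match. Suggest "A user can find their unique user ID by navigating to ...". Separately, this hunk links to `/enterprise/reference/reports.html#sessions` while the rest of the file cross-references `.md` paths; suggest `/enterprise/reference/reports.md#sessions` for consistency.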
@ -100,7 +100,7 @@ A service account identity can either be based on a user entry in your IdP Direc
## Routes
Routes define the connection pathway and configuration from the internet to your internal service. As a very basic level, a route sends traffic from `external-address.company.com` to `internalService-address.localdomain`, restricted by the policies associated with it, and encrypted by your TLS certificates. But more advanced configurations allow identity header pass-through, path and prefix rewrites, request and response header modification, load balancer services, and more.
Routes define the connection pathway and configuration from the internet to your internal service. As a very basic level, a route sends traffic from `external-address.company.com` to `internalService-address.localdomain`, restricted by the policies associated with it, and encrypted by your TLS certificates. But more advanced configurations allow identity header pass-through, path and prefix rewrites, request and response header modification, load balancer services, and other full featured ingress capabilities.
### Protected Endpoints
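Review bot: the rewritten line keeps "As a very basic level, a route sends traffic ..." from the original; suggest "At a very basic level". The new ending "load balancer services, and other full featured ingress capabilities" would be clearer as "load balancing, and other full-featured ingress capabilities", since the route itself is what load balances rather than exposing "services".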
@ -112,7 +112,7 @@ A Policy defines who has access to what based on the identity of the user, their
Policies can be applied to [Routes](#routes) directly, or enforced within a [Namespace](#namespaces). Policies allow operators to add authorization and access control to a single, or collection of routes.
To learn more about how to create Policies in Pomerium Enterprise Console, see [Reference: Policies].
To learn more about how to create Policies in Pomerium Enterprise, see [Reference: Policies].
## Access control
@ -132,13 +132,13 @@ Pomerium provides authentication via your existing identity provider (Pomerium s
Authorization policy can be expressed in a high-level, [declarative language](/enterprise/reference/manage.html#pomerium-policy-language) or [as code](/enterprise/reference/manage.html#rego) that can be used to enforce ABAC, RBAC, or any other governance policy controls. Pomerium can make holistic policy and authorization decisions using external data and request context factors such as user groups, roles, time, day, location and vulnerability status.
Trust flows from identity, device-state, and context, not network location. Every device, user, and application's communication should be authenticated, authorized, and encrypted.
Pomerium enables zero-trust based access in which trust flows from identity, device-state, and context, not network location. Every device, user, and application's communication should be authenticated, authorized, and encrypted.
With Pomerium:
- requests are continuously re-evaluated on a per-request basis.
- authorization is identity and context aware; pomerium can be used to integrate data from any source into authorization policy decisions.
- trust flows from identity, device-state, and context, not network location. Every device, user, and application's communication should be authenticated, authorized, and encrypted.
- trust flows from user and device identity, not network location. Every device, user, and application's communication should be authenticated, authorized, and encrypted.
- Pomerium provides detailed audit logs for all activity in your environment. Quickly detect anomalies to mitigate bad actors and revoke access with a click of a button. Simplify life-cycle management and access reviews.
[Reference: Policies]: /enterprise/reference/manage.md#policies-2
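Review bot: after this change the sentence "Every device, user, and application's communication should be authenticated, authorized, and encrypted." appears twice within a few lines, once in the new "Pomerium enables zero-trust based access ..." paragraph and again in the rewritten "trust flows from user and device identity, not network location" bullet. Suggest keeping it in the paragraph and trimming the bullet to "trust flows from user and device identity, not network location." Also, "pomerium can be used to integrate data" in the second bullet should be capitalised to match the rest of the page.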

View file

@ -29,7 +29,7 @@ settings:
doc: |
From the **Deployment History** page administrators can review changes made to their Pomerium configuration.
The default view shows all changes made through the Pomerium Enterprise Console. Use the **COMPARE** button next to an entry to filter to only changes that affected that resource. Select two versions of that resource, then **DIFF** to see what changed:
The default view shows all changes made through Pomerium Enterprise. Use the **COMPARE** button next to an entry to filter to only changes that affected that resource. Select two versions of that resource, then **DIFF** to see what changed:
![A screenshot showing the diff of a change to a route, adding a policy](../img/deployment-diff.png)
- name: "Manage"
@ -96,7 +96,7 @@ settings:
From the **BUILDER** tab, users can add allow or deny blocks to a policy, containing and/or/not/nor logic to allow or deny sets of users and groups.
![A policy being constructed in Pomerium Enterprise console allowing a single user access](../img/example-policy-single-user.png)
![A policy being constructed in Pomerium Enterprise allowing a single user access](../img/example-policy-single-user.png)
### Pomerium Policy Language
@ -174,7 +174,7 @@ settings:
- name: "Global"
settings:
- name: "Administrators"
doc: A list of users with full access to the Pomerium Enterprise Console
doc: A list of users with full access to Pomerium Enterprise
- name: "Debug"
- name: "Forward Auth"
- name: "HTTP Redirect Address"

View file

@ -4,18 +4,18 @@ sidebarDepth: 1
description: Install Pomerium Enterprise in Kubernetes with Helm
---
# Install Pomerium Enterprise Console in Helm
# Install Pomerium Enterprise in Helm
This document covers installing Pomerium Enterprise Console into your existing helm-managed Kubernetes cluster. It's designed to work with an existing cluster running Pomerium, as described im [Pomerium using Helm]. Follow that document before continuing here.
This document covers installing Pomerium Enterprise into your existing helm-managed Kubernetes cluster. It's designed to work with an existing cluster running Pomerium, as described im [Pomerium using Helm]. Follow that document before continuing here.
## Before You Begin
The Pomerium Enterprise Console requires:
Pomerium Enterprise requires:
- An accessible RDBMS. We support PostgreSQL 9+.
- A database and user with full permissions for it.
- A certificate management solution. This page will assume a store of certificates using [cert-manager] as the solution. If you use another certificate solution, adjust the steps accordingly.
- An existing Pomerium installation. If you don't already have the open-source Pomerium installed in your cluster, see [Pomerium using Helm] before you continue.
- An existing Pomerium installation. If you don't already have open-source Pomerium installed in your cluster, see [Pomerium using Helm] before you continue.
## System Requirements
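Review bot: "as described im [Pomerium using Helm]" survives the rewrite with the "im" typo; suggest "as described in [Pomerium using Helm]". In the requirements list, "A database and user with full permissions for it." would benefit from stating that the grant is scoped to that one database (owner of the database, not a superuser), so readers do not hand the console a cluster-wide role.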
@ -84,7 +84,7 @@ This setup assumes an existing certificate solution using cert-manager, as descr
helm upgrade --install pomerium pomerium/pomerium --values=./pomerium-values.yaml
```
## Install Pomerium Enterprise Console
## Install Pomerium Enterprise
1. Create `pomerium-console-values.yaml` as shown below, replacing placeholder values:
@ -133,7 +133,7 @@ This setup assumes an existing certificate solution using cert-manager, as descr
1. When visiting `https://console.localhost.pomerium.io`, you should se the Session List page:
![The Session List page after installing Pomerium Enterprise Console](../img/console-session-landing.png)
![The Session List page after installing Pomerium Enterprise](../img/console-session-landing.png)
## Troubleshooting
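Review bot: the context line "When visiting `https://console.localhost.pomerium.io`, you should se the Session List page:" has the typo "se"; suggest "you should see the Session List page:".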

View file

@ -21,7 +21,7 @@ This document assumes:
## Requirements
- The Pomerium Enterprise Console requires Linux amd64/x86_64. It can manage Pomerium instances on other platforms, however.
- Pomerium Enterprise requires Linux amd64/x86_64. It can manage Pomerium instances on other platforms, however.
- Each Console instance should have at least:
- 4 vCPUs
- 8G RAM
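Review bot: the bullet immediately below the rewritten line still reads "Each Console instance should have at least:", which keeps the "Console" naming this commit is removing; suggest "Each Pomerium Enterprise instance should have at least:".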
@ -35,7 +35,7 @@ This document assumes:
- 4G RAM
- 20G for data files
## Install Pomerium Enterprise Console
## Install Pomerium Enterprise
Pomerium publishes standard OS packages for RPM and DEB based systems. The repositories require authentication via username and access key. These credentials will be issued to you during the onboarding process.
@ -59,7 +59,7 @@ Pomerium publishes standard OS packages for RPM and DEB based systems. The repos
echo "deb https://dl.cloudsmith.io/[access-key]/pomerium/enterprise/deb/debian buster main" | sudo tee /apt/sources.list.d/pomerium-console.list
```
1. Update `apt` and install the Pomerium Enterprise Console:
1. Update `apt` and install Pomerium Enterprise:
```bash
sudo apt update; sudo apt install pomerium-console
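Review bot: the `tee` target in the unchanged context line, `/apt/sources.list.d/pomerium-console.list`, is missing the `/etc` prefix; apt reads source lists from `/etc/apt/sources.list.d/`, so as written the command creates a file apt never consults and the following `sudo apt install pomerium-console` fails with an unknown package. Suggest:

    echo "deb https://dl.cloudsmith.io/[access-key]/pomerium/enterprise/deb/debian buster main" | sudo tee /etc/apt/sources.list.d/pomerium-console.list

Because the URL embeds `[access-key]`, it is also worth one sentence noting that this file is readable by every local user, so the key should be treated as a credential and rotated if the host is shared. Finally, `sudo apt update; sudo apt install ...` runs the install even when the update fails; `&&` is the safer join.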
@ -108,7 +108,7 @@ sudo systemctl enable --now pomerium-console
## Initial Configuration
Like the open-source Pomerium base, Pomerium Enterprise Console is configured through a single config file, located at `/etc/pomerium-console/config.yaml`.
Like the open-source Pomerium base, Pomerium Enterprise is configured through a single config file, located at `/etc/pomerium-console/config.yaml`.
### Update Pomerium
@ -160,7 +160,7 @@ Once you have set permissions in the console UI, you should remove this configur
### TLS, Signing Key and Audience
1. If your open-source Pomerium installation is already configured to use TLS to secure back-end communication, you can do the same for the Pomerium Enterprise Console by providing it a certificate, key, and optional custom CA file to validate the `databroker_service_url` connection:
1. If your open-source Pomerium installation is already configured to use TLS to secure back-end communication, you can do the same for Pomerium Enterprise by providing it a certificate, key, and optional custom CA file to validate the `databroker_service_url` connection:
```yaml
tls_ca_file: /etc/pomerium-console/ca.pem
@ -202,4 +202,4 @@ audience: console.localhost.pomerium.com
## Next Steps
The Pomerium Enterprise Console assumes access to a [Prometheus](https://prometheus.io/) data store for metrics. See [Prometheus Metrics](/enterprise/prometheus.md) to learn how to configure access.
Pomerium Enterprise assumes access to a [Prometheus](https://prometheus.io/) data store for metrics. See [Prometheus Metrics](/enterprise/prometheus.md) to learn how to configure access.
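Review bot: the hunk header context `audience: console.localhost.pomerium.com` uses a `.com` host, while the console URL given in the Helm install doc in this same commit is `https://console.localhost.pomerium.io`. The audience is what the console checks against incoming tokens, so a reader copying both values verbatim ends up with rejected requests; suggest aligning the two hostnames (or noting explicitly that the audience must equal the external console hostname).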

View file

@ -6,7 +6,7 @@ meta:
content: pomerium identity-access-proxy oidc docker reverse-proxy containers install enterprise console
---
There are several ways to install Pomerium Enterprise, to suite your organization's needs. We provide open-source Pomerium and the Pomerium Enterprise Console as deb and rpm packages from an upstream repository, and as Docker images, and Helm charts. You can also build Pomerium from source.
There are several ways to install Pomerium Enterprise, to suite your organization's needs. We provide open-source Pomerium and Pomerium Enterprise as deb and rpm packages from an upstream repository, and as Docker images, and Helm charts. You can also build Pomerium from source.
Our docs are updated frequently, so check back if you don't see your preferred installation method here.
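Review bot: "to suite your organization's needs" keeps the "suite" typo from the original line; suggest "to suit". The list that follows also stacks conjunctions ("as deb and rpm packages from an upstream repository, and as Docker images, and Helm charts"); suggest "as deb and rpm packages from an upstream repository, as Docker images, and as Helm charts."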

View file

@ -6,7 +6,7 @@ description: Use Prometheus as a metrics data store.
# Prometheus Metrics
The Pomerium Enterprise Console uses Prometheus as a metrics collection back-end. You can configure Pomerium and the Console to talk to an existing Prometheus server, or configure the embedded Prometheus backend.
Pomerium Enterprise uses Prometheus as a metrics collection back-end. You can configure Pomerium and the Console to talk to an existing Prometheus server, or configure the embedded Prometheus backend.
## Prepare Pomerium
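Review bot: the rewritten line still says "You can configure Pomerium and the Console to talk to an existing Prometheus server", leaving "the Console" in place right after the rename; suggest "You can configure Pomerium and Pomerium Enterprise to talk to ...".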
@ -37,19 +37,19 @@ The Pomerium Enterprise Console uses Prometheus as a metrics collection back-end
curl -i -XPOST path.to.prometheus:port/-/reload
```
1. In the Pomerium Enterprise Console `config.yaml` file, define the `prometheus_url` key to point to your Prometheus instance(s):
1. In the Pomerium Enterprise `config.yaml` file, define the `prometheus_url` key to point to your Prometheus instance(s):
```yaml
prometheus_url: http://192.168.122.50:9090
```
1. Restart the Pomerium and Pomerium Enterprise Console services. You should now see route traffic data in the Enterprise Console:
1. Restart the Pomerium and Pomerium Enterprise services. You should now see route traffic data in the Enterprise Console:
![Traffic Data in Pomerium Enterprise Console](./img/console-route-traffic.png)
![Traffic Data in Pomerium Enterprise](./img/console-route-traffic.png)
## Embedded Prometheus
To take advantage of Prometheus embedded in Pomerium Enterprise Console, edit `/etc/pomerium-console/config.yaml`:
To take advantage of Prometheus embedded in Pomerium Enterprise, edit `/etc/pomerium-console/config.yaml`:
```yaml
prometheus_data_dir: /var/lib/pomerium-console/tsdb
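Review bot: the rewritten step "Restart the Pomerium and Pomerium Enterprise services. You should now see route traffic data in the Enterprise Console:" updates the first mention but leaves "the Enterprise Console" in the second clause; suggest "in Pomerium Enterprise" for consistency with the rest of the commit.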

View file

@ -3,7 +3,7 @@ title: Environment Variables
lang: en-US
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
content: configuration options settings Pomerium Enterprise
---
# Pomerium Console Environment Variables
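Review bot: the page heading `# Pomerium Console Environment Variables` in the trailing context still uses "Console" even though the keywords line directly above it was updated; suggest "# Pomerium Enterprise Environment Variables" so the title matches the new branding.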

View file

@ -4,7 +4,7 @@ lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
content: configuration options settings Pomerium Enterprise
---
# Configure
@ -17,7 +17,7 @@ meta:
#### Administrators
A list of users with full access to the Pomerium Enterprise Console
A list of users with full access to Pomerium Enterprise
#### Debug

View file

@ -4,7 +4,7 @@ lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
content: configuration options settings Pomerium Enterprise
---
# Manage
@ -280,7 +280,7 @@ Policies can be constructed three ways:
From the **BUILDER** tab, users can add allow or deny blocks to a policy, containing and/or/not/nor logic to allow or deny sets of users and groups.
![A policy being constructed in Pomerium Enterprise console allowing a single user access](../img/example-policy-single-user.png)
![A policy being constructed in Pomerium Enterprise allowing a single user access](../img/example-policy-single-user.png)
### Pomerium Policy Language

View file

@ -4,7 +4,7 @@ lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
content: configuration options settings Pomerium Enterprise
---
# Reports
@ -45,7 +45,7 @@ The value under **Resource ID** will usually match the resource ID of a [Policy]
From the **Deployment History** page administrators can review changes made to their Pomerium configuration.
The default view shows all changes made through the Pomerium Enterprise Console. Use the **COMPARE** button next to an entry to filter to only changes that affected that resource. Select two versions of that resource, then **DIFF** to see what changed:
The default view shows all changes made through Pomerium Enterprise. Use the **COMPARE** button next to an entry to filter to only changes that affected that resource. Select two versions of that resource, then **DIFF** to see what changed:
![A screenshot showing the diff of a change to a route, adding a policy](../img/deployment-diff.png)