From 83a12414994eb183f07ed28da755e0030c755efe Mon Sep 17 00:00:00 2001
From: alexfornuto
Date: Thu, 29 Jul 2021 11:49:23 -0500
Subject: [PATCH] squash mee

---
 docs/.vuepress/config.js | 1 -
 docs/enterprise/console-settings.yaml | 9 ++-
 .../reference/configuration-settings.md | 17 -----
 docs/enterprise/reference/configure.md | 4 +-
 docs/enterprise/reference/manage.md | 68 ++++++++++++++++++-
 5 files changed, 72 insertions(+), 27 deletions(-)
 delete mode 100644 docs/enterprise/reference/configuration-settings.md

diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js
index e5816a32e..63e60a6b6 100644
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@@ -218,7 +218,6 @@ module.exports = {
 sidebarDepth: 2,
 children: [
 "/enterprise/reference/config.md",
- "/enterprise/reference/configuration-settings",
 "/enterprise/reference/configure",
 "/enterprise/reference/manage",
 "/enterprise/reference/reports",
diff --git a/docs/enterprise/console-settings.yaml b/docs/enterprise/console-settings.yaml
index b19b21679..d7bc0dba7 100644
--- a/docs/enterprise/console-settings.yaml
+++ b/docs/enterprise/console-settings.yaml
@@ -49,7 +49,7 @@ settings:
 keys: ["allow_websockets"]
 - name: "Timeout"
 keys: ["timeout"]
- - name: "Stream Idle Timeout"
+ - name: "Idle Timeout"
 keys: ["idle_timeout"]
 - name: "Headers"
 settings:
@@ -124,7 +124,7 @@ settings:
 - `time_of_day`
 - `user` Some criteria also support a subpath as part of the criterion name:
+ Some criteria also support a sub-path as part of the criterion name:
 ```yaml
 - allow:
@@ -150,9 +150,8 @@ settings:
 - name: "Configure"
 settings:
 - name: "User Impersonation"
- keys: ["user impersonation"]
 doc: |
- @travis fill me with delicious data!
+ Travis fill me with delicious data!
 - name: "Settings"
 settings:
 - name: "Global"
@@ -165,7 +164,7 @@ settings:
 - name: "Proxy"
 - name: "Service Accounts"
 doc: |
-
+ Service accounts...
 - name: "Namespaces"
 keys: ["namespace"]
 doc: |
diff --git a/docs/enterprise/reference/configuration-settings.md b/docs/enterprise/reference/configuration-settings.md
deleted file mode 100644
index 87643c5f7..000000000
--- a/docs/enterprise/reference/configuration-settings.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Configuration Settings
-lang: en-US
-sidebarDepth: 2
-meta:
- - name: keywords
- content: configuration options settings Pomerium enterprise console
----
-
-# Configuration Settings
-
-These configuration values are set in the `config.yaml` file for Pomerium Enterprise Console, or as environment variables. Once the console is accessible, configuration is adjusted through the web UI.
-
-## User Impersonation
-
-@travis fill me with delicious data!
-
diff --git a/docs/enterprise/reference/configure.md b/docs/enterprise/reference/configure.md
index e7bb40a41..4612890cc 100644
--- a/docs/enterprise/reference/configure.md
+++ b/docs/enterprise/reference/configure.md
@@ -11,7 +11,7 @@ meta:
 ## User Impersonation
-@travis fill me with delicious data!
+Travis fill me with delicious data!
 ## Settings
@@ -92,7 +92,7 @@ tracing_zipkin_endpoint | Url to the Zipkin HTTP endpoint. | ✅
 ## Service Accounts
-
+ Service accounts...
 ## Namespaces
diff --git a/docs/enterprise/reference/manage.md b/docs/enterprise/reference/manage.md
index 73296e8d9..4d3bb3973 100644
--- a/docs/enterprise/reference/manage.md
+++ b/docs/enterprise/reference/manage.md
@@ -159,8 +159,9 @@ If set, enables proxying of websocket connections.
 #### Timeout
+Policy timeout establishes the per-route timeout value. Cannot exceed global timeout values.
-#### Stream Idle Timeout
+#### Idle Timeout
 If you are proxying long-lived requests that employ streaming calls such as websockets or gRPC, set this to either a maximum value there may be no data exchange over a connection (recommended),
@@ -242,6 +243,20 @@ The browser would be redirected to: `http://frontend/one/some/path/`. This is si
 ### Load Balancer
+#### Load Balancing Policy
+
+In presence of multiple upstreams, defines load balancing strategy between them.
+
+See [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-lbpolicy) for more details.
+
+- [`ROUND_ROBIN`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-round-robin) (default)
+- [`LEAST_REQUEST`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-least-request) and may be further configured using [`least_request_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-leastrequestlbconfig)
+- [`RING_HASH`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash) and may be further configured using [`ring_hash_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-ringhashlbconfig) option
+- [`RANDOM`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#random)
+- [`MAGLEV`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev) and may be further configured using [`maglev_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-maglevlbconfig) option
+
+Some policy types support additional [configuration](#load-balancing-policy-config).
+
 ## Policies
 A Policy defines what permissions a set of users or groups has.
 Policies are applied to Namespaces or Routes to associate the set of permissions with a service or set of service, completing the authentication model.
@@ -264,6 +279,55 @@ From the **EDITOR** tab users can write policies in Pomerium Policy Language (**
 ![A policy as viewed from the editor tab](../img/example-policy-editor.png)
+PPL documents contain one or more rules. Each rule has a corresponding action and one or more logical operators.
+Each logical operator contains criteria and each criterion has a name and corresponding data.
+
+PPL documents are defined via YAML:
+
+```yaml
+- allow:
+ or:
+ - email:
+ is: x@example.com
+ - email:
+ is: y@example.com
+```
+
+The available rule actions are:
+
+- `allow`
+- `deny`
+
+The available logical operators are:
+
+- `and`
+- `or`
+- `not`
+- `nor`
+
+The available criteria types are:
+
+- `accept`
+- `authenticated_user`
+- `claim`
+- `date`
+- `day_of_week`
+- `domain`
+- `email`
+- `groups`
+- `reject`
+- `time_of_day`
+- `user`
+
+Some criteria also support a subpath as part of the criterion name:
+
+```yaml
+- allow:
+ or:
+ - claim/family_name:
+ is: Smith
+```
+
 ### Rego
 For those using [OPA](https://www.openpolicyagent.org/), the **REGO** tab will accept policies written in Rego.
@@ -275,7 +339,7 @@ A policy can only support PPL or Rego. Once one is set, the other tab is disable
 ### Overrides
 - **Any Authenticated User**: This setting will allow access to a route with this policy attached to any user who can authenticate to your Identity Provider (**IdP**).
-- **CORS Preflight**:
+- **CORS Preflight**:
 - **Public Access**: This setting allows complete, unrestricted access to an associated route. Use this setting with caution.