squash mee

alexfornuto 2021-07-29 11:49:23 -05:00
parent 1e0a767ed8
commit 83a1241499
5 changed files with 72 additions and 27 deletions

View file

@ -218,7 +218,6 @@ module.exports = {
sidebarDepth: 2, sidebarDepth: 2,
children: [ children: [
"/enterprise/reference/config.md", "/enterprise/reference/config.md",
"/enterprise/reference/configuration-settings",
"/enterprise/reference/configure", "/enterprise/reference/configure",
"/enterprise/reference/manage", "/enterprise/reference/manage",
"/enterprise/reference/reports", "/enterprise/reference/reports",

View file

@ -49,7 +49,7 @@ settings:
keys: ["allow_websockets"] keys: ["allow_websockets"]
- name: "Timeout" - name: "Timeout"
keys: ["timeout"] keys: ["timeout"]
- name: "Stream Idle Timeout" - name: "Idle Timeout"
keys: ["idle_timeout"] keys: ["idle_timeout"]
- name: "Headers" - name: "Headers"
settings: settings:
@ -124,7 +124,7 @@ settings:
- `time_of_day` - `time_of_day`
- `user` - `user`
Some criteria also support a subpath as part of the criterion name: Some criteria also support a sub-path as part of the criterion name:
```yaml ```yaml
- allow: - allow:
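Review bot: the change to "sub-path" in this description is not reflected in the reference page text added later in this commit, which still reads "Some criteria also support a subpath as part of the criterion name:". If that page is generated from this file, regenerate it after this edit; if it is maintained by hand, use one spelling in both places.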
@ -150,9 +150,8 @@ settings:
- name: "Configure" - name: "Configure"
settings: settings:
- name: "User Impersonation" - name: "User Impersonation"
keys: ["user impersonation"]
doc: | doc: |
@travis fill me with delicious data! Travis fill me with delicious data!
- name: "Settings" - name: "Settings"
settings: settings:
- name: "Global" - name: "Global"
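Review bot: the `doc:` value for "User Impersonation" is still placeholder text ("Travis fill me with delicious data!"), and the reference-page hunk in this commit shows it rendering directly under the `## User Impersonation` heading. Impersonation is an access-control feature that readers will look up, so either write the description before this merges or keep the placeholder inside an HTML comment, the way the Service Accounts entry does with `<!-- Explain Service Accounts -->`. Dropping `keys: ["user impersonation"]` is consistent with the other entries, whose keys are snake_case (`idle_timeout`, `allow_websockets`).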
@ -165,7 +164,7 @@ settings:
- name: "Proxy" - name: "Proxy"
- name: "Service Accounts" - name: "Service Accounts"
doc: | doc: |
<!-- Explain Service Accounts --> <!-- Explain Service Accounts --> Service accounts...
- name: "Namespaces" - name: "Namespaces"
keys: ["namespace"] keys: ["namespace"]
doc: | doc: |
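Review bot: appending "Service accounts..." after the `<!-- Explain Service Accounts -->` comment turns a hidden TODO into a visible sentence fragment under the Service Accounts heading. Finish the sentence in this commit, or leave only the comment until the explanation is written.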

View file

@ -1,17 +0,0 @@
---
title: Configuration Settings
lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
---
# Configuration Settings
These configuration values are set in the `config.yaml` file for Pomerium Enterprise Console, or as environment variables. Once the console is accessible, configuration is adjusted through the web UI.
## User Impersonation
@travis fill me with delicious data!
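Review bot: deleting this page and its sidebar entry (`"/enterprise/reference/configuration-settings"`) leaves any existing link to that path pointing at nothing, and no redirect or link update is visible in this commit. Search the docs for the old path before merging. The intro sentence about values being set in `config.yaml` or as environment variables until the console is accessible is also removed here; confirm it is stated on one of the remaining reference pages.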

View file

@ -11,7 +11,7 @@ meta:
## User Impersonation ## User Impersonation
@travis fill me with delicious data! Travis fill me with delicious data!
## Settings ## Settings
@ -92,7 +92,7 @@ tracing_zipkin_endpoint | Url to the Zipkin HTTP endpoint. | ✅
## Service Accounts ## Service Accounts
<!-- Explain Service Accounts --> <!-- Explain Service Accounts --> Service accounts...
## Namespaces ## Namespaces

View file

@ -159,8 +159,9 @@ If set, enables proxying of websocket connections.
#### Timeout #### Timeout
Policy timeout establishes the per-route timeout value. Cannot exceed global timeout values.
#### Stream Idle Timeout #### Idle Timeout
If you are proxying long-lived requests that employ streaming calls such as websockets or gRPC, If you are proxying long-lived requests that employ streaming calls such as websockets or gRPC,
set this to either a maximum value there may be no data exchange over a connection (recommended), set this to either a maximum value there may be no data exchange over a connection (recommended),
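Review bot: the added Timeout text ("Policy timeout establishes the per-route timeout value. Cannot exceed global timeout values.") calls the setting a policy timeout while describing a per-route value, and does not say which global settings bound it. Name the global keys it is capped by and say what happens when the route value is larger (rejected or clamped). Separately, renaming the heading from "Stream Idle Timeout" to "Idle Timeout" changes its generated anchor, so links to the old anchor need updating.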
@ -242,6 +243,20 @@ The browser would be redirected to: `http://frontend/one/some/path/`. This is si
### Load Balancer ### Load Balancer
#### Load Balancing Policy
In presence of multiple upstreams, defines load balancing strategy between them.
See [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-lbpolicy) for more details.
- [`ROUND_ROBIN`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-round-robin) (default)
- [`LEAST_REQUEST`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-least-request) and may be further configured using [`least_request_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-leastrequestlbconfig)
- [`RING_HASH`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash) and may be further configured using [`ring_hash_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-ringhashlbconfig) option
- [`RANDOM`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#random)
- [`MAGLEV`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev) and may be further configured using [`maglev_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-maglevlbconfig) option
Some policy types support additional [configuration](#load-balancing-policy-config).
## Policies ## Policies
A Policy defines what permissions a set of users or groups has. Policies are applied to Namespaces or Routes to associate the set of permissions with a service or set of service, completing the authentication model. A Policy defines what permissions a set of users or groups has. Policies are applied to Namespaces or Routes to associate the set of permissions with a service or set of service, completing the authentication model.
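Review bot: in the `RING_HASH` bullet, the `ring_hash_lb_config` link uses the fragment `#config-cluster-v3-cluster-ringhashlbconfig`, while the `least_request_lb_config` and `maglev_lb_config` links use the `#envoy-v3-api-msg-config-cluster-v3-cluster-...` form; check that the ring hash fragment resolves. The closing sentence links to `#load-balancing-policy-config`, but this hunk adds no heading that would produce that anchor, so confirm the target exists on this page. The bullets are also inconsistent: `LEAST_REQUEST` lacks the trailing "option" the others have, and "In presence of multiple upstreams, defines load balancing strategy" reads better as "When multiple upstreams are present, defines the load balancing strategy".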
@ -264,6 +279,55 @@ From the **EDITOR** tab users can write policies in Pomerium Policy Language (**
![A policy as viewed from the editor tab](../img/example-policy-editor.png) ![A policy as viewed from the editor tab](../img/example-policy-editor.png)
PPL documents contain one or more rules. Each rule has a corresponding action and one or more logical operators.
Each logical operator contains criteria and each criterion has a name and corresponding data.
PPL documents are defined via YAML:
```yaml
- allow:
or:
- email:
is: x@example.com
- email:
is: y@example.com
```
The available rule actions are:
- `allow`
- `deny`
The available logical operators are:
- `and`
- `or`
- `not`
- `nor`
The available criteria types are:
- `accept`
- `authenticated_user`
- `claim`
- `date`
- `day_of_week`
- `domain`
- `email`
- `groups`
- `reject`
- `time_of_day`
- `user`
Some criteria also support a subpath as part of the criterion name:
```yaml
- allow:
or:
- claim/family_name:
is: Smith
```
### Rego ### Rego
For those using [OPA](https://www.openpolicyagent.org/), the **REGO** tab will accept policies written in Rego. For those using [OPA](https://www.openpolicyagent.org/), the **REGO** tab will accept policies written in Rego.
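Review bot: the PPL section lists `allow` and `deny` actions and the `and`/`or`/`not`/`nor` operators without saying how they are evaluated together, in particular which wins when one rule allows and another denies the same request. For an authorization language that is the detail a reader most needs, so add a sentence on precedence and on the default when no rule matches. The criteria list would also benefit from a one-line description per entry, since `accept` and `reject` are not self-explanatory next to the `allow` and `deny` actions.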