squash mee

2025-06-17 02:02:57 +02:00 · 2021-07-29 11:49:23 -05:00 · 2021-07-29 11:49:23 -05:00 · 83a1241499
commit 83a1241499
parent 1e0a767ed8
5 changed files with 72 additions and 27 deletions
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@ -218,7 +218,6 @@ module.exports = {
              sidebarDepth: 2,
              children: [
                "/enterprise/reference/config.md",
-                "/enterprise/reference/configuration-settings",
                "/enterprise/reference/configure",
                "/enterprise/reference/manage",
                "/enterprise/reference/reports",
--- a/docs/enterprise/console-settings.yaml
+++ b/docs/enterprise/console-settings.yaml
@ -49,7 +49,7 @@ settings:
                keys: ["allow_websockets"]
              - name: "Timeout"
                keys: ["timeout"]
-              - name: "Stream Idle Timeout"
+              - name: "Idle Timeout"
                keys: ["idle_timeout"]
          - name: "Headers"
            settings:
@ -124,7 +124,7 @@ settings:
          - `time_of_day`
          - `user`

-          Some criteria also support a subpath as part of the criterion name:
+          Some criteria also support a sub-path as part of the criterion name:

          ```yaml
          - allow:
@ -150,9 +150,8 @@ settings:
  - name: "Configure"
    settings:
      - name: "User Impersonation"
-        keys: ["user impersonation"]
        doc: |
-          @travis fill me with delicious data!
+          Travis fill me with delicious data!
      - name: "Settings"
        settings:
          - name: "Global"
@ -165,7 +164,7 @@ settings:
          - name: "Proxy"
      - name: "Service Accounts"
        doc: |
-          <!-- Explain Service Accounts -->
+          <!-- Explain Service Accounts --> Service accounts...
      - name: "Namespaces"
        keys: ["namespace"]
        doc: |
--- a/docs/enterprise/reference/configuration-settings.md
+++ b/docs/enterprise/reference/configuration-settings.md
@ -1,17 +0,0 @@
---
-title: Configuration Settings
-lang: en-US
-sidebarDepth: 2
-meta:
-    - name: keywords
-      content: configuration options settings Pomerium enterprise console
---
-
-# Configuration Settings
-
-These configuration values are set in the `config.yaml` file for Pomerium Enterprise Console, or as environment variables. Once the console is accessible, configuration is adjusted through the web UI.
-
-## User Impersonation
-
-@travis fill me with delicious data!
-
--- a/docs/enterprise/reference/configure.md
+++ b/docs/enterprise/reference/configure.md
@ -11,7 +11,7 @@ meta:

 ## User Impersonation

-@travis fill me with delicious data!
+Travis fill me with delicious data!


 ## Settings
@ -92,7 +92,7 @@ tracing_zipkin_endpoint | Url to the Zipkin HTTP endpoint. | ✅

 ## Service Accounts

-<!-- Explain Service Accounts -->
+<!-- Explain Service Accounts --> Service accounts...


 ## Namespaces
--- a/docs/enterprise/reference/manage.md
+++ b/docs/enterprise/reference/manage.md
@ -159,8 +159,9 @@ If set, enables proxying of websocket connections.

 #### Timeout

+Policy timeout establishes the per-route timeout value. Cannot exceed global timeout values.

-#### Stream Idle Timeout
+#### Idle Timeout

 If you are proxying long-lived requests that employ streaming calls such as websockets or gRPC,
 set this to either a maximum value there may be no data exchange over a connection (recommended),
@ -242,6 +243,20 @@ The browser would be redirected to: `http://frontend/one/some/path/`. This is si
 ### Load Balancer


+#### Load Balancing Policy
+
+In presence of multiple upstreams, defines load balancing strategy between them.
+
+See [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-lbpolicy) for more details.
+
+- [`ROUND_ROBIN`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-round-robin) (default)
+- [`LEAST_REQUEST`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#weighted-least-request) and may be further configured using [`least_request_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-leastrequestlbconfig)
+- [`RING_HASH`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash) and may be further configured using [`ring_hash_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-ringhashlbconfig) option
+- [`RANDOM`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#random)
+- [`MAGLEV`](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev) and may be further configured using [`maglev_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-maglevlbconfig) option
+
+Some policy types support additional [configuration](#load-balancing-policy-config).
+
 ## Policies

 A Policy defines what permissions a set of users or groups has. Policies are applied to Namespaces or Routes to associate the set of permissions with a service or set of service, completing the authentication model.
@ -264,6 +279,55 @@ From the **EDITOR** tab users can write policies in Pomerium Policy Language (**

 ![A policy as viewed from the editor tab](../img/example-policy-editor.png)

+PPL documents contain one or more rules. Each rule has a corresponding action and one or more logical operators.
+Each logical operator contains criteria and each criterion has a name and corresponding data.
+
+PPL documents are defined via YAML:
+
+```yaml
+- allow:
+    or:
+      - email:
+          is: x@example.com
+      - email:
+          is: y@example.com
+```
+
+The available rule actions are:
+
+- `allow`
+- `deny`
+
+The available logical operators are:
+
+- `and`
+- `or`
+- `not`
+- `nor`
+
+The available criteria types are:
+
+- `accept`
+- `authenticated_user`
+- `claim`
+- `date`
+- `day_of_week`
+- `domain`
+- `email`
+- `groups`
+- `reject`
+- `time_of_day`
+- `user`
+
+Some criteria also support a subpath as part of the criterion name:
+
+```yaml
+- allow:
+    or:
+      - claim/family_name:
+          is: Smith
+```
+
 ### Rego

 For those using [OPA](https://www.openpolicyagent.org/), the **REGO** tab will accept policies written in Rego.
@ -275,7 +339,7 @@ A policy can only support PPL or Rego. Once one is set, the other tab is disable
 ### Overrides

 - **Any Authenticated User**: This setting will allow access to a route with this policy attached to any user who can authenticate to your Identity Provider (**IdP**).
- **CORS Preflight**: 
+- **CORS Preflight**:
 - **Public Access**: This setting allows complete, unrestricted access to an associated route. Use this setting with caution.