authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
2025-08-03 00:40:25 +02:00 · 2019-03-07 12:47:07 -08:00 · 2019-03-07 12:47:07 -08:00 · c13459bb88
commit c13459bb88
parent 1187be2bf3
65 changed files with 1683 additions and 879 deletions
--- a/docs/guide/from-source.md
+++ b/docs/guide/from-source.md
@ -27,17 +27,19 @@ The command will run all the tests, some code linters, then build the binary. If

 ## Configure

-Make a copy of the [env.example] and name it something like `env`.
+### Environmental Configuration Variables 

-```bash
-cp env.example env
-```
+Create a environmental configuration file modify its configuration to to match your [identity provider] settings. For example, `env`: 

-Modify your `env` configuration to to match your [identity provider] settings.
+<<< @/env.example

-```bash
-vim env
-```
+
+### policy.yaml
+Next, create a policy configuration file which will contain the routes you want to proxy, and their desired access-controls. For example, `policy.example.yaml`:
+
+<<< @/policy.example.yaml
+
+### Certificates

 Place your domain's wild-card TLS certificate next to the compose file. If you don't have one handy, the included [script] generates one from [LetsEncrypt].

--- a/docs/guide/kubernetes.md
+++ b/docs/guide/kubernetes.md
@ -35,6 +35,8 @@ git clone https://github.com/pomerium/pomerium.git $HOME/pomerium

 Edit the the [example kubernetes files][./scripts/kubernetes_gke.sh] to match your [identity provider] settings:

+- `./docs/docs/examples/authorize.deploy.yml`
+- `./docs/docs/examples/authorize.service.yml`
 - `./docs/docs/examples/authenticate.deploy.yml`
 - `./docs/docs/examples/authenticate.service.yml`
 - `./docs/docs/examples/proxy.deploy.yml`
@ -50,8 +52,8 @@ Edit [./scripts/kubernetes_gke.sh] making sure to change the identity provider s
 Run [./scripts/kubernetes_gke.sh] which will:

 1. Provision a new cluster
-2. Create authenticate and proxy [deployments](https://cloud.google.com/kubernetes-engine/docs/concepts/deployment).
-3. Provision and apply authenticate and proxy [services](https://cloud.google.com/kubernetes-engine/docs/concepts/service).
+2. Create authenticate, authorize, and proxy [deployments](https://cloud.google.com/kubernetes-engine/docs/concepts/deployment).
+3. Provision and apply authenticate, authorize, and proxy [services](https://cloud.google.com/kubernetes-engine/docs/concepts/service).
 4. Configure an ingress load balancer.

 ```bash
--- a/docs/guide/readme.md
+++ b/docs/guide/readme.md
@ -10,11 +10,23 @@ Docker and docker-compose are tools for defining and running multi-container Doc

 ## Download

-Copy and paste the contents of the provided example [basic.docker-compose.yml] and save it locally as `docker-compose.yml`.
+Copy and paste the contents of the provided example [basic.docker-compose.yml].

 ## Configure

-Edit the `docker-compose.yml` to match your [identity provider] settings.
+### Docker-compose
+
+Edit the `docker-compose.yml` to match your specific [identity provider]'s settings. For example, `basic.docker-compose.yml`:
+
+<<< @/docs/docs/examples/docker/basic.docker-compose.yml
+
+### Policy configuration
+
+Next, create a policy configuration file which will contain the routes you want to proxy, and their desired access-controls. For example, `policy.example.yaml`:
+
+<<< @/policy.example.yaml
+
+### Certificates

 Place your domain's wild-card TLS certificate next to the compose file. If you don't have one handy, the included [script] generates one from [LetsEncrypt].