3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-02 08:19:23 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/enterprise/console-settings.yaml
Alex Fornuto 5332a752d0
Enterprise Docs (#2390) 
* install VuePress Plugin Tabs

https://www.npmjs.com/package/vuepress-plugin-tabs

* init Enterprise documentation section

* replace Vuepress tab plugin

now using https://github.com/superbiger/vuepress-plugin-tabs

* init Enterprise Quickstart

* block of enterprise doc updates

* Helm Quickstart Update (#2380)

* removed/fixed redundant or incorrect config

And some small copy edits

* Update docs/docs/quick-start/helm.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* init console with helm doc

* squash me

* codeblock fix

* init about page

* updates to Enterprise section

* consolidate on Postgres

* WIP helm updates

* update and align OS and Enterprise helm docs

* Enterprise settings docs (#2397)

* init console-specific reference docs files

* remove shortdoc for name

* init Enterprise Reference doc

* expanding Enterprise Reference

* init JS script for reference subpages

When reviewing please remember that I'm not a developer, be kind

* update script and apply

* remove errant dep

* document script and expand for CLI help output

* import pomerium-console_serve.yaml

In future iterations, this file should be sourced at build time as an artifact from the pomerium-console repo

* init new output file

* update script call and output

* fix anchor links

* BROKEN - import content from settings.yaml when dupe is true

* filtering WiP

* fix dupe script, more content

* replace if dupe with if not docs

* squash me

* squash me!

* add docs about PPL (#2404)

* squash meeeeee

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* symlink img dir from docs/reference

* squash mee

* update install reqs

* Fixed links throughout

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* remove internal note

* - format python with black
- format js with prettier

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* optimize images with imageOptim

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* run prettier on config.js

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* concepts.md

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* update concepts

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* copy edits

* typo

* symlink img dir from docs/reference

* modify TLS section in quick-start

* rm whitespace

* add common links postamble

* block of updates

* block of updates

* updates with @travisgroth

* turtles all the way down

* more content

* import all the things

* fill out reports

* fill out reports

* fix file extension

* fix links

* crosslink PPL ref

* document embedded prometheus

* expand example

* update reqs

* document non-directory users

* typo fix

* update metrics_address

* fix broken links in example configs

* update examples for route syntax

* replaced required with deprecated

Note that I didn't link to the route reference because I'm unsure what link formats are accepted when this file is used elsewhere. The warning block below includes a link.

* update enterprise/about

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* remove commented config lines

* update non-domain user section in concepts

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/about.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* add console route to OSS conf

* update enterprise settings copy from source file

* Update docs/enterprise/concepts.md

* Update reports reference

* merge conflict resolution

* update sourced doc content, fix whitespace

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2021-08-04 13:55:04 -05:00

246 lines
11 KiB
YAML
Raw Blame History

settings:
- name: "Reports"
settings:
- name: "Traffic"
doc: |
View the traffic running through Pomerium. Filter by [Route][route-concept] name, or date range.
![The Traffic page in Pomerium Enterprise](../img/traffic-fullpage.png)
- name: "Runtime"
doc: |
Monitor how many system resources Pomerium is consuming. Filter by date range, service, and instance.
![The Runtime Info page in Pomerium Enterprise](../img/runtime-fullpage.png)
- name: "Sessions"
doc: |
View active Sessions. From here you can revoke sessions, filter by session or user information, or revoke one or multiple sessions. You can also export the data.
![The Sessions page in Pomerium Enterprise](../img/sessions-fullpage.png)
- name: "Events"
doc: |
The events page displays the log output of Envoy as it process changes from Pomerium and applies updates to the underlying services.
![The Events page in Pomerium Enterprise](../img/events-fullpage.png)
The most common updates are to Pomerium Proxy services, which are updated every time a Route or Policy is created or updated.
The value under **Resource ID** will usually match the resource ID of a [Policy][policy-reference], visible in the Policy under **Change History** or in the URL. A value of "Pomerium Restarted" refers to when services are reloaded, usually due to a system update.
- name: "Deployments"
doc: |
From the **Deployment History** page administrators can review changes made to their Pomerium configuration.
The default view shows all changes made through the Pomerium Enterprise Console. Use the **COMPARE** button next to an entry to filter to only changes that affected that resource. Select two versions of that resource, then **DIFF** to see what changed:
![A screenshot showing the diff of a change to a route, adding a policy](../img/deployment-diff.png)
- name: "Manage"
settings:
- name: "Routes"
doc: |
A Route defines how to access a service running behind Pomerium. This includes authentication (both for Pomerium and passed through to the service), rewrites, header management, load balancing, etc.
settings:
- name: "General"
doc: |
The **General** tab defines the route path, both from the internet and to the internal service, and the policies attached. Note that policies enforced on a [Namespace][namespace-reference] the route resides in will also be applied.
settings:
- name: "Name"
doc: This value is only visible in the Console UI.
- name: "From"
- name: "To"
- name: "Redirect"
- name: "Pass Identity Headers"
- name: "Policies"
doc: Add or remove Policies to be applied to the Route. Note that Policies enforced in the Route's Namespace will be applied automatically.
- name: "Enable Google Cloud Serverless Authentication"
- name: "Matchers"
settings:
- name: Path
- name: Prefix
- name: Regex
- name: "Rewrite"
settings:
- name: "Prefix Rewrite"
- name: "Regex Rewrite Pattern"
keys: ["regex_rewrite_pattern"]
doc: |
The pattern to match before rewriting, ex: `^/service/([^/]+)(/.*)$`.
- name: "Regex Rewrite Substitution"
keys: ["regex_rewrite_substitution"]
doc: |
The substitution for your regex pattern, ex: `\\2/instance/\\1`.
- name: "Timeouts"
settings:
- name: "Allow Websockets"
keys: ["allow_websockets"]
- name: "Timeout"
keys: ["timeout"]
- name: "Idle Timeout"
keys: ["idle_timeout"]
- name: "Headers"
settings:
- name: "Host Headers"
keys: ["host_rewrite"]
- name: "Set Request Headers"
- name: "Remove Request Headers"
- name: "Rewrite Response Headers"
- name: "Load Balancer"
settings:
- name: "Load Balancing Policy"
- name: "Policies"
keys: ["Policy"]
doc: |
A Policy defines what permissions a set of users or groups has. Policies are applied to Namespaces or Routes to associate the set of permissions with a service or set of service, completing the authentication model.
Policies can be constructed three ways:
### Web UI
From the **BUILDER** tab, users can add allow or deny blocks to a policy, containing and/or/not/nor logic to allow or deny sets of users and groups.
![A policy being constructed in Pomerium Enterprise console allowing a single user access](../img/example-policy-single-user.png)
### Pomerium Policy Language
From the **EDITOR** tab users can write policies in Pomerium Policy Language (**PPL**), a YAML-based notation.
![A policy as viewed from the editor tab](../img/example-policy-editor.png)
PPL documents contain one or more rules. Each rule has a corresponding action and one or more logical operators.
Each logical operator contains criteria and each criterion has a name and corresponding data.
PPL documents are defined via YAML:
```yaml
- allow:
or:
- email:
is: x@example.com
- email:
is: y@example.com
```
The available rule actions are:
- `allow`
- `deny`
The available logical operators are:
- `and`
- `or`
- `not`
- `nor`
The available criteria types are:
- `accept`
- `authenticated_user`
- `claim`
- `date`
- `day_of_week`
- `domain`
- `email`
- `groups`
- `reject`
- `time_of_day`
- `user`
Some criteria also support a sub-path as part of the criterion name:
```yaml
- allow:
or:
- claim/family_name:
is: Smith
```
### Rego
For those using [OPA](https://www.openpolicyagent.org/), the **REGO** tab will accept policies written in Rego.
::: tip
A policy can only support PPL or Rego. Once one is set, the other tab is disabled.
:::
### Overrides
- **Any Authenticated User**: This setting will allow access to a route with this policy attached to any user who can authenticate to your Identity Provider (**IdP**).
- **CORS Preflight**:
- **Public Access**: This setting allows complete, unrestricted access to an associated route. Use this setting with caution.
- name: "Certificates"
- name: "Configure"
settings:
- name: "Settings"
settings:
- name: "Global"
settings:
- name: "Administrators"
doc: A list of users with full access to the Pomerium Enterprise Console
- name: "Debug"
- name: "Forward Auth"
- name: "HTTP Redirect Address"
- name: "DNS Lookup Family"
- name: "Log Level"
- name: "Proxy Log Level"
- name: "Enable User Impersonation"
- name: "Cookies"
settings:
- name: "HTTPS Only"
keys: ["cookie_secure"]
- name: "Javascript Security"
- name: "Expires"
keys: ["cookie_expire"]
- name: "Timeouts"
doc: "Timeouts set the global server timeouts. Timeouts can also be set for individual routes."
- name: "GRPC"
settings:
- name: "GRPC Server Max Connection Age"
doc: |
Set max connection age for GRPC servers. After this interval, servers ask clients to reconnect and perform any rediscovery for new/updated endpoints from DNS.
See https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters for details
- name: "GRPC Server Max Connection Age Grace"
doc: |
Additive period with grpc_server_max_connection_age, after which servers will force connections to close.
See https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters (opens new window)for details
- name: "Tracing"
- name: "Authenticate"
- name: "Authorize"
settings:
- name: "Signing Key"
- name: "Signing Key Algorithm"
- name: "Proxy"
settings:
- name: "Certificate Authority"
keys: ["certificate_authority"]
- name: "Default Upstream Timeout"
- name: "JWT Claim Headers"
- name: "Override Certificate Name"
- name: "Refresh Cooldown"
- name: "X-Forward-For HTTP Header"
keys: ["skip_xff_append"]
- name: "Response Headers"
keys: ["set_response_headers"]
- name: "Service Accounts"
doc: |
See [Concepts: Service Accounts][service-accounts-concept].
- name: "Namespaces"
keys: ["namespace"]
doc: |
A [Namespace][namespace-concept] is a collection of users, groups, routes, and policies that allows system administrators to organize, manage, and delegate permissions across their infrastructure.
- Policies can be optional or enforced on a Namespace.
- Enforced policies are also enforced on child Namespaces, and optional policies are available to them as well.
- Users or groups can be granted permission to edit access to routes within a Namespace, allowing them self-serve access to the routes critical to their work.
::: tip
When using an IdP without directory sync or when working with non-domain users, they will not show up in the look-ahead search. See [Non-Domain Users](/enterprise/concepts.html#non-domain-users) for more information.
:::
postamble: |
[route-concept]: /enterprise/concepts.md#routes
[route-reference]: /enterprise/reference/manage.md#routes
[namespace-concept]: /enterprise/concepts.md#namespaces
[namespace-reference]: /enterprise/reference/configure.md#namespaces
[service-accounts-concept]: /enterprise/concepts.md#service-accounts
[policy-reference]: /enterprise/reference/manage.md#policies-2
Reference in a new issue View git blame Copy permalink