diff --git a/content/docs/capabilities/reports.md b/content/docs/capabilities/reports.md index 687ebdfab..a3669ea84 100644 --- a/content/docs/capabilities/reports.md +++ b/content/docs/capabilities/reports.md @@ -35,4 +35,3 @@ The default view shows all changes made through Pomerium Enterprise. Use the **C [namespace-concept]: /docs/concepts/namespacing [namespace-reference]: /docs/enterprise/reference/configure#namespaces [service-accounts-concept]: /docs/capabilities/service-accounts.md -[policy-reference]: /docs/concepts/policies diff --git a/content/docs/capabilities/routing.mdx b/content/docs/capabilities/routing.mdx index 925c7a5b4..9fdd95b67 100644 --- a/content/docs/capabilities/routing.mdx +++ b/content/docs/capabilities/routing.mdx @@ -24,7 +24,7 @@ keywords: ## Routes -A [Route](/docs/concepts/routes) defines how to access a service running behind Pomerium. This includes authentication (both for Pomerium and passed through to the service), rewrites, header management, load balancing, etc. +A **Route** defines how to access a service running behind Pomerium. This includes authentication (both for Pomerium and passed through to the service), rewrites, header management, load balancing, etc. When first installing Pomerium Enterprise, users may want to import existing routes from the open-source Pomerium core. The **Migrate Routes** button accepts the open-source `config.yaml` file and imports routes from it to Pomerium Enterprise. diff --git a/content/docs/concepts/policies.mdx b/content/docs/concepts/policies.mdx deleted file mode 100644 index 7d4e192ca..000000000 --- a/content/docs/concepts/policies.mdx +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -sidebar_label: Policies -lang: en-US -keywords: - [ - access, - authentication, - authorization, - authorization policy, - authorization policies, - policy enforcement, - authz, - ] ---- - -# Policies - -A Policy defines who is authorized to what based on the identity of the user, their device, and the associated request context. - -Policies can be applied to [Routes] directly, or enforced within a [Namespace]. Policies allow operators to add authorization and access control to a single, or collection of routes. - -## Policies in Pomerium - -- To learn how to create policies in Pomerium Core, see [Capabilities: Policies]. -- To learn more about how to create Policies in Pomerium Enterprise, see [Enterprise Reference: Policies]. - -[capabilities: policies]: /docs/capabilities/ppl -[enterprise reference: policies]: /docs/concepts/policies -[namespace]: /docs/capabilities/namespacing -[routes]: /docs/concepts/routes diff --git a/content/docs/concepts/routes.mdx b/content/docs/concepts/routes.mdx deleted file mode 100644 index e82e2a8c7..000000000 --- a/content/docs/concepts/routes.mdx +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -# cSpell:ignore localdomain - -sidebar_label: Routes -lang: en-US -keywords: - [ - access, - authentication, - authorization, - authorization policy, - authorization policies, - policy enforcement, - authz, - ] ---- - -# Routes - -Routes define the connection pathway and configuration from the internet to your internal service. As a very basic level, a route sends traffic from `external-address.company.com` to `internalService-address.localdomain`, restricted by the policies associated with it, and encrypted by your TLS certificates. But more advanced configurations allow identity header pass-through, path and prefix rewrites, request and response header modification, load balancer services, and other full featured ingress capabilities. - -For more information, see [Reference: Routes](#reference-routes) - -## Protected Endpoints - -This term refers to the system or service the route provides or restricts access to. - -## Moving Routes - -When moving a Route from one [Namespace](#namespace) to another, enforced policies will automatically be removed or applied. Optional policies available in the source Namespace but not the target will prevent the move. This is intentional to prevent unassociated policies. - -[namespace]: /docs/concepts/namespacing -[reference-routes]: /docs/reference/routes diff --git a/content/docs/concepts/service-accounts.mdx b/content/docs/concepts/service-accounts.mdx deleted file mode 100644 index 9a8350242..000000000 --- a/content/docs/concepts/service-accounts.mdx +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -sidebar_label: Service Accounts -lang: en-US -keywords: - [ - service-accounts, - pomerium service-accounts, - service account, - pomerium enterprise, - pomerium, - ] ---- - -# Service Accounts - -Service accounts provides bearer token based authentication for machine-to-machine communication through Pomerium to your protected endpoints. They can provide auth for monitoring services, create API integrations, and other non-human driven scripts or services. - -A service account identity can either be based on a user entry in your IdP Directory, or exist as a custom identity managed in a Pomerium Console [Namespace](/docs/capabilities/namespacing). - -See the [Service Accounts](/docs/capabilities/service-accounts) capabilities page for more information on how to use service accounts in Pomerium. diff --git a/content/docs/deploy/enterprise/changelog.mdx b/content/docs/deploy/enterprise/changelog.mdx index 0b8481602..efc2b3f5b 100644 --- a/content/docs/deploy/enterprise/changelog.mdx +++ b/content/docs/deploy/enterprise/changelog.mdx @@ -262,9 +262,7 @@ toc_max_heading_level: 5 [`signing key`]: /docs/reference/signing-key [google cloud serverless]: /docs/reference/routes/enable-google-cloud-serverless-authentication -[policies]: /docs/concepts/policies [policy language]: /docs/capabilities/ppl [runtime]: /docs/capabilities/reports.md#runtime -[service accounts]: /docs/concepts/service-accounts [spdy]: /docs/reference/routes/timeouts#spdy [telemetry]: /docs/capabilities/reports.md#traffic diff --git a/content/docs/guides/code-server.mdx b/content/docs/guides/code-server.mdx index 69f1383cf..180c5f290 100644 --- a/content/docs/guides/code-server.mdx +++ b/content/docs/guides/code-server.mdx 
@@ -159,7 +159,7 @@ To complete this guide, you need: ### Configure Pomerium -In your Console, create a [policy](/docs/concepts/policies) that allows any authenticated user to access the route: +In your Console, create a [policy](/docs/capabilities/ppl) that allows any authenticated user to access the route: 1. Select **New Policy** 2. Enter a **Name** for your policy, like `any authenticated` diff --git a/content/docs/internals/glossary.md b/content/docs/internals/glossary.md index 1689f7574..4652ac600 100644 --- a/content/docs/internals/glossary.md +++ b/content/docs/internals/glossary.md @@ -1,4 +1,6 @@ --- +# cSpell:ignore localdomain + title: Glossary lang: en-US keywords: 
@@ -60,11 +62,27 @@ The term "Perimeter" in the context of Pomerium and general networking usually r ### Policy -Pomerium allows administrators to define authorization policies dictating what combination of users, groups, devices, etc, have access to protected services. Open-source Pomerium defines a unique policy to every [route], while Pomerium Enterprise can define reusable policies at the global and [namespace] level. +A Policy defines what services behind Pomerium a user is authorized to access based on policy criteria, such as user identity and device identity, and the associated request context. + +Policies can be applied to [Routes](/docs/capabilities/routing) directly, or enforced within a [Namespace](/docs/capabilities/namespacing). Policies allow operators to add authorization and access control to a single route or collection of routes. ### Route -Specific to Pomerium, a route is a defined path from outside the network (via a public domain) to an internal service. Routes can be defined in the [configuration](/docs/reference/routes) for open-source Pomerium or the [Pomerium Enterprise Console][pom-routes]. +Specific to Pomerium, a route is a defined path from outside the network (through a public domain) to an internal service. At a very basic level, a route sends traffic from `external-address.company.com` to `internalService-address.localdomain`; a route is restricted by its associated policies and encrypted by your TLS certificates. + +Routes can be defined in the [configuration](/docs/reference/routes) for open-source Pomerium or the [Pomerium Enterprise Console][/docs/deploy/enterprise]. + +More advanced configurations allow identity header pass-through, path and prefix rewrites, request and response header modification, load balancer services, and other full featured ingress capabilities. + +For more information, see the [Routing Capabilities])(/docs/capabilities/routing) page. 
+ +### Service Account + +A service account provides bearer token based authentication for machine-to-machine communication through Pomerium to your protected endpoints. A service account can provide authentication for monitoring services, create API integrations, and other non-human driven scripts or services. + +A service account identity can either be based on a user entry in your IdP Directory, or exist as a custom identity managed in a Pomerium Console [Namespace](/docs/capabilities/namespacing). + +See the [Service Accounts](/docs/capabilities/service-accounts) capabilities page for more information on how to use service accounts in Pomerium. ### Single Sign-On @@ -145,7 +163,6 @@ Zero trust is a philosophy and/or framework for security models that includes se [policies]: #policy [pomerium enterprise]: /docs/deploy/enterprise/install [pom-namespace]: /docs/internals/glossary -[pom-routes]: /docs/concepts/routes [route]: #route [routes]: #route [secure enclave]: #secure-enclave diff --git a/static/_redirects b/static/_redirects index b45e2374d..256941ed1 100644 --- a/static/_redirects +++ b/static/_redirects @@ -91,6 +91,9 @@ https://0-20-0.docs.pomerium.com/category/guides https://0-20-0.docs.pomerium.co # Reference, capabilities, topics, concepts links /docs/reference/readme.html /docs/ /docs/concepts/namespacing /docs/capabilities/namespacing +/docs/concepts/policies /docs/internals/glossary#policy +/docs/concepts/routes /docs/internals/glossary#route +/docs/concepts/service-accounts /docs/internals/glossary#service-account # Redirects incorrectly /docs/reference/certificates.html /docs/topics/certificates /docs/topics/certificates /docs/concepts/certificates
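Review bot: in the glossary Route entry, `[Routing Capabilities])(/docs/capabilities/routing)` has a stray `)` between `]` and `(`, so the link will not render; it should read `[Routing Capabilities](/docs/capabilities/routing)`. In the same entry, `[Pomerium Enterprise Console][/docs/deploy/enterprise]` uses reference-link syntax with a path as the label, and this hunk defines no `[/docs/deploy/enterprise]:` reference (the old `[pom-routes]` definition is removed further down), so it will render as literal bracketed text; use the inline form `[Pomerium Enterprise Console](/docs/deploy/enterprise)`. Also in the new Service Account entry, "can provide authentication for monitoring services, create API integrations, and other non-human driven scripts or services" mixes a verb phrase into a noun list; "can provide authentication for monitoring services, API integrations, and other non-human driven scripts or services" keeps it parallel.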
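Review bot: deleting `content/docs/concepts/routes.mdx` drops the "Protected Endpoints" definition and the "Moving Routes" behaviour (enforced policies are automatically removed or applied when a route changes namespace, and optional policies present in the source namespace but not the target block the move), and the new `_redirects` entry sends `/docs/concepts/routes` to `/docs/internals/glossary#route`, where none of that text appears. Either carry those two sections into the glossary Route entry or the routing capabilities page, or state in the PR where that behaviour is now documented.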
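Review bot: the `content/docs/capabilities/reports.md` hunk removes the `[policy-reference]: /docs/concepts/policies` definition without showing whether the body still uses a `[...][policy-reference]` or `[policy-reference]` link; if it does, the reference becomes literal bracketed text with no build error. Confirm there is no remaining use in that file, or repoint the definition to `/docs/internals/glossary#policy`, matching the redirect this patch adds.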
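Review bot: the `content/docs/deploy/enterprise/changelog.mdx` hunk deletes the `[policies]` and `[service accounts]` reference definitions while leaving the neighbouring definitions (`[policy language]`, `[runtime]`) in place, which suggests the surrounding changelog text uses these labels as reference links; any remaining `[policies]` or `[service accounts]` in the changelog body will now render unlinked. Rather than deleting them, update the targets to `/docs/internals/glossary#policy` and `/docs/internals/glossary#service-account`, the same destinations the `static/_redirects` hunk introduces for the removed pages.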
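Review bot: the `content/docs/guides/code-server.mdx` hunk changes the policy link to `/docs/capabilities/ppl`, while the `static/_redirects` hunk sends the old `/docs/concepts/policies` URL to `/docs/internals/glossary#policy`, and the `routing.mdx` hunk drops its route link entirely in favour of bold text. Readers reaching the concept through an old bookmark, the guide, or the routing page end up in three different places; pick one destination per concept (the glossary anchor or the capabilities page) and use it consistently across the guide, the redirect, and the routing page.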