Why didn't subpath work?

What happened?

It has no effect for "subpath".

In this case, can tom still access other URL paths?
No usage documentation for subpath was found (http_path and http_method

What’s your environment like?

pomerium 0.17.1
os: ubuntu 18.04 x64

What’s your config.yaml?

  - from: https://test.example.com
    pass_identity_headers: true
    to: http://127.0.0.1:8080
    allowed_users:
    - tom
    - jack
    policy:
    - allow:
        and:
          - http_path:
              is: /test

What did you see in the logs?

log is normal

Hi @cfanbo. It looks like you’re mixing the older “Policy” based config model with the new “Route” based model, where the policy is a sub-key of the route. You probably want to standardize on the new model, which would look something like this:

routes:
  - from: https://test.example.com
    pass_identity_headers: true
    to: http://127.0.0.1:8080
    policy:
    - allow:
        and:
          - http_path:
              is: /test
        or:
          - user:
              is: tom
          - user:
              is: jack

Is this feature only supported in the Enterprise edition?

Nope, the new route/policy format applies to the OSS Pomerium config.

What is OSS Pomerium config? Where is the document?

The config file location depends on how you installed Pomerium. For system services, it lives in /etc/pomerium/config.yaml. For docker installations it’s attached to the container at /pomerium/config.yaml. Each install doc references the location.

The reference page I linked above has all the settings available in the config. It’s broken up into settings for each service (for those using split service mode), as well as the shared settings required by all config files. If you’re running in all-in-one mode, then there’s only a single file.

Only some users are allowed to access some specified directories. How should I set it?
For example, only allow access to the paths '/manager/' and '/admin/' for user tom or jack

WHERE subpath IN ("/manager/", "/admin/") AND user IN ("tom", "jack")

Set specific routes for each subpath with separate policies: Settings | Pomerium

Is that so?

routes:
  - from: https://test.example.com
    pass_identity_headers: true
    to: http://127.0.0.1:8080
    policy:
    - allow:
        or:
          - http_path:
              is: /manager
          - user:
              is: tom
        or:
          - http_path:
              is: /admin
          - user:
              is: tom
        or:
          - http_path:
              is: /manager
          - user:
              is: jack
        or:
          - http_path:
              is: /admin
          - user:
              is: jack

Not sure if that will work or not, I haven’t tested a route like that. What you’ve got there is a single route with multiple policy rules based on path. The docs I referred you to cover making individual routes for paths that can then have individual policies applied.
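
The per-path layout the last reply describes, written out as an added example (not posted by anyone in the thread and not taken from the Pomerium project). It assumes the `prefix` route setting is used to scope each route to one directory and that tom and jack are matched by the `user` criterion as in the configs above; the host and upstream are the ones from the question.

```yaml
# One route per protected directory, each with its own policy.
# Added illustration; hostnames, upstream and user IDs are copied from the thread.
routes:
  # Route 1: only requests whose path starts with /manager/
  - from: https://test.example.com
    prefix: /manager/
    to: http://127.0.0.1:8080
    pass_identity_headers: true
    policy:
      - allow:
          or:                 # either listed user is enough
            - user:
                is: tom
            - user:
                is: jack

  # Route 2: only requests whose path starts with /admin/
  - from: https://test.example.com
    prefix: /admin/
    to: http://127.0.0.1:8080
    pass_identity_headers: true
    policy:
      - allow:
          or:
            - user:
                is: tom
            - user:
                is: jack

# No route is defined for other paths on this host, so the path restriction
# comes from route matching rather than from an http_path criterion in the policy.
```

After reloading the config, check the result by signing in as a user who is not listed and requesting both a protected path and an unrelated path, then confirm in the authorize logs that each request hit the route you expected.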