---
layout: "docs"
page_title: "Sentinel in Consul"
sidebar_current: "docs-agent-sentinel"
description: |-
Consul Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on KV modify and service registration.
---
# Sentinel Overview
[//]: # ( ~> The Sentinel functionality described here is available only in )
[//]: # ( [Consul Enterprise](https://www.hashicorp.com/products/consul/) version 1.0.0 and later. )
<%= enterprise_alert :consul %>
Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
policies to support full conditional logic and integration with external systems.
## Sentinel in Consul
Sentinel policies are applied during writes to the KV Store.
An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/docs/agent/acl-rules.html#sentinel-integration) for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1".
```text
key "datacenter_name" {
  policy = "write"
  sentinel {
    code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dc1") }
EOF
    enforcementlevel = "soft-mandatory"
  }
}
```
If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".
## Imports
Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/)
from Sentinel. All functions in these imports are available to be used in policies.
## Injected Variables
Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.
### Variables injected during KV store writes
| Variable Name | Type | Description |
| ------------- | -------- | ----------- |
| `key` | `string` | Key being written |
| `value` | `string` | Value being written |
| `flags` | `uint64` | [Flags](/api/kv.html#flags) |
## Sentinel Examples
The following are two examples of ACL policies with Sentinel rules.
### Required Key Suffix
Any value stored under the key prefix "dc1" must end with "dev".
```text
key "dc1" {
  policy = "write"
  sentinel {
    code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dev") }
EOF
  }
}
```
### Restricted Update Time
The key "haproxy_version" can only be updated during business hours.
```text
key "haproxy_version" {
  policy = "write"
  sentinel {
    code = <<EOF
import "time"
main = rule { time.now.hour > 8 and time.now.hour < 17 }
EOF
  }
}
```
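As an added example that is not part of the Consul documentation, the following policy combines all three injected variables (`key`, `value`, `flags`) with the standard imports: values under a constructed `config/` prefix must be JSON objects that name an `owner`, the key may not contain whitespace, `flags` must be left at zero, and writes are only accepted Monday to Friday. It assumes `json.unmarshal`, `types.type_of`, the built-in `keys` function and a `time.now.weekday` field (0 = Sunday) are available from the standard Sentinel imports.

```hcl
key "config/" {
  policy = "write"
  sentinel {
    code = <<EOF
import "json"
import "strings"
import "time"
import "types"

# Constructed requirement for this example: every entry under config/
# must be a JSON object that names an owner, so each write is attributable.
# A json.unmarshal error aborts evaluation, so a non-JSON value is rejected too.
parsed = json.unmarshal(value)
has_owner = rule {
    types.type_of(parsed) is "map" and "owner" in keys(parsed)
}

# Constructed rule: keys under the prefix may not contain spaces.
clean_key = rule { not strings.contains(key, " ") }

# Constructed rule: tokens bound to this policy may not set the opaque
# flags field, so they cannot tag or mark entries.
no_flags = rule { flags is 0 }

# Assumed: time.now.weekday runs from 0 (Sunday) to 6 (Saturday).
business_day = rule { time.now.weekday > 0 and time.now.weekday < 6 }

# All rules must hold for the write to be allowed.
main = rule { has_owner and clean_key and no_flags and business_day }
EOF
    enforcementlevel = "hard-mandatory"
  }
}
```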