96 lines
2.7 KiB
Plaintext
Raw Normal View History

---
2020-04-07 14:55:19 -04:00
layout: docs
2022-09-13 14:45:42 -05:00
page_title: Sentinel ACL Policies (Enterprise)
2020-04-07 14:55:19 -04:00
description: >-
Sentinel allows you to include conditional logic in access control policies. Learn how Consul can use Sentinel policies to extend the ACL system's capabilities for controlling key-value (KV) write access.
---
# Sentinel for KV ACL Policy Enforcement
2020-04-07 14:55:19 -04:00
<EnterpriseAlert />
2020-04-07 14:55:19 -04:00
Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
policies to support full conditional logic and integration with external systems.
## Sentinel in Consul
Sentinel policies are applied during writes to the KV Store.
An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/docs/security/acl/acl-rules#sentinel-integration) for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1".
<CodeBlockConfig heading="Ensure values written during KV updates end in 'dc1'">
2022-01-13 17:04:19 -05:00
```go
key "datacenter_name" {
policy = "write"
sentinel {
code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dc1") }
EOF
enforcementlevel = "soft-mandatory"
}
}
```
</CodeBlockConfig>
If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".
## Imports
Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http/). All functions in these imports are available to be used in policies.
## Injected Variables
Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.
#### Variables injected during KV store writes
2020-04-09 19:46:54 -04:00
| Variable Name | Type | Description |
| ------------- | -------- | ---------------------- |
| `key` | `string` | Key being written |
| `value` | `string` | Value being written |
| `flags` | `uint64` | [Flags](/api-docs/kv#flags) |
## Sentinel Examples
The following are two examples of ACL policies with Sentinel rules.
2020-04-07 14:55:19 -04:00
### Required Key Suffix
<CodeBlockConfig heading="Any values stored under the key 'dc1' end with 'dev'">
2022-01-13 17:04:19 -05:00
```go
key "dc1" {
2017-10-13 12:15:08 -07:00
policy = "write"
sentinel {
code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dev") }
EOF
}
}
```
</CodeBlockConfig>
### Restricted Update Time
<CodeBlockConfig heading="The key 'haproxy_version' can only be updated during business hours">
2022-01-13 17:04:19 -05:00
```go
key "haproxy_version" {
2017-10-13 12:15:08 -07:00
policy = "write"
sentinel {
code = <<EOF
import "time"
main = rule { time.now.hour > 8 and time.now.hour < 17 }
EOF
}
}
```
</CodeBlockConfig>