2017-09-19 09:02:53 -05:00
---
2020-04-07 14:55:19 -04:00
layout: docs
2022-09-13 14:45:42 -05:00
page_title: Sentinel ACL Policies (Enterprise)
2020-04-07 14:55:19 -04:00
description: >-
2022-09-16 10:28:32 -05:00
Sentinel allows you to include conditional logic in access control policies. Learn how Consul can use Sentinel policies to extend the ACL system's capabilities for controlling key-value (KV) write access.
2017-09-19 09:02:53 -05:00
---
2022-09-15 12:10:20 -05:00
# Sentinel for KV ACL Policy Enforcement
2020-04-07 14:55:19 -04:00
2020-04-23 15:13:18 -07:00
<EnterpriseAlert />
2017-09-19 09:02:53 -05:00
2020-04-07 14:55:19 -04:00
Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
policies to support full conditional logic and integration with external systems.
2017-09-19 09:02:53 -05:00
## Sentinel in Consul
2017-09-28 21:00:00 -05:00
Sentinel policies are applied during writes to the KV Store.
2023-01-25 10:52:43 -06:00
An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/consul/docs/security/acl/acl-rules#sentinel-integration) for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1".
2017-09-19 09:02:53 -05:00
2022-01-13 16:07:11 -05:00
<CodeBlockConfig heading="Ensure values written during KV updates end in 'dc1'">
2022-01-13 17:04:19 -05:00
```go
2019-03-13 12:47:25 -05:00
key "datacenter_name" {
policy = "write"
2017-09-19 09:02:53 -05:00
sentinel {
2018-11-08 16:28:40 -06:00
code = <<EOF
import "strings"
2019-03-13 12:47:25 -05:00
main = rule { strings.has_suffix(value, "dc1") }
2018-11-08 16:28:40 -06:00
EOF
2019-03-13 12:47:25 -05:00
enforcementlevel = "soft-mandatory"
2017-09-19 09:02:53 -05:00
}
2019-03-13 12:47:25 -05:00
}
2017-09-19 09:02:53 -05:00
```
2022-01-13 16:07:11 -05:00
</CodeBlockConfig>
2017-09-19 09:02:53 -05:00
If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".
## Imports
2022-10-11 09:58:52 -05:00
Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http). All functions in these imports are available to be used in policies.
2017-09-19 09:02:53 -05:00
## Injected Variables
Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.
#### Variables injected during KV store writes
2020-04-09 19:46:54 -04:00
| Variable Name | Type | Description |
| ------------- | -------- | ---------------------- |
| `key` | `string` | Key being written |
| `value` | `string` | Value being written |
2023-01-25 10:52:43 -06:00
| `flags` | `uint64` | [Flags](/consul/api-docs/kv#flags) |
2017-09-19 09:02:53 -05:00
2019-03-13 12:47:25 -05:00
## Sentinel Examples
2017-09-19 09:02:53 -05:00
2019-03-13 12:47:25 -05:00
The following are two examples of ACL policies with Sentinel rules.
2020-04-07 14:55:19 -04:00
### Required Key Suffix
2019-03-13 12:47:25 -05:00
2022-01-13 16:07:11 -05:00
<CodeBlockConfig heading="Any values stored under the key 'dc1' end with 'dev'">
2017-09-19 09:02:53 -05:00
2022-01-13 17:04:19 -05:00
```go
2019-03-13 12:47:25 -05:00
key "dc1" {
2017-10-13 12:15:08 -07:00
policy = "write"
sentinel {
2018-11-08 16:28:40 -06:00
code = <<EOF
import "strings"
2019-03-13 12:47:25 -05:00
main = rule { strings.has_suffix(value, "dev") }
2018-11-08 16:28:40 -06:00
EOF
2017-09-19 09:02:53 -05:00
}
}
```
2022-01-13 16:07:11 -05:00
</CodeBlockConfig>
2019-06-24 14:25:58 -07:00
### Restricted Update Time
2019-03-13 12:47:25 -05:00
2022-01-13 16:07:11 -05:00
<CodeBlockConfig heading="The key 'haproxy_version' can only be updated during business hours">
2017-09-19 09:02:53 -05:00
2022-01-13 17:04:19 -05:00
```go
2019-03-13 12:47:25 -05:00
key "haproxy_version" {
2017-10-13 12:15:08 -07:00
policy = "write"
sentinel {
2018-11-08 16:28:40 -06:00
code = <<EOF
import "time"
2019-06-06 13:31:54 -07:00
main = rule { time.now.hour > 8 and time.now.hour < 17 }
2018-11-08 16:28:40 -06:00
EOF
2017-09-19 09:02:53 -05:00
}
}
```
2022-01-13 16:07:11 -05:00
</CodeBlockConfig>