d81889bb41
Avoid HTTP redirects for internal site links by updating old URLs to point to the new location for the target content.
98 lines
2.7 KiB
Plaintext
98 lines
2.7 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Sentinel in Consul
|
|
description: >-
|
|
Consul Enterprise uses Sentinel to augment the built-in ACL system to provide
|
|
advanced policy enforcement. Sentinel policies can currently execute on KV
|
|
modify and service registration.
|
|
---
|
|
|
|
# Sentinel Overview
|
|
|
|
<EnterpriseAlert />
|
|
|
|
Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
|
|
Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
|
|
policies to support full conditional logic and integration with external systems.
|
|
|
|
## Sentinel in Consul
|
|
|
|
Sentinel policies are applied during writes to the KV Store.
|
|
|
|
An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/docs/security/acl/acl-rules#sentinel-integration) for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1".
|
|
|
|
<CodeBlockConfig heading="Ensure values written during KV updates end in 'dc1'">
|
|
|
|
```go
|
|
key "datacenter_name" {
|
|
policy = "write"
|
|
sentinel {
|
|
code = <<EOF
|
|
import "strings"
|
|
main = rule { strings.has_suffix(value, "dc1") }
|
|
EOF
|
|
enforcementlevel = "soft-mandatory"
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
|
|
If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".
|
|
|
|
## Imports
|
|
|
|
Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/) from Sentinel _except_ [`http`](https://docs.hashicorp.com/sentinel/imports/http/). All functions in these imports are available to be used in policies.
|
|
|
|
## Injected Variables
|
|
|
|
Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.
|
|
|
|
#### Variables injected during KV store writes
|
|
|
|
| Variable Name | Type | Description |
|
|
| ------------- | -------- | ---------------------- |
|
|
| `key` | `string` | Key being written |
|
|
| `value` | `string` | Value being written |
|
|
| `flags` | `uint64` | [Flags](/api/kv#flags) |
|
|
|
|
## Sentinel Examples
|
|
|
|
The following are two examples of ACL policies with Sentinel rules.
|
|
|
|
### Required Key Suffix
|
|
|
|
<CodeBlockConfig heading="Any values stored under the key 'dc1' end with 'dev'">
|
|
|
|
```go
|
|
key "dc1" {
|
|
policy = "write"
|
|
sentinel {
|
|
code = <<EOF
|
|
import "strings"
|
|
main = rule { strings.has_suffix(value, "dev") }
|
|
EOF
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
|
|
### Restricted Update Time
|
|
|
|
<CodeBlockConfig heading="The key 'haproxy_version' can only be updated during business hours">
|
|
|
|
```go
|
|
key "haproxy_version" {
|
|
policy = "write"
|
|
sentinel {
|
|
code = <<EOF
|
|
import "time"
|
|
main = rule { time.now.hour > 8 and time.now.hour < 17 }
|
|
EOF
|
|
}
|
|
}
|
|
```
|
|
|
|
</CodeBlockConfig>
|