---
layout: api
page_title: Sentinel Policies - HTTP API
description: >-
  The /sentinel/policy/ endpoints are used to configure and manage Sentinel
  policies.
---

# Sentinel Policies HTTP API

The `/sentinel/policies` and `/sentinel/policy/` endpoints are used to manage Sentinel policies.
For more details about Sentinel policies, please see the [Sentinel Policy Guide](/nomad/tutorials/governance-and-policy/sentinel).

Sentinel endpoints are only available when ACLs are enabled. For more details about ACLs, please see the [ACL Guide](/nomad/tutorials/access-control).

<EnterpriseAlert>
  This API endpoint and functionality only exists in Nomad Enterprise. This is
  not present in the open source version of Nomad.
</EnterpriseAlert>

## List Policies

This endpoint lists all Sentinel policies. This lists the policies that have been replicated
to the region, and may lag behind the authoritative region.

| Method | Path                 | Produces           |
| ------ | -------------------- | ------------------ |
| `GET`  | `/sentinel/policies` | `application/json` |

The table below shows this endpoint's support for
[blocking queries](/nomad/api-docs#blocking-queries), [consistency modes](/nomad/api-docs#consistency-modes) and
[required ACLs](/nomad/api-docs#acls).

| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES`            | `all`             | `management` |

### Sample Request

```shell-session
$ curl \
    https://localhost:4646/v1/sentinel/policies
```

### Sample Response

```json
[
  {
    "Name": "foo",
    "Description": "test policy",
    "Scope": "submit-job",
    "EnforcementLevel": "advisory",
    "Hash": "CIs8aNX5OfFvo4D7ihWcQSexEJpHp+Za+dHSncVx5+8=",
    "CreateIndex": 8,
    "ModifyIndex": 8
  }
]
```

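Because a replicated listing may lag behind the authoritative region, an audit can compare the two listings. The following is an added example, not part of the original documentation: it assumes both listings were already fetched from `/v1/sentinel/policies` (one from the authoritative region, one from the local region) and that `Hash` changes whenever a policy's content changes. The `audit` function, its finding labels and the sample data are constructed for illustration.

```python
# Constructed sample listings in the shape of the Sample Response above.
# The Hash values are placeholders, not real policy hashes.
AUTHORITATIVE = [
    {"Name": "foo", "Scope": "submit-job",
     "EnforcementLevel": "advisory", "Hash": "hash-foo-v2"},
    {"Name": "limits", "Scope": "submit-job",
     "EnforcementLevel": "hard-mandatory", "Hash": "hash-limits-v1"},
    {"Name": "images", "Scope": "submit-job",
     "EnforcementLevel": "soft-mandatory", "Hash": "hash-images-v1"},
]
REPLICA = [
    {"Name": "foo", "Scope": "submit-job",
     "EnforcementLevel": "advisory", "Hash": "hash-foo-v1"},
    {"Name": "limits", "Scope": "submit-job",
     "EnforcementLevel": "hard-mandatory", "Hash": "hash-limits-v1"},
    {"Name": "old-rule", "Scope": "submit-job",
     "EnforcementLevel": "hard-mandatory", "Hash": "hash-old-v1"},
]


def audit(authoritative, replica):
    """Compare two policy listings by Name and return (name, finding) pairs."""
    auth = {p["Name"]: p for p in authoritative}
    local = {p["Name"]: p for p in replica}
    findings = []
    for name in sorted(auth.keys() | local.keys()):
        a, r = auth.get(name), local.get(name)
        if r is None:
            # Exists upstream but the local region has not received it yet.
            findings.append((name, "not-yet-replicated"))
        elif a is None:
            # Still enforced locally although it is gone upstream.
            findings.append((name, "deleted-upstream"))
        elif a["Hash"] != r["Hash"]:
            # Local region is enforcing an older version of the policy.
            findings.append((name, "stale-content"))
        if a is not None and a["EnforcementLevel"] == "advisory":
            # Advisory policies warn on failure but do not block the operation.
            findings.append((name, "advisory-only"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(AUTHORITATIVE, REPLICA):
        print(f"{name}: {finding}")
```
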
## Create or Update Policy

This endpoint creates or updates a Sentinel policy. This request is always forwarded to the
authoritative region.

| Method | Path                            | Produces       |
| ------ | ------------------------------- | -------------- |
| `POST` | `/sentinel/policy/:policy_name` | `(empty body)` |

The table below shows this endpoint's support for
[blocking queries](/nomad/api-docs#blocking-queries) and
[required ACLs](/nomad/api-docs#acls).

| Blocking Queries | ACL Required |
| ---------------- | ------------ |
| `NO`             | `management` |

### Parameters

- `Name` `(string: <required>)` - Specifies the name of the policy.
  Creates the policy if the name does not exist, otherwise updates the existing policy.

- `Description` `(string: <optional>)` - Specifies a human readable description.

- `Scope` `(string: <required>)` - Specifies the scope of when this policy applies. Only `submit-job` is currently supported.

- `EnforcementLevel` `(string: <required>)` - Specifies the enforcement level of the policy. Can be `advisory`, which warns on failure,
  `hard-mandatory`, which prevents an operation on failure, or `soft-mandatory`, which is like `hard-mandatory` but can be overridden.

- `Policy` `(string: <required>)` - Specifies the Sentinel policy itself.

### Sample Payload

```json
{
  "Name": "my-policy",
  "Description": "This is a great policy",
  "Scope": "submit-job",
  "EnforcementLevel": "advisory",
  "Policy": "main = rule { true }"
}
```

### Sample Request

```shell-session
$ curl \
    --request POST \
    --data @payload.json \
    https://localhost:4646/v1/sentinel/policy/my-policy
```

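A payload can be checked against the Parameters list before it is sent with a management token. The following is an added example, not part of the original documentation: `validate_policy` and `build_request` are hypothetical helpers, the rule that the body `Name` must match `:policy_name` is a local assumption rather than documented server behaviour, and the token is passed in Nomad's `X-Nomad-Token` header. The request is built but never sent.

```python
import json
import urllib.request
from urllib.parse import quote

# Allowed values as listed under Parameters above.
SCOPES = {"submit-job"}
LEVELS = {"advisory", "soft-mandatory", "hard-mandatory"}
REQUIRED = ("Name", "Scope", "EnforcementLevel", "Policy")


def validate_policy(payload, policy_name):
    """Return a list of problems; an empty list means the payload passes."""
    problems = []
    for field in REQUIRED:
        value = payload.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: required non-empty string")
    if not isinstance(payload.get("Description", ""), str):
        problems.append("Description: must be a string when present")
    scope = payload.get("Scope")
    if isinstance(scope, str) and scope.strip() and scope not in SCOPES:
        problems.append(f"Scope: unsupported value {scope!r}")
    level = payload.get("EnforcementLevel")
    if isinstance(level, str) and level.strip() and level not in LEVELS:
        problems.append(f"EnforcementLevel: unsupported value {level!r}")
    # Local check (assumption): body Name must equal :policy_name in the URL.
    name = payload.get("Name")
    if isinstance(name, str) and name.strip() and name != policy_name:
        problems.append("Name: does not match :policy_name in the URL")
    return problems


def build_request(base_url, policy_name, payload, token):
    """Build, but do not send, the POST request for a validated payload."""
    problems = validate_policy(payload, policy_name)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"{base_url.rstrip('/')}/v1/sentinel/policy/{quote(policy_name, safe='')}"
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"X-Nomad-Token": token, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # The page's sample payload; the token value is a placeholder.
    sample = {"Name": "my-policy", "Description": "This is a great policy",
              "Scope": "submit-job", "EnforcementLevel": "advisory",
              "Policy": "main = rule { true }"}
    req = build_request("https://localhost:4646", "my-policy", sample, "<management-token>")
    print(req.get_method(), req.full_url)
```
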
## Read Policy

This endpoint reads a Sentinel policy with the given name. This queries the policy that has been
replicated to the region, and may lag behind the authoritative region.

| Method | Path                            | Produces           |
| ------ | ------------------------------- | ------------------ |
| `GET`  | `/sentinel/policy/:policy_name` | `application/json` |

The table below shows this endpoint's support for
[blocking queries](/nomad/api-docs#blocking-queries), [consistency modes](/nomad/api-docs#consistency-modes) and
[required ACLs](/nomad/api-docs#acls).

| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES`            | `all`             | `management` |

### Sample Request

```shell-session
$ curl \
    https://localhost:4646/v1/sentinel/policy/foo
```

### Sample Response

```json
{
  "Name": "foo",
  "Description": "test policy",
  "Scope": "submit-job",
  "EnforcementLevel": "advisory",
  "Policy": "main = rule { true }\n",
  "Hash": "CIs8aNX5OfFvo4D7ihWcQSexEJpHp+Za+dHSncVx5+8=",
  "CreateIndex": 8,
  "ModifyIndex": 8
}
```

## Delete Policy

This endpoint deletes the named Sentinel policy. This request is always forwarded to the
authoritative region.

| Method   | Path                            | Produces       |
| -------- | ------------------------------- | -------------- |
| `DELETE` | `/sentinel/policy/:policy_name` | `(empty body)` |

The table below shows this endpoint's support for
[blocking queries](/nomad/api-docs#blocking-queries) and
[required ACLs](/nomad/api-docs#acls).

| Blocking Queries | ACL Required |
| ---------------- | ------------ |
| `NO`             | `management` |

### Parameters

- `policy_name` `(string: <required>)` - Specifies the policy name to delete.

### Sample Request

```shell-session
$ curl \
    --request DELETE \
    https://localhost:4646/v1/sentinel/policy/foo
```