open-nomad/website/pages/api-docs/sentinel-policies.mdx

---
layout: api
page_title: Sentinel Policies - HTTP API
sidebar_title: Sentinel Policies
description: >-
  The /sentinel/policy/ endpoints are used to configure and manage Sentinel
  policies.
---
# Sentinel Policies HTTP API

The `/sentinel/policies` and `/sentinel/policy/` endpoints are used to manage Sentinel policies.
For more details about Sentinel policies, please see the [Sentinel Policy Guide](https://learn.hashicorp.com/nomad/governance-and-policy/sentinel).

Sentinel endpoints are only available when ACLs are enabled. For more details about ACLs, please see the [ACL Guide](https://learn.hashicorp.com/nomad?track=acls#operations-and-development).

~> **Enterprise Only!** This API endpoint and functionality exist only in
Nomad Enterprise. This is not present in the open source version of Nomad.

## List Policies

This endpoint lists all Sentinel policies. This lists the policies that have been replicated
to the region, and may lag behind the authoritative region.

| Method | Path                 | Produces           |
| ------ | -------------------- | ------------------ |
| `GET`  | `/sentinel/policies` | `application/json` |

The table below shows this endpoint's support for
[blocking queries](/api#blocking-queries), [consistency modes](/api#consistency-modes) and
[required ACLs](/api#acls).

| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES`            | `all`             | `management` |
### Sample Request

```shell
$ curl \
    https://localhost:4646/v1/sentinel/policies
```
### Sample Response

```json
[
  {
    "Name": "foo",
    "Description": "test policy",
    "Scope": "submit-job",
    "EnforcementLevel": "advisory",
    "Hash": "CIs8aNX5OfFvo4D7ihWcQSexEJpHp+Za+dHSncVx5+8=",
    "CreateIndex": 8,
    "ModifyIndex": 8
  }
]
```
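The list response carries enough to audit a cluster's policy set against a reviewed baseline. The following is an added example, not part of the Nomad documentation: it flags missing policies, enforcement levels weaker than expected, and changed `Hash` values. It assumes `Hash` is an opaque value that changes when the policy changes (this page does not define it); the baseline structure and the names `extra` and `restrict-drivers` are hypothetical.

```python
import json

# Enforcement levels named on this page, ordered weakest to strongest.
LEVELS = ["advisory", "soft-mandatory", "hard-mandatory"]

def rank(level):
    """Position of an enforcement level; -1 for a value the page does not list."""
    return LEVELS.index(level) if level in LEVELS else -1

def audit_policies(listed, baseline):
    """Compare a GET /v1/sentinel/policies response with a reviewed baseline.

    baseline maps policy name -> {"EnforcementLevel": ..., "Hash": ...}.
    Returns a sorted list of (policy_name, finding) tuples.
    """
    seen = {p["Name"]: p for p in listed}
    findings = []
    for name, want in baseline.items():
        got = seen.get(name)
        if got is None:
            findings.append((name, "missing"))
            continue
        if rank(got["EnforcementLevel"]) < rank(want["EnforcementLevel"]):
            findings.append((name, "enforcement-downgraded"))
        if got["Hash"] != want["Hash"]:
            findings.append((name, "hash-changed"))
    findings += [(name, "unreviewed") for name in seen.keys() - baseline.keys()]
    return sorted(findings)

# Constructed sample: "foo" is the entry from the sample response above;
# "extra" and every baseline value are made up for this example.
SAMPLE_RESPONSE = json.loads("""[
  {"Name": "foo", "Scope": "submit-job", "EnforcementLevel": "advisory",
   "Hash": "CIs8aNX5OfFvo4D7ihWcQSexEJpHp+Za+dHSncVx5+8=", "ModifyIndex": 8},
  {"Name": "extra", "Scope": "submit-job", "EnforcementLevel": "advisory",
   "Hash": "CONSTRUCTED-HASH-1", "ModifyIndex": 12}
]""")
BASELINE = {
    "foo": {"EnforcementLevel": "hard-mandatory", "Hash": "CONSTRUCTED-HASH-2"},
    "restrict-drivers": {"EnforcementLevel": "hard-mandatory", "Hash": "CONSTRUCTED-HASH-3"},
}

if __name__ == "__main__":
    for name, finding in audit_policies(SAMPLE_RESPONSE, BASELINE):
        print(f"{name}: {finding}")
```

Because list results in a non-authoritative region may lag, a finding seen there can reflect replication delay rather than a change.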
## Create or Update Policy

This endpoint creates or updates a Sentinel policy. This request is always forwarded to the
authoritative region.

| Method | Path                            | Produces       |
| ------ | ------------------------------- | -------------- |
| `POST` | `/sentinel/policy/:policy_name` | `(empty body)` |

The table below shows this endpoint's support for
[blocking queries](/api#blocking-queries) and
[required ACLs](/api#acls).

| Blocking Queries | ACL Required |
| ---------------- | ------------ |
| `NO`             | `management` |

### Parameters

- `Name` `(string: <required>)` - Specifies the name of the policy.
  Creates the policy if the name does not exist, otherwise updates the existing policy.
- `Description` `(string: <optional>)` - Specifies a human readable description.
- `Scope` `(string: <required>)` - Specifies the scope in which this policy applies. Only `submit-job` is currently supported.
- `EnforcementLevel` `(string: <required>)` - Specifies the enforcement level of the policy. Can be `advisory`, which warns on failure;
  `hard-mandatory`, which prevents an operation on failure; or `soft-mandatory`, which is like `hard-mandatory` but can be overridden.
- `Policy` `(string: <required>)` - Specifies the Sentinel policy itself.
### Sample Payload

```json
{
  "Name": "my-policy",
  "Description": "This is a great policy",
  "Scope": "submit-job",
  "EnforcementLevel": "advisory",
  "Policy": "main = rule { true }"
}
```
### Sample Request

```shell
$ curl \
    --request POST \
    --data @payload.json \
    https://localhost:4646/v1/sentinel/policy/my-policy
```
## Read Policy

This endpoint reads a Sentinel policy with the given name. This queries the policy that has been
replicated to the region, and may lag behind the authoritative region.

| Method | Path                            | Produces           |
| ------ | ------------------------------- | ------------------ |
| `GET`  | `/sentinel/policy/:policy_name` | `application/json` |

The table below shows this endpoint's support for
[blocking queries](/api#blocking-queries), [consistency modes](/api#consistency-modes) and
[required ACLs](/api#acls).

| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES`            | `all`             | `management` |
### Sample Request

```shell
$ curl \
    https://localhost:4646/v1/sentinel/policy/foo
```
### Sample Response

```json
{
  "Name": "foo",
  "Description": "test policy",
  "Scope": "submit-job",
  "EnforcementLevel": "advisory",
  "Policy": "main = rule { true }\n",
  "Hash": "CIs8aNX5OfFvo4D7ihWcQSexEJpHp+Za+dHSncVx5+8=",
  "CreateIndex": 8,
  "ModifyIndex": 8
}
```
## Delete Policy

This endpoint deletes the named Sentinel policy. This request is always forwarded to the
authoritative region.

| Method   | Path                            | Produces       |
| -------- | ------------------------------- | -------------- |
| `DELETE` | `/sentinel/policy/:policy_name` | `(empty body)` |

The table below shows this endpoint's support for
[blocking queries](/api#blocking-queries) and
[required ACLs](/api#acls).

| Blocking Queries | ACL Required |
| ---------------- | ------------ |
| `NO`             | `management` |

### Parameters

- `policy_name` `(string: <required>)` - Specifies the policy name to delete.
### Sample Request

```shell
$ curl \
    --request DELETE \
    https://localhost:4646/v1/sentinel/policy/foo
```