2017-11-14 11:13:11 +00:00
---
layout: "docs"
page_title: "Sentinel Properties"
sidebar_title: "Properties"
sidebar_current: "docs-vault-enterprise-sentinel-properties"
description: |-
An overview of how Sentinel interacts with Vault Enterprise.
---
# Properties
Vault injects a rich set of data into the running Sentinel environment,
allowing for very fine-grained controls. The set of available properties is
enumerated on this page.
The following properties are available for use in Sentinel policies.
## Namespace Properties
The `namespace` (Sentinel) namespace gives access to information about the
namespace in which the request is running. This may or may not match the
client's chosen namespace, if a request reaches into a child namespace.
| Name | Type | Description |
| :----| :------| :------------------------------|
| `id` | `string` | The namespace ID |
| `path` | `string` | The root path of the namespace |
## Request Properties
The following properties are available in the `request` namespace.
| Name | Type | Description |
| :----------------------- | :----------------------- | :------------------------------------------------------------------------------------------ |
| `connection.remote_addr` | `string` | TCP/IP source address/port of the client |
| `data` | `map (string -> any)` | Raw request data |
| `operation` | `string` | Operation type, e.g. "read" or "update" |
| `path` | `string` | Path, with any leading `/` trimmed |
| `policy_override` | `bool` | `true` if a `soft-mandatory` policy override was requested |
| `unauthenticated` | `bool` | `true` if the requested path is an unauthenticated path |
| `wrapping.ttl` | `duration` | The requested response-wrapping TTL in nanoseconds, suitable for use with the `time` import |
| `wrapping.ttl_seconds` | `int` | The requested response-wrapping TTL in seconds |
### Replication Properties
The following properties exist at the `replication.mode` namespace.
| Name | Type | Description |
| :------------ | :------- | :------------------------------------------------------------------------------------------------------------- |
| `dr` | `string` | The state of DR replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary" |
| `replication` | `string` | The state of performance replication. Valid values are "disabled", "bootstrapping", "primary", and "secondary" |
## Token Properties
The following properties, if available, are in the `token` namespace. The
namespace will not exist if there is no token information attached to a
request, e.g. when logging in.
| Name | Type | Description |
| :------------------------- | :----------------------- | :--------------------------------------------------------------------------------------------------------------------------------- |
| `creation_time` | `string` | The timestamp of the token's creation, in RFC3339 format |
| `creation_time_unix` | `int` | The timestamp of the token's creation, in seconds since Unix epoch UTC |
| `creation_ttl` | `duration` | The TTL the token was first created with in nanoseconds, suitable for use with the `time` import |
| `creation_ttl_seconds` | `int` | The TTL the token was first created with in seconds |
| `display_name` | `string` | The display name set on the token, if any |
| `entity_id` | `string` | The Identity entity ID attached to the token, if any |
| `explicit_max_ttl` | `duration` | If the token has an explicit max TTL, the duration of the explicit max TTL in nanoseconds, suitable for use with the `time` import |
| `explicit_max_ttl_seconds` | `int` | If the token has an explicit max TTL, the duration of the explicit max TTL in seconds |
| `metadata` | `map (string -> string)` | Metadata set on the token |
| `num_uses` | `int` | The number of uses remaining on a use-count-limited token; 0 if the token has no use-count limit |
| `path` | `string` | The request path that resulted in creation of this token |
| `period` | `duration` | If the token has a period, the duration of the period in nanoseconds, suitable for use with the `time` import |
| `period_seconds` | `int` | If the token has a period, the duration of the period in seconds |
| `policies` | `list (string)` | Policies directly attached to the token |
| `role` | `string` | If created via a token role, the role that created the token |
| `type` | `string` | The type of token, currently will be either `batch` or `service` |
## Identity Properties
The following properties, if available, are in the `identity` namespace. The
namespace may not exist if there is no token information attached to the
request; however, at login time the user's request data will be used to attempt
to find any existing Identity information, or create some information to pass
to MFA functions.
### Entity Properties
These exist at the `identity.entity` namespace.
| Name | Type | Description |
| :------------------ | :----------------------- | :------------------------------------------------------------ |
| `creation_time` | `string` | The entity's creation time in RFC3339 format |
| `id` | `string` | The entity's ID |
| `last_update_time` | `string` | The entity's last update (modify) time in RFC3339 format |
| `metadata` | `map (string -> string)` | Metadata associated with the entity |
| `name` | `string` | The entity's name |
| `merged_entity_ids` | `list (string)` | A list of IDs of entities that have been merged into this one |
| `aliases` | `list (alias)` | List of aliases associated with this entity |
| `policies` | `list (string)` | List of the policies set on this entity |
### Alias Properties
These can be retrieved from `identity.entity.aliases`.
| Name | Type | Description |
| :----------------------- | :----------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------- |
| `creation_time` | `string` | The alias's creation time in RFC3339 format |
| `id` | `string` | The alias's ID |
| `last_update_time` | `string` | The alias's last update (modify) time in RFC3339 format |
| `metadata` | `map (string -> string)` | Metadata associated with the alias |
| `merged_from_entity_ids` | `list (string)` | If this alias was attached to the current entity via one or more merges, the original entity/entities will be in this list |
| `mount_accessor` | `string` | The immutable accessor of the mount that created this alias |
| `mount_path` | `string` | The path of the mount that created this alias; unlike the accessor, there is no guarantee that the current path represents the original mount |
| `mount_type` | `string` | The type of the mount that created this alias |
| `name` | `string` | The alias's name |
### Groups Properties
These exist at the `identity.groups` namespace.
| Name | Type | Description |
| :-------- | :---------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------- |
| `by_id` | `map (string -> group)` | A map of group ID to group information |
| `by_name` | `map (string -> group)` | A map of group name to group information; unlike the group ID, there is no guarantee that the current name will always represent the same group |
### Group Properties
These can be retrieved from the `identity.groups` maps.
| Name | Type | Description |
| :------------------ | :----------------------- | :----------------------------------------------------------------- |
| `creation_time` | `string` | The group's creation time in RFC3339 format |
| `id` | `string` | The group's ID |
| `last_update_time` | `string` | The group's last update (modify) time in RFC3339 format |
| `metadata` | `map (string -> string)` | Metadata associated with the group |
| `name` | `string` | The group's name |
| `member_entity_ids` | `list (string)` | A list of IDs of entities that are directly assigned to this group |
| `parent_group_ids` | `list (string)` | A list of IDs of groups that are parents of this group |
| `policies` | `list (string)` | List of the policies set on this group |
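
A policy that combines the `request`, `token` and `identity` properties listed above, added here as an illustration and not taken from the Vault documentation. The path prefix, group ID, mount accessor and TTL limit are constructed placeholders, and the policy is assumed to be attached to an authenticated path so that the `token` and `identity` namespaces are present.

```sentinel
import "strings"

# Constructed placeholders, not values from the Vault documentation.
protected_prefix = "secret/data/prod/"
ops_group_id     = "GROUP-ID-PLACEHOLDER"
login_accessor   = "MOUNT-ACCESSOR-PLACEHOLDER"
max_token_ttl    = 3600 # seconds

# Only evaluate the checks for writes under the protected prefix.
# request.path has any leading "/" trimmed, so the prefix has none either.
precond = rule {
    request.operation in ["create", "update", "delete"] and
    strings.has_prefix(request.path, protected_prefix)
}

# Require a service token with a bounded creation TTL. A creation TTL of 0
# is rejected as a choice of this example policy.
token_ok = rule {
    token.type is "service" and
    token.creation_ttl_seconds > 0 and
    token.creation_ttl_seconds <= max_token_ttl
}

# Match the group by ID. The by_name map is keyed on a name that is not
# guaranteed to always represent the same group.
group_ok = rule {
    ops_group_id in identity.groups.by_id
}

# Match the mount that created the alias by its immutable accessor rather
# than by mount_path, which may no longer point at the original mount.
alias_ok = rule {
    any identity.entity.aliases as alias {
        alias.mount_accessor is login_accessor
    }
}

main = rule when precond {
    token_ok and group_ok and alias_ok
}
```
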
## MFA Properties
These properties exist at the `mfa` namespace.
| Name | Type | Description |
| :-------- | :----------------------- | :---------------------------------------- |
| `methods` | `map (string -> method)` | A map of method name to method properties |
### MFA Method Properties
These properties can be accessed via the `mfa.methods` selector.
| Name | Type | Description |
| :------ | :----- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `valid` | `bool` | Whether the method has successfully been validated; if validation has not been attempted, this will trigger the validation attempt. The result of the validation attempt will be used for this method for all policies for the given request. |
## Control Group Properties
These properties exist at the `controlgroup` namespace.
| Name | Type | Description |
| :--------------------- | :--------------------- | :------------------------------------------ |
| `time`, `request_time` | `string` | The original request time in RFC3339 format |
| `authorizations` | `list (authorization)` | List of control group authorizations |
### Control Group Authorization
These properties can be accessed via the `controlgroup.authorizations` selector.
| Name | Type | Description |
| :------- | :---------------- | :--------------------------------------------------------- |
| `time` | `string` | The authorization time in RFC3339 format |
| `entity` | `identity.entity` | The identity entity for the authorizer. |
| `groups` | `identity.groups` | The map of identity groups associated with the authorizer. |