github.com/Aestek/consul@v1.2.4-0.20190309222502-b2c31e33971a/website/source/docs/guides/sentinel.html.markdown.erb

---
layout: "docs"
page_title: "Sentinel in Consul"
sidebar_current: "docs-guides-sentinel"
description: |-
  Consul Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on KV modify and service registration.
---

# Sentinel Overview
[//]: # ( ~> The Sentinel functionality described here is available only in )
[//]: # (   [Consul Enterprise](https://www.hashicorp.com/products/consul/) version 1.0.0 and later. )

<%= enterprise_alert :consul %>

Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
policies to support full conditional logic and integration with external systems.

## Sentinel in Consul

Sentinel policies are applied during writes to the KV Store.

ACL policy definitions take a `sentinel` field specifying the code and the enforcement level.

Here's an example:

```text
sentinel {
    code = <<EOF
import "strings"
main = rule { strings.has_suffix(value,"foo") }
EOF
    enforcementlevel = "soft-mandatory"
}
```

This policy ensures that the value written during a KV update must end with "foo".

If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".

## Imports

Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/)
from Sentinel. All functions in these imports are available to be used in policies.

## Injected Variables

Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.

### Variables injected during KV store writes

| Variable Name |  Type    | Description |
| ------------- | -------- | ----------- |
| `key`         | `string` | Key being written |
| `value`       | `string` | Value being written |
| `flags`       | `uint64` | [Flags](/api/kv.html#flags) |

## Examples

The following are some examples of ACL policies with Sentinel rules.

### Any values stored under the key prefix "foo" must end with "bar"

```text
key "foo" {
    policy = "write"
    sentinel {
        code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "bar") }
EOF
    }
}
```

### The key "foo" can only be updated during business hours

```text
key "foo" {
    policy = "write"
    sentinel {
        code = <<EOF
import "time"
main = rule { time.hour > 8 and time.hour < 17 }
EOF
    }
}
```
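### Feature flags under "feature/" must be boolean literals with no KV flags

As an added example that is not part of the Consul documentation, the policy below uses all three injected variables from the table above: a key under the `feature/` prefix must sit exactly one level below it (for example `feature/dark-mode`), its value must be `true` or `false`, and the KV `flags` field must be left at zero. Note that `enforcementlevel` is a field of the `sentinel` block next to `code`, not a line inside the policy code.

```hcl
# Added example (not from the Consul docs). The ACL grants write access to
# keys under the "feature/" prefix; the Sentinel policy restricts what such
# a write may look like.
key "feature/" {
    policy = "write"
    sentinel {
        code = <<EOF
import "strings"

# Injected by Consul on KV writes: key (string), value (string), flags (uint64).

# Exactly one path segment after "feature/": rejects the bare prefix
# ("feature/") and nested keys ("feature/a/b").
parts = strings.split(key, "/")
single_level = rule { length(parts) == 2 and parts[1] != "" }

# Only boolean literals are stored, and no KV flags are attached.
boolean_value = rule { value in ["true", "false"] and flags == 0 }

main = rule { single_level and boolean_value }
EOF
        # Field of the sentinel block, alongside code; defaults to "hard-mandatory".
        enforcementlevel = "soft-mandatory"
    }
}
```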