github.com/outbrain/consul@v1.4.5/website/source/docs/agent/sentinel.html.markdown.erb

github.com/outbrain/consul@v1.4.5/website/source/docs/agent/sentinel.html.markdown.erb (about)

     1  ---
     2  layout: "docs"
     3  page_title: "Sentinel in Consul"
     4  sidebar_current: "docs-agent-sentinel"
     5  description: |-
     6    Consul Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on KV modify and service registration.
     7  ---
     8  
     9  # Sentinel Overview
    10  [//]: # ( ~> The Sentinel functionality described here is available only in )
    11  [//]: # (   [Consul Enterprise](https://www.hashicorp.com/products/consul/) version 1.0.0 and later. )
    12  
    13  <%= enterprise_alert :consul %>
    14  
    15   Consul 1.0 adds integration with [Sentinel](https://hashicorp.com/sentinel) for policy enforcement.
    16   Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny"
    17   policies to support full conditional logic and integration with external systems.
    18  
    19  ## Sentinel in Consul
    20  
    21  Sentinel policies are applied during writes to the KV Store.
    22  
    23  An optional `sentinel` field specifying code and enforcement level can be added to [ACL policy definitions](/docs/agent/acl-rules.html#sentinel-integration) for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1".
    24  
    25  ```text
    26  key "datacenter_name" {
    27    policy = "write"
    28    sentinel {
    29        code = <<EOF
    30  import "strings"
    31  main = rule { strings.has_suffix(value, "dc1") }
    32  EOF
    33        enforcementlevel = "soft-mandatory"
    34    }
    35  }
    36  ```
    37  
    38  If the `enforcementlevel` property is not set, it defaults to "hard-mandatory".
    39  
    40  ## Imports
    41  
    42  Consul imports all the [standard imports](https://docs.hashicorp.com/sentinel/imports/)
    43  from Sentinel. All functions in these imports are available to be used in policies.
    44  
    45  ## Injected Variables
    46  
    47  Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.
    48  
    49  #### Variables injected during KV store writes
    50  
    51  | Variable Name |  Type    | Description |
    52  | ------------- | -------- | ----------- |
    53  | `key`         | `string` | Key being written |
    54  | `value`       | `string` | Value being written |
    55  | `flags`       | `uint64` | [Flags](/api/kv.html#flags) |
    56  
    57  
    58  ## Sentinel Examples
    59  
    60  The following are two examples of ACL policies with Sentinel rules.
    61  
    62  ### Required Key Suffix 
    63  
    64  Any values stored under the key prefix "dc1" must end with "dev"
    65  
    66  ```text
    67  key "dc1" {
    68      policy = "write"
    69      sentinel {
    70          code = <<EOF
    71  import "strings"
    72  main = rule { strings.has_suffix(value, "dev") }
    73  EOF
    74      }
    75  }
    76  ```
    77  
    78  ### Restrited Update Time
    79  
    80  The key "haproxy_version" can only be updated during business hours.
    81  
    82  ```text
    83  key "haproxy_version" {
    84      policy = "write"
    85      sentinel {
    86          code = <<EOF
    87  import "time"
    88  main = rule { time.hour > 8 and time.hour < 17 }
    89  EOF
    90      }
    91  }
    92  ```