layout | page_title | description |
---|---|---|
docs |
Sentinel ACL Policies (Enterprise) |
Sentinel allows you to include conditional logic in access control policies. Learn how Consul can use Sentinel policies to extend the ACL system's capabilities for controlling key-value (KV) write access. |
Consul 1.0 adds integration with Sentinel for policy enforcement. Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny" policies to support full conditional logic and integration with external systems.
Sentinel policies are applied during writes to the KV Store.
An optional sentinel
field specifying code and enforcement level can be added to ACL policy definitions for Consul KV. The following policy ensures that the value written during a KV update must end with "dc1".
key "datacenter_name" {
policy = "write"
sentinel {
code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dc1") }
EOF
enforcementlevel = "soft-mandatory"
}
}
If the enforcementlevel
property is not set, it defaults to "hard-mandatory".
Consul imports all the standard imports from Sentinel except http
. All functions in these imports are available to be used in policies.
Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.
Variable Name | Type | Description |
---|---|---|
key |
string |
Key being written |
value |
string |
Value being written |
flags |
uint64 |
Flags |
The following are two examples of ACL policies with Sentinel rules.
key "dc1" {
policy = "write"
sentinel {
code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "dev") }
EOF
}
}
key "haproxy_version" {
policy = "write"
sentinel {
code = <<EOF
import "time"
main = rule { time.now.hour > 8 and time.now.hour < 17 }
EOF
}
}