» Sentinel Overview

Enterprise
This feature requires Consul Enterprise

Consul 1.0 adds integration with Sentinel for policy enforcement. Sentinel policies help extend the ACL system in Consul beyond the static "read", "write", and "deny" policies to support full conditional logic, and integration with external systems.

» Sentinel in Consul

Sentinel policies are applied during writes to the KV Store.

ACL policy definitions take a sentinel field specifying the code and the enforcement level.

Here's an example:

  sentinel {
      code = <<EOF
import "strings"
main = rule { strings.has_suffix(value,"foo") }
enforcementlevel = "soft-mandatory"
EOF
  }

This policy ensures that the value written during a KV update must end with "foo".

If the enforcementlevel property is not set, it defaults to "hard-mandatory".

» Imports

Consul imports all the standard imports from Sentinel. All functions in these imports are available to be used in policies.

» Injected Variables

Consul passes some context as variables into Sentinel, which are available to use inside any policies you write.

» Variables injected during KV store writes

Variable Name Type Description
key string Key being written
value string Value being written
flags uint64 Flags

» Examples

The following are some examples of ACL policies with Sentinel rules.

» Any values stored under the key prefix "foo" must end with "bar"

key "foo" {
    policy = "write"
    sentinel {
        code = <<EOF
import "strings"
main = rule { strings.has_suffix(value, "bar") }
EOF
    }
}

» The key "foo" can only be updated during business hours.

key "foo" {
    policy = "write"
    sentinel {
        code = <<EOF
import "time"
main = rule { time.hour > 8 and time.hour < 17 }
EOF
    }
}