»Your First Sentinel Policy

Sentinel is a policy-as-code framework for enforcing complex, logic-based policies within an application that integrates it.

Writing Sentinel policy requires minimal programming experience. The Sentinel language is designed to be approachable and learned quickly and easily. Whether you're a professional programmer or someone who uses SQL and Excel, you can learn to write Sentinel policies.

Let's begin by writing a simple, working Sentinel policy:

hour = 4
main = rule { hour >= 0 and hour < 12 }

This is a valid Sentinel policy. It passes because we hardcoded hour to 4, which satisfies both conditions in the rule. In a real system, hour would not be hardcoded; it would be provided to the policy by the host application, for example set to the current hour. We'll learn more about that later.

For now, try running this policy locally: save the example above to a file named policy.sentinel and apply it with the Sentinel CLI. Then modify the policy so that it fails (for example, set hour to 13) and apply it again. Play around more if you'd like.

$ sentinel apply policy.sentinel
Pass

»Main

Every Sentinel policy must have a main rule. This is the rule that is evaluated to determine the result of a policy.

A rule is a boolean expression, and it generally expresses one of two things:

  • Does the request satisfy a condition that authorizes the operation? The example above checks that the supplied hour (4) falls within an authorized time window: hours 0 through 11, that is, from midnight up to but not including noon.
  • Conversely, can the policy find any violations that should block the operation? Building on the example, consider a policy that takes a schedule of proposed operations and collects every time block that falls outside that window; the rule passes only when nothing is collected.

It is easy to imagine such a rule being used in a system such as Nomad to restrict the times at which a deploy can occur. Because rules are arbitrary logical expressions, Sentinel policies can restrict almost any behavior.
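The second, violation-finding style of rule described above, written out as a complete policy. This is an added example, not code from the original page or from HashiCorp: the schedule list, its job and start_hour keys, and the in_window helper are all constructed here for illustration, and in a real integration the schedule would be supplied by the host application rather than hardcoded.

```sentinel
# Constructed input: each entry is a proposed deploy and the hour at which
# it would start. In a real integration the host application would supply
# this list; it is hardcoded here only so the policy runs stand-alone.
schedule = [
  {"job": "api", "start_hour": 3},
  {"job": "web", "start_hour": 14},
  {"job": "batch", "start_hour": 23},
]

# The authorized window from the first example: hours 0 through 11, i.e.
# from midnight up to, but not including, noon.
in_window = func(hour) {
  return hour >= 0 and hour < 12
}

# Collect every entry whose start hour falls outside the window.
violations = filter schedule as entry {
  not in_window(entry.start_hour)
}

# Record each violation in the policy trace so a failing run explains itself.
for violations as v {
  print("deploy", v.job, "scheduled at hour", v.start_hour, "is outside the window")
}

# The policy passes only when nothing was collected.
main = rule { length(violations) is 0 }
```

Save this as schedule.sentinel and run sentinel apply schedule.sentinel. With the constructed data, the web and batch entries fall outside the window, so violations has two elements and the policy reports Fail; remove or reschedule those two entries and it reports Pass. Collecting the offending entries with filter, rather than only computing a boolean, is what makes the failure actionable: the trace names exactly which deploys were blocked and why.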

Next, we'll introduce and explain rules so we can use them in our policies.