Imports

Imports enable Sentinel to access external data and functions.

Sentinel ships with a set of standard imports. Standard imports are available by default to every Sentinel policy. Note that the application embedding Sentinel may whitelist or blacklist the available set of imports.

To use an import, use the import statement. Then, access data and functions on the import using the import name followed by a period and the field you want to access. The example below checks whether the request path starts with a prefix. Assume that request_path is available.

import "strings"

main = rule { strings.has_prefix(request_path, "/admin") }

External Data

The true power in imports is their ability to reference external data. Imports can be added to a Sentinel-enabled application through plugins. This enables any Sentinel-enabled application to make policy decision based on any source of data.

This ability allows the policy system to enforce almost any necessary organizational policy, since the ability of a policy isn't restricted purely to the embedding application's data model.

For example, policies in Nomad can access data in Consul to determine attributes of a policy. In the example below, we use a hypothetical Consul import:

import "consul"

main = rule {
    job.tasks[0].resources.memory <= int(consul.get("policy/nomad/max-memory"))
}

In this example, a Nomad job's memory usage is limited to the value of a Consul key/value item. By simply changing a Consul KV entry, policy can be changed. Imports can do anything, you can write your own import plugins to extend Sentinel.

Next, we'll learn how to test policies to ensure our policy logic is correct.