This are the public release notes for the Sentinel runtime. See this document for the latest updates.

Sentinel Runtime Release Notes

Release Notes

Consul Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies are applied during writes to the KV Store.

Consul and Sentinel

Consul

Documentation

Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions.

Nomad Enterprise uses Sentinel to augment the built-in ACL system to provide advanced policy enforcement. Sentinel policies can currently execute on job submission (creation, update).

Nomad and Sentinel

Nomad

Sentinel can be used with Terraform and Terraform Enterprise to enforce policy on Terraform configurations, states, and plans.

Terraform and Sentinel

Terraform

Vault Enterprise uses Sentinel to augment the built-in policy system to provide Role Governing Policies (RGPs) and Endpoint Governing Policies (EGPs) to enable complex, flexible policies across identities and endpoints.

Vault and Sentinel

Vault

Sentinel policies are easy to write while still supporting advanced constructs for creating complex policies. This page will explain the basics of writing Sentinel policies to get started.

Writing Sentinel Policy

Basics

Imports enable policy decision based on arbitrary external information.

Debugging

Imports

Sentinel provides a language and workflow for building policy across any system that embeds Sentinel. By learning Sentinel once, you are able to effectively control access to many systems using Sentinel's powerful features. Basic concepts that are important to understand for Vault usage.

Writing Policy

Rules

Sentinel has a built-in test framework to validate a policy behaves as expected.

Testing

Sentinel provides execution traces to better understand the execution of a policy.

Traces

Sentinel supports arithmetic operators for integers and floats. Sentinel supports sum, difference, product, quotient, and remainder.

Sentinel Language - Arithmetic

Arithmetic

Boolean expressions are expressions that evaluate to a boolean value from the result of a combination of one or more comparisons and logical operators.

Sentinel Language - Boolean Expressions

Boolean Expressions

Operations for interacting with collections (list, map).

Sentinel Language - Collection Operations

Collection Operations

Conditional statements allow your policy to behave differently depending on a condition.

Sentinel Language - Conditionals

Conditionals

Functions allow you to create reusable code to perform computations.

Sentinel Language - Functions

Functions

Imports enable a Sentinel policy to access reusable libraries and external data and functions.

Sentinel Language - Imports

Sentinel policies are written using the Sentinel language. This language
is easy to learn and easy to write. You can learn the Sentinel language
and be productive within an hour. Learning Sentinel doesn't require any
formal programming experience.

Sentinel Language

Language

Lists are a collection of zero or more values.

Sentinel Language - Lists

Lists

The built-in functions `print` and `error` can be used for logging and errors.

Sentinel Language - Logging and Errors

Logging and Errors

Loop statements allow you to execute a body of code for each element in a collection or for some fixed number of times.

Sentinel Language - Loops

Loops

Maps are a collection of zero or more key/value pairs. These are useful for storing values that are looked up by a unique key.

Sentinel Language - Maps

Maps

Parameteres allow a Sentinel policy to describe variables that are expected to be supplied by the calling application, in addition to any default value.

Sentinel Language - Parameters

Parameters

Rules form the basis of a policy by representing behavior that is either passing or failing (true or false).

Sentinel Language - Rules

Sentinel Language - Scope

Scope

Slices are an efficient way to create a substring or sublist from an existing string or list, respectively.

Sentinel Language - Slices

Slices

This is the specification for the Sentinel policy language.

Sentinel Language Specification

Specification

The value `undefined` is a special value representing undefined behavior or an unknown value. Any operation on an `undefined` value results in `undefined`.

Sentinel Language - Undefined

Undefined

Values are the data that Sentinel policies operate on.

Sentinel Language - Values

Values

Variables store values that can be used later.

Sentinel Language - Variables

Variables

Welcome to the intro guide to Sentinel! This guide is the best place to start with Sentinel.

Introduction

What is Sentinel?

Why Sentinel?

Let's begin by writing a working Sentinel policy.

Your First Sentinel Policy

Your First Policy

Imports enable Sentinel to access external data and functions.

The first step to using Sentinel is to get the CLI installed.

Install Sentinel CLI - Getting Started

Getting Started

Installing the CLI

A rule describes a set of conditions that result in either true or false.

Logic

That concludes the getting started guide for Sentinel.

Next Steps

The base64 import enables a Sentinel policy to encode and decode Base64 values.

Import: base64

base64

The decimal import provides functions for operating on numbers represented
as decimals.

Import: decimal

decimal

The http import enables the use of HTTP-accessible data from outside the runtime in Sentinel policy rules.

Import: http

http

Standard Imports are the built-in imports that are available to all Sentinel policies.

Sentinel Language - Standard Imports

Standard Imports

The json import enables a Sentinel policy to parse and access a JSON document.

Import: json

json

The runtime import contains various information about the Sentinel runtime.

Import: runtime

runtime

The sockaddr import makes working with IP addresses easy.

Import: sockaddr

sockaddr

The strings import exposes common string operations.

Import: strings

strings

The time import provides access to the execution time and time functions.

Import: time

time

The types import enables a Sentinel policy to parse an object's type.

Import: types

types

Import: units

units

The version import provides functions for parsing versions and version constraints,
and verifying versions against a set of constraints.

Import: version

version

The built-in function `append` appends a value to the end of a list.

Sentinel Language - Builtin Function: Append

append

The built-in function `delete` deletes an element from a map.

Sentinel Language - Builtin Function: delete

delete

The built-in function `error` is used to exit immediately with an error message.

Sentinel Language - Builtin Function: error

error

Builtin functions are functions that are available in all Sentinel policies.

Sentinel Language - Builtin Functions

Builtin Functions

The built-in function `keys` returns the keys of a map.

Sentinel Language - Builtin Function: keys

keys

Sentinel Language - Builtin Function: Length

length

The built-in function `print` is used for logging and debugging.

Sentinel Language - Builtin Function: print

print

The built-in function `range` returns a list of numbers in a range.

Sentinel Language - Builtin Function: Range

range

The built-in function `values` returns the values of a map.

Sentinel Language - Builtin Function: values

values

Learn how to create your own Sentinel imports to extend Sentinel's functionality.

Extending Sentinel

This Section covers some details about Sentinel's import internals.

Extending Sentinel: Internals

Internals

Modules allow you to re-use Sentinel code as an import.

Extending Sentinel: Modules

Modules

Plugins allow you to write imports as standalone executables, allowing you to extend Sentinel in ways not normally possible with policy code alone.

Extending Sentinel: Plugins

Plugins

The Sentinel CLI's configuration file can be used to control the behavior of the simulator during apply and test operations.

Sentinel CLI Configuration File Syntax

Configuration File Syntax

There are a number of options for formatting the URL provided to the source attribute on policy and module blocks.

Remote Sources

Enforcement Levels

Basic concepts that are important to understand for Sentinel usage.

Basic Concepts

Policy Language

Policy as code is the idea of writing code in a high-level language to manage and automate policies. By representing policies as code in text files, proven software development best practices can be adopted such as version control, automated testing, and automated deployment.

Policy as Code

The `sentinel apply` command is used to execute a policy locally for development purposes.

Command: apply

<code>apply</code>

The `sentinel fmt` command formats a policy source to a canonical format.

Command: fmt

<code>fmt</code>

Sentinel provides a `sentinel` command-line interface (CLI) for developing and testing policies.

Commands (CLI)

The `sentinel test` command runs policies against the Sentinel test framework.

»Debugging

»Print Logging