Sentinel
Imports
Imports enable Sentinel to access external data and functions.
Sentinel ships with a set of standard imports. Standard imports are available by default to every Sentinel policy. Note that the application embedding Sentinel may allow or deny the available set of imports.
To use an import, use the import statement. Then, access data and functions on the import using the import name followed by a period and the field you want to access. The example below checks whether the request path starts with a prefix. Assume that request_path is available.
import "strings"
main = rule { strings.has_prefix(request_path, "/admin") }
External Data
The true power in imports is their ability to reference external data. Imports can be added to a Sentinel-enabled application through plugins. This enables any Sentinel-enabled application to make policy decisions based on any source of data.
This ability allows the policy system to enforce almost any necessary organizational policy, since the ability of a policy isn't restricted purely to the embedding application's data model.
For example, policies in Nomad can access data in Consul to determine attributes of a policy. In the example below, we use a hypothetical Consul import:
import "consul"
main = rule {
job.tasks[0].resources.memory <= int(consul.get("policy/nomad/max-memory"))
}
In this example, a Nomad job's memory usage is limited to the value of a Consul key/value item. By simply changing a Consul KV entry, the policy can be changed. Imports can do anything, and you can write your own import plugins to extend Sentinel.
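A policy that pulls its limit from external data should fail closed when that data is missing: if the Consul key were absent, `consul.get` would return undefined and the comparison above would silently fail rather than state why. The following policy is an added example, not from the original page; it keeps the page's hypothetical `consul` import and its `job.tasks` structure, and assumes a `consul.get` that returns a string or undefined.

```sentinel
import "consul"
import "types"

# Constructed key name for this example; the real key is set by the operator
max_memory_key = "policy/nomad/max-memory"

# Read the limit once so every rule below sees the same value
raw_limit = consul.get(max_memory_key)

# The types import is the documented way to detect an undefined value;
# a missing key must deny rather than permit unlimited memory
limit_is_defined = rule {
    types.type_of(raw_limit) is not "undefined"
}

# Check every task, not only tasks[0]; "when" skips the body (and the
# int() conversion) entirely if the limit could not be read
all_tasks_within_limit = rule when limit_is_defined {
    all job.tasks as task {
        task.resources.memory <= int(raw_limit)
    }
}

main = rule { limit_is_defined and all_tasks_within_limit }
```

Splitting the check into named rules also makes the failure reason visible in the policy trace: a missing key fails `limit_is_defined`, an oversized task fails `all_tasks_within_limit`.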
Next, we'll learn how to test policies to ensure our policy logic is correct.