Your First Sentinel Policy
Sentinel is a policy-as-code system for enforcing fine-grained policies inside an application that has embedded it (a "Sentinel-enabled" application).
Writing Sentinel policy requires minimal programming experience. The Sentinel language is designed to be approachable and learned quickly and easily. Whether you're a professional programmer or someone who uses SQL and Excel, you can learn to write Sentinel policies.
Let's begin by writing a simple, working Sentinel policy:
hour = 4
main = rule { hour >= 0 and hour < 12 }
This is a valid Sentinel policy. It will pass since we hardcoded hour to be 4. In a real system, hour may be something that is provided to us and actually set to the current hour. We'll learn more about that later.
For now, try running this policy locally. Save the above example to a file named policy.sentinel and execute it. Then, modify the policy to make it fail. Play around more if you'd like.
$ sentinel apply policy.sentinel
Pass
Main
Every Sentinel policy must have a main rule. This is the rule that is evaluated to determine the result of a policy.
A rule describes an expression that generally means one of two things:
- Does a policy pass a condition that would authorize an operation? Our example above describes such a policy: it checks that the supplied hour (4) falls within an authorized time window (from 0, midnight, up to but not including 12, noon).
- Conversely, can a policy find any violations that would block authorization of the operation? Building on the above, consider a policy that takes a schedule and finds all time blocks that fall outside the time window used in the example policy.
It is easy to imagine that such a rule might be used in a system such as Nomad to restrict the times when a deploy can occur. The power of arbitrary logical statements within Sentinel allows Sentinel policies to restrict almost any behavior.
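The following policy is an added example (not code from this page or from the Sentinel project) that writes the deploy-window check in both forms at once. The schedule, the window bounds, and the names deploy_schedule, window_start and window_end are constructed here for illustration; in a real integration the schedule would be supplied by the host application rather than hardcoded.

```sentinel
# Added example: a deploy-window policy in both the "authorize" and the
# "find violations" form. The schedule below is constructed for this
# example; a real system would provide it to the policy.
deploy_schedule = [
  {"name": "api", "hour": 4},
  {"name": "web", "hour": 13},
  {"name": "db",  "hour": 23},
]

# Authorized window: midnight (0) up to, but not including, noon (12).
window_start = 0
window_end = 12

# Violation-finding form: collect every time block outside the window so the
# result names what is wrong, instead of only reporting "fail".
violations = filter deploy_schedule as block {
  block.hour < window_start or block.hour >= window_end
}

# Print the offending blocks so they appear in the policy output.
print("deploys outside the authorized window:", violations)

# Authorization form: every block must fall inside the window.
in_window = rule {
  all deploy_schedule as block {
    block.hour >= window_start and block.hour < window_end
  }
}

# Negative form: the policy passes only if no violations were found.
no_violations = rule { length(violations) is 0 }

# Both forms describe the same condition, so they must agree.
main = rule { in_window and no_violations }
```

Run it with sentinel apply as above. With the constructed schedule the policy fails, because the "web" (hour 13) and "db" (hour 23) blocks fall outside the window, and the printed list tells you exactly which ones. Change those hours to values below 12, or widen window_end, and main passes again. Keeping the violation list separate from the main rule is the pattern to prefer in practice: the boolean decides whether the operation is allowed, while the list is what an operator needs to see in order to fix the request.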
Next, we'll introduce and explain rules so we can use them in our policies.