Introduction to Sentinel
Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. A policy describes under what circumstances certain behaviors are allowed. Sentinel is an enterprise-only feature of HashiCorp Consul, Nomad, Terraform, and Vault.
This documentation should serve as a reference guide for developing Sentinel policies, embedding Sentinel into your own software, extending Sentinel with plugins, and more. If you're just getting started with Sentinel, please start with the "Why Sentinel?" page to understand what Sentinel is, how it compares to other software, and more.
What is Sentinel?
Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. A policy describes under what circumstances certain behaviors are allowed. Sentinel is an enterprise feature of HashiCorp Consul, Nomad, Terraform, and Vault.
Sentinel provides a language for writing policy and a workflow for developing and testing policies independently of the software they'll be embedded in. We also provide a framework for developers to build plugins that allow a Sentinel-enabled system to access external information to make policy decisions.
Most systems today have some degree of access control. You are able to define identities and what they have access to. These ACL systems solve an immediate and necessary problem of locking down a system in very broad strokes. Sentinel is a reusable system for more advanced software policy decisions. Sentinel enables:
Fine-Grained Policy: Most ACL systems only enable coarse-grained behaviors: "read", "write", etc. Sentinel enables fine-grained behavior such as disallowing a certain API call when specific parameters are present.
Logic-Based Policy: You can write policy using full conditional logic. For example, you may only allow a certain application behavior on Monday to Thursday unless there is a manager override.
Accessing External Information: Sentinel can source external information to be used in policy decisions. For example, a policy that restricts the size of a payload may read data from Consul to determine the payload size limit.
Enforcement levels: Sentinel allows policies to be defined along with an "enforcement level" that dictates the pass/fail behavior of a policy. Advisory policies warn if they fail, soft mandatory policies can have their failures overridden, and hard mandatory policies must pass under all circumstances. Having this as a built-in concept enables you to model policy more accurately and completely for your organization.
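The "Monday to Thursday unless there is a manager override" policy described above, written out as an added example for this page (it is not from the Sentinel documentation or HashiCorp's own examples). It assumes the embedding system passes a boolean `manager_override` parameter; the rest uses only the standard `time` import.

```sentinel
# Added example (not from the Sentinel docs): the "Monday to Thursday unless
# a manager override" policy, expressed in the Sentinel language.
import "time"

# Assumption: the embedding system supplies this parameter. It defaults to
# false so the policy fails closed when no override is passed at all.
param manager_override default false

# time.now.weekday is 0 (Sunday) through 6 (Saturday), so the
# Monday..Thursday window is the range 1..4.
in_allowed_window = rule {
	time.now.weekday >= 1 and time.now.weekday <= 4
}

# The override is only honoured when it is explicitly the boolean true, so a
# missing or oddly typed value cannot widen the allowed window.
override_granted = rule {
	manager_override is true
}

# main is the rule the host system evaluates; the policy passes when either
# the time window or an explicit override applies.
main = rule {
	in_allowed_window or override_granted
}
```

The enforcement level is not part of the policy itself but of the host's policy configuration, for example `enforcement_level = "soft-mandatory"` in the Sentinel CLI's sentinel.hcl; a failure of this policy at that level can be overridden, while "hard-mandatory" cannot.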
Next steps
Refer to the "Why Sentinel?" page to learn more about the origins of Sentinel.