Sentinel
Introduction to Sentinel
Welcome to the intro guide to Sentinel! This guide is the best place to start with Sentinel.
If you are already familiar with the basics of Sentinel, the documentation provides a better reference guide for all available features as well as internals.
What is Sentinel?
Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. A policy describes under what circumstances certain behaviors are allowed. Sentinel is an enterprise feature of HashiCorp Consul, Nomad, Terraform, and Vault.
Sentinel provides a language for writing policy and a workflow for developing and testing policies independent of the software they'll be written to. We also provide a framework for developers to build plugins that allow a Sentinel-enabled system to access external information to make policy decisions.
Most systems today have some degree of access control. You are able to define identities and what they have access to. These ACL systems solve an immediate and necessary problem of locking down a system in very broad strokes. Sentinel is a reusable system for more advanced software policy decisions. Sentinel enables:
Fine-Grained Policy: Most ACL systems only enable coarse-grained behaviors: "read", "write", etc. Sentinel enables fine-grained behavior such as disallowing a certain API call when specific parameters are present.
Logic-Based Policy: You can write policy using full conditional logic. For example, you may only allow a certain application behavior on Monday to Thursday unless there is a manager override.
Accessing External Information: Sentinel can source external information to be used in policy decisions. For example, a policy that restricts the size of a payload may read data from Consul to determine the payload size limit.
Enforcement levels: Sentinel allows policies to be defined along with an "enforcement level" that dictates the pass/fail behavior of a policy. Advisory policies warn if they fail, soft mandatory policies can have their failures overridden, and hard mandatory policies must pass under all circumstances. Having this as a built-in concept enables you to model policy more accurately and completely for your organization.
Next Steps
See the page on Why Sentinel? to learn more about the origins of the product. Then, continue onwards with the getting started guide to write your first policies and see how Sentinel works in practice.