HashiCorp Sentinel
HashiCorp Sentinel is a tool for authoring security as code for HashiCorp Enterprise products. It integrates with Infrastructure as Code.
The language was designed to be approachable by non-programmers, since there are many use cases where the individual defining policy may not be a developer. However, the language includes constructs that are familiar to developers to enable powerful policies. It allows teams and organisations to be proactive from a compliance and risk standpoint.
Sentinel is, in effect, a complete programming language for defining and implementing context-based policy decisions.
Sentinel is in the same class of tools as Open Policy Agent but is proprietary, closed-source and only works with HashiCorp products.
Open Policy Agent provides a high-level declarative language for authoring policies and simple APIs to answer policy queries.
Using OPA, you can offload policy decisions from your service such as:
- Should this API call be allowed? E.g., `true` or `false`.
- How much quota remains for this user? E.g., `1048`.
- Which hosts can this container be deployed on? E.g., `["host1", "host40", ..., "host329"]`.
- What updates must be applied to this resource? E.g., `{"labels": {"team": "products"}}`.
It comes with HashiCorp products such as Terraform or Vault for the enterprise versions.
For example, in Terraform it can be used to test for policy violations before applying infrastructure changes.
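As an added illustration of the Terraform use case (this is example code written for this page, not a policy shipped by HashiCorp), the following Sentinel policy inspects a Terraform plan through the `tfplan/v2` import and fails the run if any managed `aws_s3_bucket` that is being created or updated would end up with a `public-read` ACL. The resource type, attribute name and the `"private"` fallback for an unset ACL are assumptions for the example; a real policy would be tuned to the provider and attributes your organisation cares about.

```sentinel
# Example policy, not part of the original page: block public S3 bucket ACLs
# before the plan is applied. Evaluated by Terraform Cloud/Enterprise (or the
# Sentinel CLI with mock data) against the plan's resource changes.
import "tfplan/v2" as tfplan

# Collect every managed aws_s3_bucket that this plan creates or updates.
# Resources being destroyed are ignored because they will no longer exist.
s3_buckets = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_s3_bucket" and
	rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

# An unset acl attribute defaults to "private" on the AWS provider (assumption
# for this example), so treat an undefined value as the safe default.
acl_of = func(rc) {
	return rc.change.after.acl else "private"
}

# The rule passes only when no selected bucket requests a public-read ACL.
no_public_read_acl = rule {
	all s3_buckets as address, rc {
		acl_of(rc) is not "public-read"
	}
}

# Surface the offending addresses in the run log to make the failure actionable.
violations = filter s3_buckets as _, rc { acl_of(rc) is "public-read" }
print("buckets with public-read ACL:", keys(violations))

main = rule {
	no_public_read_acl
}
```

Attached to a workspace with hard-mandatory enforcement, a failing `main` stops the apply, which is the "test for policy violations before applying" behaviour described above; with soft-mandatory enforcement an authorised user can override it, and advisory mode only logs the result.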
In Vault, Sentinel can be used to define fine-grained access control on the APIs.
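As an added example of the Vault use case (written for this page, not taken from HashiCorp's documentation), this Sentinel policy uses Vault's `request` import together with the standard `time` import to restrict write operations on a production KV path to weekday business hours. The path pattern `secret/data/prod/` and the 09:00 to 17:00 UTC window are assumptions for the example; the policy is assumed to be registered as an endpoint-governing policy (EGP) bound to that path.

```sentinel
# Example Vault EGP, not part of the original page: production secrets may
# only be written during weekday business hours. Reads are always allowed so
# that running services are not affected.
import "time"
import "request"

# Assumed path prefix for production secrets in a KV v2 mount.
is_prod_secret = rule {
	request.path matches "^secret/data/prod/.*"
}

# Operations that change data; reads and lists are left unrestricted.
is_write = rule {
	request.operation in ["create", "update", "delete"]
}

# time.now.weekday is 0 for Sunday through 6 for Saturday; hours are UTC.
business_hours = rule {
	time.now.weekday >= 1 and time.now.weekday <= 5 and
	time.now.hour >= 9 and time.now.hour < 17
}

# Allow the request unless it is a write to a production secret outside
# business hours.
main = rule {
	not (is_prod_secret and is_write) or business_hours
}
```

Because the decision is made per request with access to the path and operation, this is the "fine-grained access control on the APIs" the text refers to: the same Vault ACL policy can stay in place while Sentinel adds context such as time of day, and a denied request is logged in Vault's audit log for later review.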
This approach has all the benefits of encapsulation, maintainability, readability and extensibility that high-level programming languages offer, creating an attractive alternative to traditional, declarative security policy.
Placed in the Assess ring of the Thoughtworks Technology Radar in October 2020, which recommends assessing the risks and rewards of this nascent language.
Sentinel Playground: https://play.sentinelproject.io/
Rego Playground: https://play.openpolicyagent.org/
Reference: https://docs.hashicorp.com/sentinel/concepts/language