ACLs: add fine-grained ACLs for Sentinel CRUD operations

tgross · tgross · commit d2f244d24ced · 2026-02-20T09:42:33.000-05:00
Updating Sentinel policies currently requires a management token. We'd like to break up the management token capabilities so that users can provide less-privileged tokens to services for specific purposes. For example, one might want to run testing on Sentinel policies and not allow that test pipeline to have full management access. Add support for fine-grained ACLs on Sentinel CRUD operations. Note that unlike most ACLs, Sentinel is disabled when ACLs are disabled. This is the CE portion of the work. The Sentinel RPC handlers are in the Enterprise PR. Ref: hashicorp/nomad-enterprise#3700 Ref: https://hashicorp.atlassian.net/browse/NMD-512 Fixes: #24225
diff --git a/.changelog/27556.txt b/.changelog/27556.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+acl (Enterprise): Added `sentinel` policy block to allow managing Sentinel policies without a management token
+```
diff --git a/acl/acl.go b/acl/acl.go
@@ -73,11 +73,13 @@ type ACL struct {
 	agent    string
 	node     string
 	operator string
+	sentinel string
 	quota    string
 	plugin   string
 
 	// Fine-grained capabilities for policies that don't need namespace globbing
 	operatorCapabilities capabilitySet
+	sentinelCapabilities capabilitySet
 
 	// The attributes below detail a virtual policy that we never expose
 	// directly to the end user.
@@ -127,6 +129,7 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
 	wsvTxn := iradix.New[capabilitySet]().Txn()
 
 	operatorCapabilities := make(capabilitySet)
+	sentinelCapabilities := make(capabilitySet)
 
 	for _, policy := range policies {
 	NAMESPACES:
@@ -299,6 +302,20 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
 				}
 			}
 		}
+		if policy.Sentinel != nil {
+			acl.sentinel = maxPrivilege(acl.sentinel, policy.Sentinel.Policy)
+			if !sentinelCapabilities.Check(SentinelCapabilityDeny) {
+				for _, cap := range policy.Sentinel.Capabilities {
+					if cap == SentinelCapabilityDeny {
+						// Deny always takes precedence
+						sentinelCapabilities.Clear()
+						sentinelCapabilities.Set(SentinelCapabilityDeny)
+						break
+					}
+					sentinelCapabilities.Set(cap)
+				}
+			}
+		}
 		if policy.Quota != nil {
 			acl.quota = maxPrivilege(acl.quota, policy.Quota.Policy)
 		}
@@ -321,6 +338,7 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
 	acl.wildcardVariables = wsvTxn.Commit()
 
 	acl.operatorCapabilities = operatorCapabilities
+	acl.sentinelCapabilities = sentinelCapabilities
 
 	acl.client = PolicyDeny
 	acl.server = PolicyDeny
@@ -886,6 +904,26 @@ func (a *ACL) AllowOperatorOperation(op string) bool {
 	}
 }
 
+// AllowSentinelOperation checks if a given operation is allowed for sentinel
+func (a *ACL) AllowSentinelOperation(op string) bool {
+	switch {
+	case a == nil:
+		return false
+	case a.aclsDisabled:
+		return false // Sentinel is entirely disabled when ACLs are disabled
+	case a.management:
+		return true
+	case a.sentinel == PolicyWrite:
+		return true
+	case a.server == PolicyWrite:
+		return true // needed to support cross-region replication
+	case a.sentinelCapabilities.Check(op):
+		return true
+	default:
+		return false
+	}
+}
+
 // AllowQuotaRead checks if read operations are allowed for all quotas
 func (a *ACL) AllowQuotaRead() bool {
 	switch {
diff --git a/acl/acl_test.go b/acl/acl_test.go
@@ -1263,3 +1263,135 @@ func TestAllowOperatorOperation(t *testing.T) {
 		must.True(t, acl.AllowOperatorOperation(OperatorCapabilityKeyringRotate))
 	})
 }
+
+func TestAllowSentinelOperation(t *testing.T) {
+	ci.Parallel(t)
+
+	testCases := []struct {
+		name      string
+		policy    string
+		operation string
+		expect    bool
+	}{
+		{
+			name:      "policy write allows sentinel-read",
+			policy:    `sentinel { policy = "write" }`,
+			operation: SentinelCapabilityRead,
+			expect:    true,
+		},
+		{
+			name:      "policy write allows sentinel-submit",
+			policy:    `sentinel { policy = "write" }`,
+			operation: SentinelCapabilitySubmit,
+			expect:    true,
+		},
+		{
+			name:      "policy write allows sentinel-delete",
+			policy:    `sentinel { policy = "write" }`,
+			operation: SentinelCapabilityDelete,
+			expect:    true,
+		},
+		{
+			name:      "policy read allows sentinel-read",
+			policy:    `sentinel { policy = "read" }`,
+			operation: SentinelCapabilityRead,
+			expect:    true,
+		},
+		{
+			name:      "policy read denies sentinel-submit",
+			policy:    `sentinel { policy = "read" }`,
+			operation: SentinelCapabilitySubmit,
+			expect:    false,
+		},
+		{
+			name:      "policy read denies sentinel-delete",
+			policy:    `sentinel { policy = "read" }`,
+			operation: SentinelCapabilityDelete,
+			expect:    false,
+		},
+		{
+			name: "policy deny overrides all capabilities",
+			policy: `sentinel { policy = "deny"
+                                capabilities = ["sentinel-read"] }`,
+			operation: SentinelCapabilityRead,
+			expect:    false,
+		},
+		{
+			name: "capability sentinel-submit allows sentinel-submit over read policy",
+			policy: `sentinel { policy = "read"
+                                capabilities = ["sentinel-submit"] }`,
+			operation: SentinelCapabilitySubmit,
+			expect:    true,
+		},
+		{
+			name:      "capability sentinel-read allows sentinel-read",
+			policy:    `sentinel { capabilities = ["sentinel-read"] }`,
+			operation: SentinelCapabilityRead,
+			expect:    true,
+		},
+		{
+			name:      "multiple capabilities allow respective operations",
+			policy:    `sentinel { capabilities = ["sentinel-read", "sentinel-submit"] }`,
+			operation: SentinelCapabilitySubmit,
+			expect:    true,
+		},
+		{
+			name:      "capability deny denies all operations",
+			policy:    `sentinel { capabilities = ["deny"] }`,
+			operation: SentinelCapabilityRead,
+			expect:    false,
+		},
+		{
+			name:      "capability deny takes precedence over other capabilities",
+			policy:    `sentinel { capabilities = ["sentinel-read", "deny"] }`,
+			operation: SentinelCapabilityRead,
+			expect:    false,
+		},
+		{
+			name:      "deny everything without a sentinel policy",
+			policy:    `agent { policy = "read" }`,
+			operation: SentinelCapabilityRead,
+			expect:    false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			policy, err := Parse(tc.policy, PolicyParseStrict)
+			must.NoError(t, err)
+
+			acl, err := NewACL(false, []*Policy{policy})
+			must.NoError(t, err)
+
+			got := acl.AllowSentinelOperation(tc.operation)
+			must.Eq(t, tc.expect, got)
+		})
+	}
+
+	t.Run("nil ACL denies all operations", func(t *testing.T) {
+		var acl *ACL
+		must.False(t, acl.AllowSentinelOperation(SentinelCapabilityRead))
+	})
+
+	t.Run("management token allows all operations", func(t *testing.T) {
+		acl, err := NewACL(true, nil)
+		must.NoError(t, err)
+		must.True(t, acl.AllowSentinelOperation(SentinelCapabilityRead))
+		must.True(t, acl.AllowSentinelOperation(SentinelCapabilitySubmit))
+		must.True(t, acl.AllowSentinelOperation(SentinelCapabilityDelete))
+	})
+
+	t.Run("ACLs disabled denies all operations", func(t *testing.T) {
+		acl := &ACL{aclsDisabled: true}
+		must.False(t, acl.AllowSentinelOperation(SentinelCapabilityRead))
+		must.False(t, acl.AllowSentinelOperation(SentinelCapabilitySubmit))
+		must.False(t, acl.AllowSentinelOperation(SentinelCapabilityDelete))
+	})
+
+	t.Run("server write policy allows all operations", func(t *testing.T) {
+		acl := &ACL{server: PolicyWrite}
+		must.True(t, acl.AllowSentinelOperation(SentinelCapabilityRead))
+		must.True(t, acl.AllowSentinelOperation(SentinelCapabilitySubmit))
+		must.True(t, acl.AllowSentinelOperation(SentinelCapabilityDelete))
+	})
+}
diff --git a/acl/policy.go b/acl/policy.go
@@ -144,6 +144,16 @@ const (
 	OperatorCapabilityKeyringDelete = "keyring-delete"
 )
 
+const (
+	// The following are the fine-grained capabilities that can be granted for
+	// Sentinel CRUD operations. Deny takes precedence and overwrites all other
+	// capabilities.
+	SentinelCapabilityDeny   = "deny"
+	SentinelCapabilityRead   = "sentinel-read"
+	SentinelCapabilitySubmit = "sentinel-submit"
+	SentinelCapabilityDelete = "sentinel-delete"
+)
+
 // Policy represents a parsed HCL or JSON policy.
 type Policy struct {
 	Namespaces  []*NamespacePolicy  `hcl:"namespace,expand"`
@@ -152,6 +162,7 @@ type Policy struct {
 	Agent       *AgentPolicy        `hcl:"agent"`
 	Node        *NodePolicy         `hcl:"node"`
 	Operator    *OperatorPolicy     `hcl:"operator"`
+	Sentinel    *SentinelPolicy     `hcl:"sentinel"`
 	Quota       *QuotaPolicy        `hcl:"quota"`
 	Plugin      *PluginPolicy       `hcl:"plugin"`
 	Raw         string              `hcl:"-"`
@@ -177,6 +188,7 @@ func (p *Policy) IsEmpty() bool {
 		p.Agent == nil &&
 		p.Node == nil &&
 		p.Operator == nil &&
+		p.Sentinel == nil &&
 		p.Quota == nil &&
 		p.Plugin == nil
 }
@@ -233,6 +245,11 @@ type OperatorPolicy struct {
 	Capabilities []string
 }
 
+type SentinelPolicy struct {
+	Policy       string
+	Capabilities []string
+}
+
 type QuotaPolicy struct {
 	Policy string
 }
@@ -405,6 +422,17 @@ func isOperatorCapabilityValid(cap string) bool {
 	}
 }
 
+// isSentinelCapabilityValid ensures the given capability is valid for a sentinel policy
+func isSentinelCapabilityValid(cap string) bool {
+	switch cap {
+	case SentinelCapabilityDeny, SentinelCapabilityRead,
+		SentinelCapabilitySubmit, SentinelCapabilityDelete:
+		return true
+	default:
+		return false
+	}
+}
+
 func expandNodePoolPolicy(policy string) []string {
 	switch policy {
 	case PolicyDeny:
@@ -440,6 +468,21 @@ func expandOperatorPolicy(policy string) []string {
 	}
 }
 
+// expandSentinelPolicy provides the equivalent set of capabilities for
+// a sentinel policy
+func expandSentinelPolicy(policy string) []string {
+	switch policy {
+	case PolicyDeny:
+		return []string{SentinelCapabilityDeny}
+	case PolicyRead:
+		return []string{SentinelCapabilityRead}
+	case PolicyWrite:
+		return []string{SentinelCapabilityRead, SentinelCapabilitySubmit, SentinelCapabilityDelete}
+	default:
+		return nil
+	}
+}
+
 func isHostVolumeCapabilityValid(cap string) bool {
 	switch cap {
 	case HostVolumeCapabilityDeny, HostVolumeCapabilityMountReadOnly, HostVolumeCapabilityMountReadWrite:
@@ -658,6 +701,24 @@ func Parse(rules string, strict bool) (*Policy, error) {
 		}
 	}
 
+	if p.Sentinel != nil {
+		if p.Sentinel.Policy != "" && !isPolicyValid(p.Sentinel.Policy) {
+			return nil, fmt.Errorf("Invalid sentinel policy: %#v", p.Sentinel)
+		}
+		for _, cap := range p.Sentinel.Capabilities {
+			if !isSentinelCapabilityValid(cap) {
+				return nil, fmt.Errorf("Invalid sentinel capability '%s'", cap)
+			}
+		}
+
+		// Expand the short hand policy to the capabilities and
+		// add to any existing capabilities
+		if p.Sentinel.Policy != "" {
+			extraCap := expandSentinelPolicy(p.Sentinel.Policy)
+			p.Sentinel.Capabilities = append(p.Sentinel.Capabilities, extraCap...)
+		}
+	}
+
 	if p.Quota != nil && !isPolicyValid(p.Quota.Policy) {
 		return nil, fmt.Errorf("Invalid quota policy: %#v", p.Quota)
 	}
diff --git a/acl/policy_test.go b/acl/policy_test.go
@@ -99,6 +99,10 @@ func TestParse(t *testing.T) {
 			operator {
 				policy = "deny"
 			}
+			sentinel {
+				policy = "read"
+				capabilities = ["sentinel-delete"]
+			}
 			quota {
 				policy = "read"
 			}
@@ -232,6 +236,13 @@ func TestParse(t *testing.T) {
 					Policy:       PolicyDeny,
 					Capabilities: []string{"deny"},
 				},
+				Sentinel: &SentinelPolicy{
+					Policy: PolicyRead,
+					Capabilities: []string{
+						SentinelCapabilityDelete,
+						SentinelCapabilityRead,
+					},
+				},
 				Quota: &QuotaPolicy{
 					Policy: PolicyRead,
 				},
@@ -940,6 +951,16 @@ func TestParse(t *testing.T) {
 			"Invalid plugin policy",
 			nil,
 		},
+		{
+			`sentinel {	policy = "invalid" }`,
+			"Invalid sentinel policy",
+			nil,
+		},
+		{
+			`sentinel { capabilities = ["invalid-capability"] }`,
+			"Invalid sentinel capability",
+			nil,
+		},
 	}
 
 	for idx, tc := range tcases {
diff --git a/command/sentinel_apply.go b/command/sentinel_apply.go
@@ -26,7 +26,7 @@ Usage: nomad sentinel apply [options] <name> <file>
   from stdin by specifying "-".
 
   Sentinel commands are only available when ACLs are enabled. This command
-  requires a management token.
+  requires a token with the sentinel-submit capability.
 
 General Options:
 
diff --git a/command/sentinel_delete.go b/command/sentinel_delete.go
@@ -21,7 +21,7 @@ Usage: nomad sentinel delete [options] <name>
   Delete is used to delete an existing Sentinel policy.
 
   Sentinel commands are only available when ACLs are enabled. This command
-  requires a management token.
+  requires a token with the sentinel-delete capability.
 
 General Options:
 
diff --git a/command/sentinel_list.go b/command/sentinel_list.go
@@ -21,7 +21,7 @@ Usage: nomad sentinel list [options]
   List is used to display all the installed Sentinel policies.
 
   Sentinel commands are only available when ACLs are enabled. This command
-  requires a management token.
+  requires a token with the sentinel-read capability.
 
 General Options:
 
diff --git a/command/sentinel_read.go b/command/sentinel_read.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:improvement
	`2`	+acl (Enterprise): Added `sentinel` policy block to allow managing Sentinel policies without a management token
	`3`	+```