Skip to content

Commit

Permalink
acl: gate ACL role write and delete RPC usage on v1.4.0 or greater. (#…
Browse files Browse the repository at this point in the history 
…14908)
  • Loading branch information
@jrasell
jrasell committed Oct 18, 2022
1 parent 6c80ccf commit ce9d2e6
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .changelog/14908.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
acl: Ensure all federated servers meet v.1.4.0 minimum before ACL roles can be written
```
14 changes: 14 additions & 0 deletions nomad/acl_endpoint.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1097,6 +1097,13 @@ func (a *ACL) UpsertRoles(
}
defer metrics.MeasureSince([]string{"nomad", "acl", "upsert_roles"}, time.Now())

// ACL roles can only be used once all servers, in all federated regions
// have been upgraded to 1.4.0 or greater.
if !ServersMeetMinimumVersion(a.srv.Members(), AllRegions, minACLRoleVersion, false) {
return fmt.Errorf("all servers should be running version %v or later to use ACL roles",
minACLRoleVersion)
}

// Only tokens with management level permissions can create ACL roles.
if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil {
return err
Expand Down Expand Up @@ -1233,6 +1240,13 @@ func (a *ACL) DeleteRolesByID(
}
defer metrics.MeasureSince([]string{"nomad", "acl", "delete_roles"}, time.Now())

// ACL roles can only be used once all servers, in all federated regions
// have been upgraded to 1.4.0 or greater.
if !ServersMeetMinimumVersion(a.srv.Members(), AllRegions, minACLRoleVersion, false) {
return fmt.Errorf("all servers should be running version %v or later to use ACL roles",
minACLRoleVersion)
}

// Only tokens with management level permissions can create ACL roles.
if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil {
return err
Expand Down
5 changes: 5 additions & 0 deletions nomad/leader.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,11 @@ var minJobRegisterAtomicEvalVersion = version.Must(version.NewVersion("0.12.1"))

var minOneTimeAuthenticationTokenVersion = version.Must(version.NewVersion("1.1.0"))

// minACLRoleVersion is the Nomad version at which the ACL role table was
// introduced. It forms the minimum version all federated servers must meet
// before the feature can be used.
var minACLRoleVersion = version.Must(version.NewVersion("1.4.0"))

// minNomadServiceRegistrationVersion is the Nomad version at which the service
// registrations table was introduced. It forms the minimum version all local
// servers must meet before the feature can be used.
Expand Down

0 comments on commit ce9d2e6

Please sign in to comment.