From ce9d2e6f6bb9e92525b3eb789c1626b2d59680ce Mon Sep 17 00:00:00 2001
From: James Rasell
Date: Tue, 18 Oct 2022 16:46:11 +0200
Subject: [PATCH] acl: gate ACL role write and delete RPC usage on v1.4.0 or greater. (#14908)

---
 .changelog/14908.txt | 3 +++
 nomad/acl_endpoint.go | 14 ++++++++++++++
 nomad/leader.go | 5 +++++
 3 files changed, 22 insertions(+)
 create mode 100644 .changelog/14908.txt

diff --git a/.changelog/14908.txt b/.changelog/14908.txt
new file mode 100644
index 000000000000..e3789ef90f81
--- /dev/null
+++ b/.changelog/14908.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+acl: Ensure all federated servers meet v.1.4.0 minimum before ACL roles can be written
+```
diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go
index 424e6dd33a4d..21c487ec5334 100644
--- a/nomad/acl_endpoint.go
+++ b/nomad/acl_endpoint.go
@@ -1097,6 +1097,13 @@ func (a *ACL) UpsertRoles(
 	}
 	defer metrics.MeasureSince([]string{"nomad", "acl", "upsert_roles"}, time.Now())
 
+	// ACL roles can only be used once all servers, in all federated regions
+	// have been upgraded to 1.4.0 or greater.
+	if !ServersMeetMinimumVersion(a.srv.Members(), AllRegions, minACLRoleVersion, false) {
+		return fmt.Errorf("all servers should be running version %v or later to use ACL roles",
+			minACLRoleVersion)
+	}
+
 	// Only tokens with management level permissions can create ACL roles.
 	if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil {
 		return err
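Review bot: The new version gate in UpsertRoles runs before `a.srv.ResolveToken(args.AuthToken)`, so an unauthenticated or non-management caller learns whether every federated server has reached `minACLRoleVersion` (the error message spells the version out) instead of getting the permission error; moving the `ServersMeetMinimumVersion` block to just after the management-token check keeps the gate while exposing upgrade posture only to callers already allowed to write roles. The DeleteRolesByID hunk has the same ordering. The trailing `false` argument appears to control whether non-alive members take part in the check — if it excludes them, a pre-1.4.0 server that is failed at write time but later rejoins was never counted, and that choice deserves a line in the comment, e.g. `// Members that are not alive are not considered; a stale server that rejoins is expected to be upgraded first.` Both UpsertRoles and DeleteRolesByID begin and end outside their hunks.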
@@ -1233,6 +1240,13 @@ func (a *ACL) DeleteRolesByID(
 	}
 	defer metrics.MeasureSince([]string{"nomad", "acl", "delete_roles"}, time.Now())
 
+	// ACL roles can only be used once all servers, in all federated regions
+	// have been upgraded to 1.4.0 or greater.
+	if !ServersMeetMinimumVersion(a.srv.Members(), AllRegions, minACLRoleVersion, false) {
+		return fmt.Errorf("all servers should be running version %v or later to use ACL roles",
+			minACLRoleVersion)
+	}
+
 	// Only tokens with management level permissions can create ACL roles.
 	if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil {
 		return err
diff --git a/nomad/leader.go b/nomad/leader.go
index 235af5f39636..141b1df1035e 100644
--- a/nomad/leader.go
+++ b/nomad/leader.go
@@ -49,6 +49,11 @@ var minJobRegisterAtomicEvalVersion = version.Must(version.NewVersion("0.12.1"))
 
 var minOneTimeAuthenticationTokenVersion = version.Must(version.NewVersion("1.1.0"))
 
+// minACLRoleVersion is the Nomad version at which the ACL role table was
+// introduced. It forms the minimum version all federated servers must meet
+// before the feature can be used.
+var minACLRoleVersion = version.Must(version.NewVersion("1.4.0"))
+
 // minNomadServiceRegistrationVersion is the Nomad version at which the service
 // registrations table was introduced. It forms the minimum version all local
 // servers must meet before the feature can be used.