acl: gate ACL role write and delete RPC usage on v1.4.0 or greater. (#14908)

James Rasell 2022-10-18 16:46:11 +02:00 committed by GitHub
parent 9923f9e6f3
commit 8e25048f3d
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 0 deletions

.changelog/14908.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
acl: Ensure all federated servers meet v.1.4.0 minimum before ACL roles can be written
```


@ -1097,6 +1097,13 @@ func (a *ACL) UpsertRoles(
} }
defer metrics.MeasureSince([]string{"nomad", "acl", "upsert_roles"}, time.Now()) defer metrics.MeasureSince([]string{"nomad", "acl", "upsert_roles"}, time.Now())
// ACL roles can only be used once all servers, in all federated regions
// have been upgraded to 1.4.0 or greater.
if !ServersMeetMinimumVersion(a.srv.Members(), AllRegions, minACLRoleVersion, false) {
return fmt.Errorf("all servers should be running version %v or later to use ACL roles",
minACLRoleVersion)
}
// Only tokens with management level permissions can create ACL roles. // Only tokens with management level permissions can create ACL roles.
if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil {
return err return err
@ -1233,6 +1240,13 @@ func (a *ACL) DeleteRolesByID(
} }
defer metrics.MeasureSince([]string{"nomad", "acl", "delete_roles"}, time.Now()) defer metrics.MeasureSince([]string{"nomad", "acl", "delete_roles"}, time.Now())
// ACL roles can only be used once all servers, in all federated regions
// have been upgraded to 1.4.0 or greater.
if !ServersMeetMinimumVersion(a.srv.Members(), AllRegions, minACLRoleVersion, false) {
return fmt.Errorf("all servers should be running version %v or later to use ACL roles",
minACLRoleVersion)
}
// Only tokens with management level permissions can create ACL roles. // Only tokens with management level permissions can create ACL roles.
if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil { if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil {
return err return err
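Review bot: The version gate in UpsertRoles runs before `a.srv.ResolveToken(args.AuthToken)`, so a caller with a missing or invalid token gets the "all servers should be running version ..." error rather than a permission error, which tells an unauthenticated client that some federated server is still below 1.4.0; the DeleteRolesByID hunk repeats the same ordering. If that order is intentional, say so at both sites with a comment such as `// Version gate runs before token resolution; its error is visible to unauthenticated callers.`, otherwise move the gate below the management-token check. The trailing `false` passed to `ServersMeetMinimumVersion` is unexplained; if it decides whether failed servers are counted (its definition is not shown on this page), note at the call that an older server in a failed state would not block the gate. Both function bodies begin and end outside the hunks, so the rest of the permission check is not visible here, and none of the three changed files adds a test for the new rejection path.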


@ -49,6 +49,11 @@ var minJobRegisterAtomicEvalVersion = version.Must(version.NewVersion("0.12.1"))
var minOneTimeAuthenticationTokenVersion = version.Must(version.NewVersion("1.1.0")) var minOneTimeAuthenticationTokenVersion = version.Must(version.NewVersion("1.1.0"))
// minACLRoleVersion is the Nomad version at which the ACL role table was
// introduced. It forms the minimum version all federated servers must meet
// before the feature can be used.
var minACLRoleVersion = version.Must(version.NewVersion("1.4.0"))
// minNomadServiceRegistrationVersion is the Nomad version at which the service // minNomadServiceRegistrationVersion is the Nomad version at which the service
// registrations table was introduced. It forms the minimum version all local // registrations table was introduced. It forms the minimum version all local
// servers must meet before the feature can be used. // servers must meet before the feature can be used.