hashicorp · calvn · Jan 23, 2018 · Jan 23, 2018 · Jan 23, 2018 · Jan 23, 2018
diff --git a/builtin/logical/database/dbplugin/server.go b/builtin/logical/database/dbplugin/server.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 
 	"github.com/hashicorp/go-plugin"
+	"github.com/hashicorp/vault/helper/pluginutil"
 )
 
 // Serve is called from within a plugin and wraps the provided
@@ -23,10 +24,16 @@ func ServeConfig(db Database, tlsProvider func() (*tls.Config, error)) *plugin.S
 		"database": dbPlugin,
 	}
 
-	return &plugin.ServeConfig{
+	conf := &plugin.ServeConfig{
 		HandshakeConfig: handshakeConfig,
 		Plugins:         pluginMap,
 		TLSProvider:     tlsProvider,
 		GRPCServer:      plugin.DefaultGRPCServer,
 	}
+
+	if !pluginutil.GRPCSupport() {
+		conf.GRPCServer = nil
+	}
+
+	return conf
 }
diff --git a/helper/pluginutil/runner.go b/helper/pluginutil/runner.go
@@ -12,6 +12,7 @@ import (
 	plugin "github.com/hashicorp/go-plugin"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/helper/wrapping"
+	"github.com/hashicorp/vault/version"
 	log "github.com/mgutz/logxi/v1"
 )
 
@@ -70,6 +71,7 @@ func (r *PluginRunner) runCommon(ctx context.Context, wrapper RunnerUtil, plugin
 	if wrapper.MlockEnabled() {
 		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMlockEnabled, "true"))
 	}
+	cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version))
 
 	// Create logger for the plugin client
 	clogger := &hclogFaker{

diff --git a/helper/pluginutil/version.go b/helper/pluginutil/version.go
@@ -0,0 +1,40 @@
+package pluginutil
+
+import (
+	"os"
+
+	"github.com/hashicorp/go-version"
+)
+
+var (
+	// PluginVaultVersionEnv is the ENV name used to pass the version of the
+	// vault server to the plugin
+	PluginVaultVersionEnv = "VAULT_VERSION"
+)
+
+// GRPCSupport defaults to returning true, unless VAULT_VERSION is missing or
+// it fails to meet the version constraint.
+func GRPCSupport() bool {
+	verString := os.Getenv(PluginVaultVersionEnv)
+
+	// If the env var is empty, we fall back to netrpc for backward compatibility.
+	if verString == "" {
+		return false
+	}
+
+	if verString != "unknown" {
+		ver, err := version.NewVersion(verString)
+		if err != nil {
+			return true
+		}
+
+		constraint, err := version.NewConstraint(">= 0.9.2")
+		if err != nil {
+			return true
+		}
+
+		return constraint.Check(ver)
+	}
+
+	return true
+}
diff --git a/helper/pluginutil/version_test.go b/helper/pluginutil/version_test.go
@@ -0,0 +1,57 @@
+package pluginutil
+
+import (
+	"os"
+	"testing"
+)
+
+func TestGRPCSupport(t *testing.T) {
+	cases := []struct {
+		envVersion string
+		expected   bool
+	}{
+		{
+			"0.8.3",
+			false,
+		},
+		{
+			"0.9.2",
+			true,
+		},
+		{
+			"0.9.2+ent",
+			true,
+		},
+		{
+			"0.9.2-beta",
+			false,
+		},
+		{
+			"0.9.3",
+			true,
+		},
+		{
+			"unknown",
+			true,
+		},
+		{
+			"",
+			false,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.envVersion, func(t *testing.T) {
+			err := os.Setenv(PluginVaultVersionEnv, tc.envVersion)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			result := GRPCSupport()
+
+			if result != tc.expected {
+				t.Fatalf("got: %t, expected: %t", result, tc.expected)
+			}
+		})
+	}
+}
diff --git a/logical/plugin/serve.go b/logical/plugin/serve.go
@@ -47,16 +47,22 @@ func Serve(opts *ServeOpts) error {
 		return err
 	}
 
-	// If FetchMetadata is true, run without TLSProvider
-	plugin.Serve(&plugin.ServeConfig{
+	serveOpts := &plugin.ServeConfig{
 		HandshakeConfig: handshakeConfig,
 		Plugins:         pluginMap,
 		TLSProvider:     opts.TLSProviderFunc,
 		Logger:          logger,
 
 		// A non-nil value here enables gRPC serving for this plugin...
 		GRPCServer: plugin.DefaultGRPCServer,
-	})
+	}
+
+	if !pluginutil.GRPCSupport() {
+		serveOpts.GRPCServer = nil
+	}
+
+	// If FetchMetadata is true, run without TLSProvider
+	plugin.Serve(serveOpts)
 
 	return nil
 }