[JEP-223] Deprecate permissions RUN_SCRIPTS, UPLOAD_PLUGINS, and CONFIGURE_UPDATECENTER #4365
Conversation
oleg-nenashev
added
the
work-in-progress
Co-Authored-By: Jesse Glick <[email protected]>
Co-Authored-By: Tim Jacomb <[email protected]>
Co-Authored-By: Tim Jacomb <[email protected]>
Co-Authored-By: Tim Jacomb <[email protected]>
This reverts commit aa0f378.
…(effectively) what they are.
Jenkins.ADMINISTER
…that is (effectively)" This change broke existing tests involving the matrix-auth plugin when legacy behavior for SECURITY-410 is enabled. This reverts commit e7bc69d.
| @@ -317,6 +317,7 @@ public void testDoScript() throws Exception { | |||
| wc.withBasicApiToken(User.getById("bob", true)); | |||
| wc.assertFails("script", HttpURLConnection.HTTP_FORBIDDEN); | |||
|
|
|||
| //TODO: remove once RUN_SCRIPTS is finally retired | |||
There was a problem hiding this comment.
It is unclear why the permission above was changed, and why this comment is necessary.
There was a problem hiding this comment.
The permission was changed back to RUN_SCRIPTS because that part of the test doesn't make sense if charlie has Jenkins.ADMINISTER. Since RUN_SCRIPTS still technically exists I thought it made more sense to leave the test as-is for now, and to add the comment to remove that block when its properly retired.
There was a problem hiding this comment.
changed back … leave the test as-is for now
But then this PR wouldn't show a difference…?
There was a problem hiding this comment.
Ah, now I get it.
It probably makes sense to convert this test to demonstrate that granting RUN_SCRIPTS does not allow accessing the script console anymore, since all the permission checks are now looking at ADMINISTER instead.
There was a problem hiding this comment.
It probably makes sense to convert this test to demonstrate
… which is exactly what this does now 🤦♂
| @@ -1634,7 +1634,7 @@ public HttpResponse doProxyConfigure(StaplerRequest req) throws IOException, Ser | |||
| @RequirePOST | |||
| public HttpResponse doUploadPlugin(StaplerRequest req) throws IOException, ServletException { | |||
| try { | |||
| Jenkins.get().checkPermission(UPLOAD_PLUGINS); | |||
| Jenkins.get().checkPermission(Jenkins.ADMINISTER); | |||
There was a problem hiding this comment.
Strictly speaking, none of the permission checks in this file matter, but if System Read is about to land, it probably makes sense to keep them.
daniel-beck
added
squash-merge-me
Co-Authored-By: Daniel Beck <[email protected]>
Co-Authored-By: Daniel Beck <[email protected]>
Co-Authored-By: Daniel Beck <[email protected]>
|
Please remove all localizations of |
daniel-beck
changed the title
|
@daniel-beck apparently my local system munged the italian localization. I will see if i can fix that up in the morning |
Do the editing in a very basic text editor, not an IDE that understands the properties format. |
daniel-beck
added
the
needs-comments-resolved
|
Should be good now @daniel-beck |
timja
added
ready-for-merge
daniel-beck
added
the
upgrade-guide-needed
|
FYI upgrade guide work has been planned separately from this PR |
|
FYI: jenkinsci/matrix-auth-plugin#77 to update admin monitors shown to users who currently have these permissions enabled |
See JENKINS-60406, JEP-223
The permissions
RUN_SCRIPTS,UPLOAD_PLUGINS, andCONFIGURE_UPDATECENTERare effectively the same asJenkins.ADMINISTER. This PR flags these permissions as deprecated, and updates jenkins core to instead check forJenkins.ADMINISTER. This is intended to be a first example and that over time other plugins will follow suit.The usage of these permissions is confusing, and has been effectively hidden (unless specifically enabled) since 2017-4-10 (https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions).
Along with this change, jenkinsci/matrix-auth-plugin#77 is proposed to help prepare any users who currently have these permissions enabled.
Proposed changelog entries
Submitter checklist
* Use the
Internal:prefix if the change has no user-visible impact (API, test frameworks, etc.)Desired reviewers
@daniel-beck
@jglick