Simplifying agent-to-controller security

[Daniel Beck]

Hi everyone,


While it's not yet quite there in terms of JEP process, feedback is already welcome for this JEP and the corresponding core PRs:

https://github.com/jenkinsci/jep/pull/381

Abstract: The agent-to-controller security subsystem is greatly simplified: it is always enabled and exceptions defined in 2014 for backwards compatibility with plugins are gone.

The implementation of this JEP is filed as draft PRs to core, and this has the specification and justification.

Ideally we'd merge the core changes before the next LTS baseline (~2.331) to minimize how long we'll have to deal with the current implementation -- ideally a lot earlier to have more time to adapt any affected plugins.


Regards
Daniel

[Daniel Beck]

On Sat, Nov 20, 2021 at 12:03 AM 'Daniel Beck' via Jenkins Developers <jenkin...@googlegroups.com> wrote:

https://github.com/jenkinsci/jep/pull/381

Abstract: The agent-to-controller security subsystem is greatly simplified: it is always enabled and exceptions defined in 2014 for backwards compatibility with plugins are gone.

The implementation of this JEP is filed as draft PRs to core, and this has the specification and justification.

Ideally we'd merge the core changes before the next LTS baseline (~2.331) to minimize how long we'll have to deal with the current implementation -- ideally a lot earlier to have more time to adapt any affected plugins.

I've continually updated the PR with the results from telemetry. A handful of plugins are now known to be affected. About 25k instances reported data so far, of which less than 200 reported potential problems.

If you have questions, concerns, or other feedback, please comment on the JEP, or JENKINS-67173. Thanks!