Proposal: Deprecate Jenkins.RUN_SCRIPTS, PluginManager.UPLOAD_PLUGINS, && PluginManager.CONFIGURE_UPDATECENTER permission types

[Michael Cirioli]

These permissions have been effectively hidden (unless specifically enabled) since 2017-4-10 see -> SECURITY-410).  Work is underway to introduce a more sensible permission segregation that allows the delegation of limited administrative capabilities in a secure manner (see https://github.com/jenkinsci/jep/pull/249),  and it seems reasonable to officially begin to phase out the usage of these permissions.

A WIP PR is available for review (https://github.com/jenkinsci/jenkins/pull/4365), as well as an associated issues (https://issues.jenkins-ci.org/browse/JENKINS-60406).  If this PR is accepted, I expect to create an additional PR against the matrix-auth plugin that removes support for enabling the legacy behavior described in SECURITY-410:

 If you want to retain the old, unsafe behavior, set the system property hudson.security.GlobalMatrixAuthorizationStrategy.dangerousPermissions to true.

The plugin retains permissions configured before upgrading, so there should be no changes in behavior afterwards.

[Oleg Nenashev]

I am +1 for deprecating them.

All major plugins already hide them by default, and we have a security advisory for it.

https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions and below

BR, Oleg

[Michael Cirioli]

I am currently working through a few remaining test failures and will take the PR out of draft status once they are fixed