make the MANAGE permission enabled by default

[jtnord]

Removed experimental warning for MANAGE permission and enable it by default.

JEP-223

Fixes #16423
follows up #10183

Testing done

Proposed changelog entries

• Enables the Overall/Manage Permission by default. This permission when granted to users allows them to configure certain parts of Jenkins' global configuration without the ability to execute arbitrary code.

Proposed changelog category

Proposed upgrade guidelines

As the permission is now enabled by default users can uninstall the Overall/Manage permission enabler plugin

Submitter checklist

• The issue, if it exists, is well-described.
• The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples). Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
• There is automated testing or an explanation as to why this change has no tests.
• New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
• New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
• UI changes do not introduce regressions when enforcing the current default rules of Content Security Policy Plugin. In particular, new or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
• For dependency updates, there are links to external changelogs and, if possible, full differentials.
• For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

@mikecirioli

Before the changes are marked as ready-for-merge:

Maintainer checklist

• There are at least two (2) approvals for the pull request and no outstanding requests for change.
• Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
• Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
• Proper changelog labels are set so that the changelog can be generated automatically.
• If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
• If it would make sense to backport the change to LTS, be a Bug or Improvement, and either the issue or pull request must be labeled as lts-candidate to be considered.

[timja]

see #4909 (review) from when system read went GA

May not be as bad as its 1 permission instead of 3, but GA and enabled by default are separate things

[jtnord]

I would argue that the permission is already GA (having had the @Beta restriction removed in #10183 but that left the javadoc comment meaning the comment did not match the contract), thus this is really just enabling it by default which matches the PR title.

Whilst I agree that things are different between GA and being enabled by default I do not see a reason to keep this disabled by default as unlike Overall/SystemRead developers have to have opted into this permission.
Whilst SystemRead could have had issues where secrets where unintentionally leaked just by granting someone Overall/SystemRead a developer has to have updated their plugin to make use of Overall/Manage (and core has been adapted as part of creating the Manage permission) so there should not be any security issues arising from enabling this (administrators would still need to grant this permission too!).

Any complaints about "too many permissions" and its too "hard to manage permissions" should be mitigated by properly killing off RunScripts, ConfigureUpdateCenter, and UploadPlugins. Removing the afore mentioned permissions when combined with this PR would have the net effect of reducing the number of permissions by 2.

//cc @daniel-beck as the original author of the comment.

[jglick]

OK I think

[mikecirioli]

thanks @jtnord

[timja]

Is it worth running this through ATH and bom ?

[jtnord]

Is it worth running this through ATH and bom ?

ATH was passing, PRs filed to adapt plugins.

• enable compatability with future Jenkins version bitbucket-branch-source-plugin#1150
• Adapt to enablement of Overall/Manage permission config-file-provider-plugin#421 (released as 1006.vc7366c201f57)
• Adapt to enablement of Overall/Manage permission kubernetes-plugin#1779 (released as 4398.vb_b_33d9e7fe23)
• Adapt to enablement of Overall/Manage permission mailer-plugin#401 (released as 525.v2458b_d8a_1a_71)
• Adapt tests to enablement of Overall/Manage permission role-strategy-plugin#432 (released as 848.va_a_ea_673cf0b_c)

As the adaptions is purely for tests and not production code I would prefer that we would merge this and then skip the affected tests in the BOM until plugins catch up (I can file a PR to exclude them). WDYT?

[timja]

As the adaptions is purely for tests and not production code I would prefer that we would merge this and then skip the affected tests in the BOM until plugins catch up (I can file a PR to exclude them). WDYT?

We can do although lets give them a little bit of time first, there's no rush here as there's a security release next week so there's at least 2 weeks before this can be released.

[jtnord]

We can do although lets give them a little bit of time first, there's no rush here as there's a security release next week so there's at least 2 weeks before this can be released.

I really want this in the next LTS - so to me there is a rush so this lands in this weeks release :)

[daniel-beck]

I really want this in the next LTS - so to me there is a rush so this lands in this weeks release :)

It won't, unless the LTS decision is delayed even further.

[jtnord]

I really want this in the next LTS - so to me there is a rush so this lands in this weeks release :)

It won't, unless the LTS decision is delayed even further.

I don't follow
Whilst it should have already happened, I was under the impression that the decision would now be taken on the 10th.

And yes tomorrow's weekly would not meet the strict 2 week guidelines but that's not stopped us before.

[daniel-beck]

And yes tomorrow's weekly would not meet the strict 2 week guidelines but that's not stopped us before.

This week's weekly is already out. I don't think they were ever released on Wednesdays unless coinciding with a security release.

Since there's going to be security releases next week (TBA properly probably tomorrow), and we never include non-security changes in security fix weeklies, anything currently unreleased will not be released before Dec 16.

[jtnord]

And yes tomorrow's weekly would not meet the strict 2 week guidelines but that's not stopped us before.

This week's weekly is already out. I don't think they were ever released on Wednesdays unless coinciding with a security release.

oh, I don't think I ever noticed that distinction I thought I had another day :(