[JEP-223] Overall/Manage permission

Co-Authored-By: NEsther Alvarez Feijoo <ealvarez@cloudbees.com>
Co-Authored-By: NaHenryJard <ajard@cloudbees.com>
Co-Authored-By: Nmichael cirioli <mikecirioli@gmail.com>

core/src/main/java/hudson/FilePath.java

@@ -2971,7 +2971,7 @@ public final class FilePath implements SerializableOnlyOverRemoting {
     private static void checkPermissionForValidate() {
         AccessControlled subject = Stapler.getCurrentRequest().findAncestorObject(AbstractProject.class);
         if (subject == null)
-            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
+            Jenkins.get().checkPermission(Jenkins.MANAGE);
         else
             subject.checkPermission(Item.CONFIGURE);
     }

core/src/main/java/hudson/Functions.java

@@ -1062,6 +1062,10 @@ public class Functions {
             Descriptor d = c.getInstance();
             if (d.getGlobalConfigPage()==null)  continue;
 
+            if (!Jenkins.get().hasPermission(d.getPermission())) {
+                continue;
+            }
+
             if (predicate.apply(d.getCategory())) {
                 r.add(new Tag(c.ordinal(), d));
             }

core/src/main/java/hudson/model/Descriptor.java

@@ -24,6 +24,7 @@
 package hudson.model;
 
 import hudson.DescriptorExtensionList;
+import hudson.Extension;
 import hudson.PluginWrapper;
 import hudson.RelativePath;
 import hudson.XmlFile;
@@ -31,6 +32,7 @@ import hudson.BulkChange;
 import hudson.ExtensionList;
 import hudson.Util;
 import hudson.model.listeners.SaveableListener;
+import hudson.security.Permission;
 import hudson.util.FormApply;
 import hudson.util.FormValidation.CheckMethod;
 import hudson.util.ReflectionUtils;
@@ -830,6 +832,18 @@ public abstract class Descriptor<T extends Describable<T>> implements Saveable,
         return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Unclassified.class);
     }
 
+    /**
+     * Returns the permission type needed in order to configure the descriptor if and only if it is configured through the global (Unclassified) configuration.
+     * By default, requires {@link Jenkins.ADMINISTER} permission.
+     * Override to return something different if appropriate. The only currently supported alternative return value is {@link Jenkins.MANAGE}.
+     *
+     * @return Permission required to configure this descriptor.
+     */
+    public @Nonnull
+    Permission getPermission() {
+        return Jenkins.ADMINISTER;
+    }
+
     private String getViewPage(Class<?> clazz, String pageName, String defaultValue) {
         return getViewPage(clazz,Collections.singleton(pageName),defaultValue);
     }

core/src/main/java/hudson/model/ManageJenkinsAction.java

@@ -35,7 +35,7 @@ import org.jenkinsci.Symbol;
 @Extension(ordinal=100) @Symbol("manageJenkins")
 public class ManageJenkinsAction implements RootAction {
     public String getIconFileName() {
-        if (Jenkins.get().hasPermission(Jenkins.ADMINISTER))
+        if (Jenkins.get().hasPermission(Jenkins.MANAGE))
             return "gear2.png";
         else
             return null;

core/src/main/java/hudson/model/ManagementLink.java

@@ -115,7 +115,7 @@ public abstract class ManagementLink implements ExtensionPoint, Action {
      * @return permission required for user to access this management link, in addition to {@link Jenkins#ADMINISTER}
      */
     public @CheckForNull Permission getRequiredPermission() {
-        return null;
+        return Jenkins.ADMINISTER;
     }
 
     /**

core/src/main/java/jenkins/management/CliLink.java

@@ -26,8 +26,12 @@ package jenkins.management;
 
 import hudson.Extension;
 import hudson.model.ManagementLink;
+import hudson.security.Permission;
+import jenkins.model.Jenkins;
 import org.jenkinsci.Symbol;
 
+import javax.annotation.CheckForNull;
+
 /**
  * @author <a href="mailto:nicolas.deloof@gmail.com">Nicolas De Loof</a>
  */
@@ -48,6 +52,12 @@ public class CliLink extends ManagementLink {
         return Messages.CliLink_Description();
     }
 
+    @CheckForNull
+    @Override
+    public Permission getRequiredPermission() {
+        return Jenkins.MANAGE;
+    }
+
     @Override
     public String getUrlName() {
         return "cli";

core/src/main/java/jenkins/management/ConfigureLink.java

@@ -26,8 +26,12 @@ package jenkins.management;
 
 import hudson.Extension;
 import hudson.model.ManagementLink;
+import hudson.security.Permission;
+import jenkins.model.Jenkins;
 import org.jenkinsci.Symbol;
 
+import javax.annotation.CheckForNull;
+
 /**
  * @author <a href="mailto:nicolas.deloof@gmail.com">Nicolas De Loof</a>
  */
@@ -48,6 +52,12 @@ public class ConfigureLink extends ManagementLink {
         return Messages.ConfigureLink_Description();
     }
 
+    @CheckForNull
+    @Override
+    public Permission getRequiredPermission() {
+        return Jenkins.MANAGE;
+    }
+
     @Override
     public String getUrlName() {
         return "configure";

core/src/main/java/jenkins/management/NodesLink.java

@@ -26,9 +26,13 @@ package jenkins.management;
 
 import hudson.Extension;
 import hudson.model.ManagementLink;
+import hudson.security.Permission;
 import jenkins.management.Messages;
+import jenkins.model.Jenkins;
 import org.jenkinsci.Symbol;
 
+import javax.annotation.CheckForNull;
+
 /**
  * @author <a href="mailto:nicolas.deloof@gmail.com">Nicolas De Loof</a>
  */
@@ -49,6 +53,12 @@ public class NodesLink extends ManagementLink {
         return Messages.NodesLink_Description();
     }
 
+    @CheckForNull
+    @Override
+    public Permission getRequiredPermission() {
+        return Jenkins.MANAGE;
+    }
+
     @Override
     public String getUrlName() {
         return "computer";

core/src/main/java/jenkins/management/StatisticsLink.java

@@ -26,8 +26,12 @@ package jenkins.management;
 
 import hudson.Extension;
 import hudson.model.ManagementLink;
+import hudson.security.Permission;
+import jenkins.model.Jenkins;
 import org.jenkinsci.Symbol;
 
+import javax.annotation.CheckForNull;
+
 /**
  * @author <a href="mailto:nicolas.deloof@gmail.com">Nicolas De Loof</a>
  */
@@ -48,6 +52,12 @@ public class StatisticsLink extends ManagementLink {
         return Messages.StatisticsLink_Description();
     }
 
+    @CheckForNull
+    @Override
+    public Permission getRequiredPermission() {
+        return Jenkins.MANAGE;
+    }
+
     @Override
     public String getUrlName() {
         return "load-statistics";

core/src/main/java/jenkins/model/GlobalProjectNamingStrategyConfiguration.java

@@ -24,12 +24,15 @@
 package jenkins.model;
 
 import hudson.Extension;
+import hudson.security.Permission;
 import jenkins.model.ProjectNamingStrategy.DefaultProjectNamingStrategy;
 import net.sf.json.JSONObject;
 
 import org.jenkinsci.Symbol;
 import org.kohsuke.stapler.StaplerRequest;
 
+import javax.annotation.Nonnull;
+
 /**
  * Configures the project naming strategy.
  * 
@@ -59,4 +62,10 @@ public class GlobalProjectNamingStrategyConfiguration extends GlobalConfiguratio
         }
         return true;
     }
+
+    @Nonnull
+    @Override
+    public Permission getPermission() {
+        return Jenkins.MANAGE;
+    }
 }

core/src/main/java/jenkins/model/GlobalQuietPeriodConfiguration.java

@@ -24,10 +24,12 @@
 package jenkins.model;
 
 import hudson.Extension;
+import hudson.security.Permission;
 import net.sf.json.JSONObject;
 import org.jenkinsci.Symbol;
 import org.kohsuke.stapler.StaplerRequest;
 
+import javax.annotation.Nonnull;
 import java.io.IOException;
 
 /**
@@ -57,4 +59,10 @@ public class GlobalQuietPeriodConfiguration extends GlobalConfiguration {
             throw new FormException(e,"quietPeriod");
         }
     }
+
+    @Nonnull
+    @Override
+    public Permission getPermission() {
+        return Jenkins.MANAGE;
+    }
 }

core/src/main/java/jenkins/model/GlobalSCMRetryCountConfiguration.java

@@ -24,11 +24,13 @@
 package jenkins.model;
 
 import hudson.Extension;
+import hudson.security.Permission;
 import net.sf.json.JSONException;
 import net.sf.json.JSONObject;
 import org.jenkinsci.Symbol;
 import org.kohsuke.stapler.StaplerRequest;
 
+import javax.annotation.Nonnull;
 import java.io.IOException;
 
 /**
@@ -54,4 +56,10 @@ public class GlobalSCMRetryCountConfiguration extends GlobalConfiguration {
             throw new FormException(e.getMessage(), "quietPeriod");
         }
     }
+
+    @Nonnull
+    @Override
+    public Permission getPermission() {
+        return Jenkins.MANAGE;
+    }
 }

core/src/main/java/jenkins/model/Jenkins.java

@@ -2199,6 +2199,9 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
      * @since 2.64
      */
     public List<AdministrativeMonitor> getActiveAdministrativeMonitors() {
+        if (!Jenkins.get().hasPermission(ADMINISTER)) {
+            return Collections.emptyList();
+        }
         return administrativeMonitors.stream().filter(m -> {
             try {
                 return m.isEnabled() && m.isActivated();
@@ -3762,7 +3765,7 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
     public synchronized void doConfigSubmit( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException, FormException {
         BulkChange bc = new BulkChange(this);
         try {
-            checkPermission(ADMINISTER);
+            checkPermission(MANAGE);
 
             JSONObject json = req.getSubmittedForm();
 
@@ -5236,7 +5239,25 @@ public class Jenkins extends AbstractCIBase implements DirectlyModifiableTopLeve
     private static final Logger LOGGER = Logger.getLogger(Jenkins.class.getName());
 
     public static final PermissionGroup PERMISSIONS = Permission.HUDSON_PERMISSIONS;
+    /**
+     * Grants ability to configure any and all aspects of the Jenkins instance
+     */
     public static final Permission ADMINISTER = Permission.HUDSON_ADMINISTER;
+
+    /**
+     * Allows non-privilege escalating configuration permission for a Jenkins instance.  Actions which could result
+     * in a privilege  escalation (such as RUN_SCRIPTS) require explicit ADMINISTER permission.
+     *
+     * As an experimental feature, making the manage permission able to be disabled by default (keep as ADMINISTER), can
+     * be enabled with "jenkins.security.ManagePermission" system property.
+     */
+    public static final Permission MANAGE = new Permission(PERMISSIONS, "Manage",
+            Messages._Jenkins_Manage_Description(),
+            ADMINISTER,
+            SystemProperties.getBoolean("jenkins.security.ManagePermission"),
+            new PermissionScope[]{PermissionScope.JENKINS});
+
+
     public static final Permission READ = new Permission(PERMISSIONS,"Read",Messages._Hudson_ReadPermission_Description(),Permission.READ,PermissionScope.JENKINS);
     public static final Permission RUN_SCRIPTS = new Permission(PERMISSIONS, "RunScripts", Messages._Hudson_RunScriptsPermission_Description(),ADMINISTER,PermissionScope.JENKINS);
 

core/src/main/resources/hudson/PluginManager/sidepanel.groovy

@@ -28,7 +28,7 @@ l.header()
 l.side_panel {
     l.tasks {
         l.task(icon:"icon-up icon-md", href:rootURL+'/', title:_("Back to Dashboard"))
-        l.task(icon:"icon-gear2 icon-md", href:"${rootURL}/manage", title:_("Manage Jenkins"), permission:app.ADMINISTER, it:app)
+        l.task(icon:"icon-gear2 icon-md", href:"${rootURL}/manage", title:_("Manage Jenkins"), permission:app.MANAGE, it:app)
         if (!app.updateCenter.jobs.isEmpty()) {
             l.task(icon:"icon-plugin icon-md", href:"${rootURL}/updateCenter/", title:_("Update Center"))
         }

core/src/main/resources/hudson/model/ComputerSet/sidepanel.jelly

@@ -32,7 +32,7 @@ THE SOFTWARE.
     <j:getStatic var="createPermission" className="hudson.model.Computer" field="CREATE"/>
     <l:tasks>
       <l:task href="${rootURL}/" icon="icon-up icon-md" title="${%Back to Dashboard}"/>
-      <l:task href="${rootURL}/manage" icon="icon-gear2 icon-md" permission="${app.ADMINISTER}" title="${%Manage Jenkins}"/>
+      <l:task href="${rootURL}/manage" icon="icon-gear2 icon-md" permission="${app.MANAGE}" title="${%Manage Jenkins}"/>
       <l:task href="new" icon="icon-new-computer icon-md" permission="${createPermission}" title="${%New Node}"/>
       <l:task href="${rootURL}/configureClouds" icon="icon-health-40to59 icon-md" permission="${app.ADMINISTER}" title="${%Configure Clouds}"/>
       <l:task href="configure" icon="icon-gear2 icon-md" permission="${app.ADMINISTER}" title="${%Node Monitoring}"/>

core/src/main/resources/hudson/model/Messages.properties

@@ -163,6 +163,10 @@ Hudson.AdministerPermission.Description=\
   This permission grants the ability to make system-wide configuration changes, \
   as well as perform highly sensitive operations that amounts to full local system access \
   (within the scope granted by the underlying OS.)
+Jenkins.Manage.Description=\
+  This permission grants the ability to make non Permission escalating system \
+  configuration changes. \
+  System configuration which would allow the execution of arbitrary commands or code on the master requires Administer.
 Hudson.ReadPermission.Description=\
   The read permission is necessary for viewing almost all pages of Jenkins. \
   This permission is useful when you don\u2019t want unauthenticated users to see \

core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/sidepanel.jelly

@@ -28,7 +28,7 @@ THE SOFTWARE.
   <l:side-panel>
     <l:tasks>
       <l:task href="${rootURL}/" icon="icon-up icon-md" title="${%Back to Dashboard}"/>
-      <l:task href="${rootURL}/manage" icon="icon-gear2 icon-md" permission="${app.ADMINISTER}" title="${%Manage Jenkins}"/>
+      <l:task href="${rootURL}/manage" icon="icon-gear2 icon-md" permission="${app.MANAGE}" title="${%Manage Jenkins}"/>
       <l:task href="addUser" icon="icon-new-user icon-md" permission="${app.ADMINISTER}" title="${%Create User}"/>
     </l:tasks>
   </l:side-panel>

core/src/main/resources/jenkins/model/Jenkins/configure.jelly

@@ -27,7 +27,7 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-<l:layout norefresh="true" permission="${it.ADMINISTER}" title="${%Configure System}">
+<l:layout norefresh="true" permission="${it.MANAGE}" title="${%Configure System}">
   <st:include page="sidepanel.jelly" />
   <f:breadcrumb-config-outline />
   <l:main-panel>

core/src/main/resources/jenkins/model/Jenkins/manage.jelly

@@ -27,7 +27,7 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-<l:layout title="${%Manage Jenkins}" xmlns:local="local" permission="${app.ADMINISTER}">
+<l:layout title="${%Manage Jenkins}" xmlns:local="local" permission="${app.MANAGE}">
 
   <l:header>
      <link rel="stylesheet" href="${resURL}/bootstrap/css/bootstrap.min.css" type="text/css" />