Alternative strategy for users and groups management based on OAuth (initial proposal was based on LDAP).
This proposal is about implementing a tuleap-oauth Jenkins plugin in the same fashion than github-oauth or gitlab-oauth. It, of course, implies that Tuleap should be an OAuth2 and OpenID Connect Server provider first for this to work (epic #14432).
The way of working would be:
- Jenkins servers would delegate to Tuleap the authentication of users (via OpenID Connect Provider).
- Project and Groups defined in Tuleap could be exposed to Jenkins with the appropriate OAuth2 scope (read how it works with github-oauth).
- The Tuleap Groups could be then used in Matrix based permissions (for best backward compatibility)
As a reference, here is a screencap of a Github configuration.
The following is something that can be done as part of a future work but it's not in the scope of this User Story.
The plugin can also provied "pre-wired" permissions based on Tuleap own permission system to help Jenkins admins in the configuration of their server (basically it would mean adding specific permissions Tuleap side to be exposed to Jenkins like "This Tuleap Group has developer capabilities, they are allowed to create jobs" or "This Tuleap Group has jenkins admin capabilities, they can administrate the whole platform".