@@ -75,16 +75,17 @@ func (a *buildByStrategy) Validate() error {

 	return nil

 }

-func resourceForStrategyType(strategy buildapi.BuildStrategy) unversioned.GroupResource {

+func resourceForStrategyType(strategy buildapi.BuildStrategy) (unversioned.GroupResource, error) {

 	switch {

 	case strategy.DockerStrategy != nil:

-		return buildapi.Resource(authorizationapi.DockerBuildResource)

+		return buildapi.Resource(authorizationapi.DockerBuildResource), nil

 	case strategy.CustomStrategy != nil:

-		return buildapi.Resource(authorizationapi.CustomBuildResource)

+		return buildapi.Resource(authorizationapi.CustomBuildResource), nil

 	case strategy.SourceStrategy != nil:

-		return buildapi.Resource(authorizationapi.SourceBuildResource)

+		return buildapi.Resource(authorizationapi.SourceBuildResource), nil

+	default:

+		return unversioned.GroupResource{}, fmt.Errorf("unrecognized build strategy: %#v", strategy)

 	}

-	return unversioned.GroupResource{}

 }

 func resourceName(objectMeta kapi.ObjectMeta) string {

@@ -96,11 +97,15 @@ func resourceName(objectMeta kapi.ObjectMeta) string {

 func (a *buildByStrategy) checkBuildAuthorization(build *buildapi.Build, attr admission.Attributes) error {

 	strategy := build.Spec.Strategy

+	resource, err := resourceForStrategyType(strategy)

+	if err != nil {

+		return err

+	}

 	subjectAccessReview := &authorizationapi.LocalSubjectAccessReview{

 		Action: authorizationapi.AuthorizationAttributes{

 			Verb:         "create",

-			Group:        resourceForStrategyType(strategy).Group,

-			Resource:     resourceForStrategyType(strategy).Resource,

+			Group:        resource.Group,

+			Resource:     resource.Resource,

 			Content:      build,

 			ResourceName: resourceName(build.ObjectMeta),

 		},

@@ -112,11 +117,15 @@ func (a *buildByStrategy) checkBuildAuthorization(build *buildapi.Build, attr ad

 func (a *buildByStrategy) checkBuildConfigAuthorization(buildConfig *buildapi.BuildConfig, attr admission.Attributes) error {

 	strategy := buildConfig.Spec.Strategy

+	resource, err := resourceForStrategyType(strategy)

+	if err != nil {

+		return err

+	}

 	subjectAccessReview := &authorizationapi.LocalSubjectAccessReview{

 		Action: authorizationapi.AuthorizationAttributes{

 			Verb:         "create",

-			Group:        resourceForStrategyType(strategy).Group,

-			Resource:     resourceForStrategyType(strategy).Resource,

+			Group:        resource.Group,

+			Resource:     resource.Resource,

 			Content:      buildConfig,

 			ResourceName: resourceName(buildConfig.ObjectMeta),

 		},

@@ -63,6 +63,10 @@ const (

 	RegistryViewerRoleName = "registry-viewer"

 	RegistryEditorRoleName = "registry-editor"

+	BuildStrategyDockerRoleName = "system:build-strategy-docker"

+	BuildStrategyCustomRoleName = "system:build-strategy-custom"

+	BuildStrategySourceRoleName = "system:build-strategy-source"

+

 	ImageAuditorRoleName      = "system:image-auditor"

 	ImagePullerRoleName       = "system:image-puller"

 	ImagePusherRoleName       = "system:image-pusher"

@@ -114,5 +118,9 @@ const (

 	RegistryViewerRoleBindingName    = RegistryViewerRoleName + "s"

 	RegistryEditorRoleBindingName    = RegistryEditorRoleName + "s"

+	BuildStrategyDockerRoleBindingName = BuildStrategyDockerRoleName + "-binding"

+	BuildStrategyCustomRoleBindingName = BuildStrategyCustomRoleName + "-binding"

+	BuildStrategySourceRoleBindingName = BuildStrategySourceRoleName + "-binding"

+

 	OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s"

 )

@@ -111,6 +111,43 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 		},

 		{

 			ObjectMeta: kapi.ObjectMeta{

+				Name: BuildStrategyDockerRoleName,

+			},

+			Rules: []authorizationapi.PolicyRule{

+				{

+					APIGroups: []string{api.GroupName},

+					Verbs:     sets.NewString("create"),

+					Resources: sets.NewString(authorizationapi.DockerBuildResource),

+				},

+			},

+		},

+		{

+			ObjectMeta: kapi.ObjectMeta{

+				Name: BuildStrategyCustomRoleName,

+			},

+			Rules: []authorizationapi.PolicyRule{

+				{

+					APIGroups: []string{api.GroupName},

+					Verbs:     sets.NewString("create"),

+					Resources: sets.NewString(authorizationapi.CustomBuildResource),

+				},

+			},

+		},

+		{

+			ObjectMeta: kapi.ObjectMeta{

+				Name: BuildStrategySourceRoleName,

+			},

+			Rules: []authorizationapi.PolicyRule{

+				{

+					APIGroups: []string{api.GroupName},

+					Verbs:     sets.NewString("create"),

+					Resources: sets.NewString(authorizationapi.SourceBuildResource),

+				},

+			},

+		},

+

+		{

+			ObjectMeta: kapi.ObjectMeta{

 				Name: AdminRoleName,

 			},

 			Rules: []authorizationapi.PolicyRule{

@@ -132,9 +169,6 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 						authorizationapi.OpenshiftExposedGroupName,

 						authorizationapi.PermissionGrantingGroupName,

 						"projects",

-						authorizationapi.DockerBuildResource,

-						authorizationapi.SourceBuildResource,

-						authorizationapi.CustomBuildResource,

 						"deploymentconfigs/scale",

 						"imagestreams/secrets",

 					),

@@ -196,9 +230,6 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 					Verbs:     sets.NewString("get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"),

 					Resources: sets.NewString(

 						authorizationapi.OpenshiftExposedGroupName,

-						authorizationapi.DockerBuildResource,

-						authorizationapi.SourceBuildResource,

-						authorizationapi.CustomBuildResource,

 						"deploymentconfigs/scale",

 						"imagestreams/secrets",

 					),

@@ -942,5 +973,24 @@ func GetBootstrapClusterRoleBindings() []authorizationapi.ClusterRoleBinding {

 				{Kind: authorizationapi.SystemGroupKind, Name: UnauthenticatedGroup},

 			},

 		},

+

+		// Allow all build strategies by default.

+		// Cluster admins can remove these role bindings, and the reconcile-cluster-role-bindings command

+		// run during an upgrade won't re-add the "system:authenticated" group

+		{

+			ObjectMeta: kapi.ObjectMeta{Name: BuildStrategyDockerRoleBindingName},

+			RoleRef:    kapi.ObjectReference{Name: BuildStrategyDockerRoleName},

+			Subjects:   []kapi.ObjectReference{{Kind: authorizationapi.SystemGroupKind, Name: AuthenticatedGroup}},

+		},

+		{

+			ObjectMeta: kapi.ObjectMeta{Name: BuildStrategyCustomRoleBindingName},

+			RoleRef:    kapi.ObjectReference{Name: BuildStrategyCustomRoleName},

+			Subjects:   []kapi.ObjectReference{{Kind: authorizationapi.SystemGroupKind, Name: AuthenticatedGroup}},

+		},

+		{

+			ObjectMeta: kapi.ObjectMeta{Name: BuildStrategySourceRoleBindingName},

+			RoleRef:    kapi.ObjectReference{Name: BuildStrategySourceRoleName},

+			Subjects:   []kapi.ObjectReference{{Kind: authorizationapi.SystemGroupKind, Name: AuthenticatedGroup}},

+		},

 	}

 }

@@ -35,6 +35,28 @@ os::cmd::expect_success_and_not_text 'oc get rolebinding/cluster-admin --no-head

 os::cmd::expect_success 'oc policy remove-group system:unauthenticated'

 os::cmd::expect_success 'oc policy remove-user system:no-user'

+

+os::cmd::expect_success 'oc policy add-role-to-user admin namespaced-user'

+# Ensure the user has create permissions on builds, but that build strategy permissions are granted through the authenticated users group

+os::cmd::try_until_text              'oadm policy who-can create builds' 'namespaced-user'

+os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/docker' 'namespaced-user'

+os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/custom' 'namespaced-user'

+os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/source' 'namespaced-user'

+os::cmd::expect_success_and_text     'oadm policy who-can create builds/docker' 'system:authenticated'

+os::cmd::expect_success_and_text     'oadm policy who-can create builds/custom' 'system:authenticated'

+os::cmd::expect_success_and_text     'oadm policy who-can create builds/source' 'system:authenticated'

+# if this method for removing access to docker/custom/source builds changes, docs need to be updated as well

+os::cmd::expect_success 'oadm policy remove-cluster-role-from-group system:build-strategy-custom system:authenticated'

+os::cmd::expect_success 'oadm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated'

+os::cmd::expect_success 'oadm policy remove-cluster-role-from-group system:build-strategy-source system:authenticated'

+# ensure build strategy permissions no longer exist

+os::cmd::try_until_failure           'oadm policy who-can create builds/source | grep system:authenticated'

+os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/docker' 'system:authenticated'

+os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/custom' 'system:authenticated'

+os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/source' 'system:authenticated'

+os::cmd::expect_success 'oadm policy reconcile-cluster-role-bindings --confirm'

+

+

 # adjust the cluster-admin role to check defaulting and coverage checks

 # this is done here instead of an integration test because we need to make sure the actual yaml serializations work

 workingdir=$(mktemp -d)

@@ -210,5 +210,44 @@ items:

   - kind: SystemGroup

     name: system:unauthenticated

   userNames: null

+- apiVersion: v1

+  groupNames:

+  - system:authenticated

+  kind: ClusterRoleBinding

+  metadata:

+    creationTimestamp: null

+    name: system:build-strategy-docker-binding

+  roleRef:

+    name: system:build-strategy-docker

+  subjects:

+  - kind: SystemGroup

+    name: system:authenticated

+  userNames: null

+- apiVersion: v1

+  groupNames:

+  - system:authenticated

+  kind: ClusterRoleBinding

+  metadata:

+    creationTimestamp: null

+    name: system:build-strategy-custom-binding

+  roleRef:

+    name: system:build-strategy-custom

+  subjects:

+  - kind: SystemGroup

+    name: system:authenticated

+  userNames: null

+- apiVersion: v1

+  groupNames:

+  - system:authenticated

+  kind: ClusterRoleBinding

+  metadata:

+    creationTimestamp: null

+    name: system:build-strategy-source-binding

+  roleRef:

+    name: system:build-strategy-source

+  subjects:

+  - kind: SystemGroup

+    name: system:authenticated

+  userNames: null

 kind: List

 metadata: {}

@@ -162,6 +162,45 @@ items:

   kind: ClusterRole

   metadata:

     creationTimestamp: null

+    name: system:build-strategy-docker

+  rules:

+  - apiGroups:

+    - ""

+    attributeRestrictions: null

+    resources:

+    - builds/docker

+    verbs:

+    - create

+- apiVersion: v1

+  kind: ClusterRole

+  metadata:

+    creationTimestamp: null

+    name: system:build-strategy-custom

+  rules:

+  - apiGroups:

+    - ""

+    attributeRestrictions: null

+    resources:

+    - builds/custom

+    verbs:

+    - create

+- apiVersion: v1

+  kind: ClusterRole

+  metadata:

+    creationTimestamp: null

+    name: system:build-strategy-source

+  rules:

+  - apiGroups:

+    - ""

+    attributeRestrictions: null

+    resources:

+    - builds/source

+    verbs:

+    - create

+- apiVersion: v1

+  kind: ClusterRole

+  metadata:

+    creationTimestamp: null

     name: admin

   rules:

   - apiGroups:

@@ -203,10 +242,7 @@ items:

     - buildlogs

     - builds

     - builds/clone

-    - builds/custom

-    - builds/docker

     - builds/log

-    - builds/source

     - deploymentconfigrollbacks

     - deploymentconfigs

     - deploymentconfigs/log

@@ -383,10 +419,7 @@ items:

     - buildlogs

     - builds

     - builds/clone

-    - builds/custom

-    - builds/docker

     - builds/log

-    - builds/source

     - deploymentconfigrollbacks

     - deploymentconfigs

     - deploymentconfigs/log

@@ -202,33 +202,30 @@ func setupBuildStrategyTest(t *testing.T, includeControllers bool) (clusterAdmin

 func removeBuildStrategyRoleResources(t *testing.T, clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {

 	// remove resources from role so that certain build strategies are forbidden

-	removeBuildStrategyPrivileges(t, clusterAdminClient.ClusterRoles(), bootstrappolicy.EditRoleName)

-	if err := testutil.WaitForPolicyUpdate(projectEditorClient, testutil.Namespace(), "create", buildapi.Resource(authorizationapi.DockerBuildResource), false); err != nil {

-		t.Error(err)

+	for _, role := range []string{bootstrappolicy.BuildStrategyCustomRoleName, bootstrappolicy.BuildStrategyDockerRoleName, bootstrappolicy.BuildStrategySourceRoleName} {

+		remove := &policy.RoleModificationOptions{

+			RoleNamespace:       "",

+			RoleName:            role,

+			RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),

+			Groups:              []string{"system:authenticated"},

+		}

+		if err := remove.RemoveRole(); err != nil {

+			t.Fatalf("unexpected error: %v", err)

+		}

 	}

-	removeBuildStrategyPrivileges(t, clusterAdminClient.ClusterRoles(), bootstrappolicy.AdminRoleName)

-	if err := testutil.WaitForPolicyUpdate(projectAdminClient, testutil.Namespace(), "create", buildapi.Resource(authorizationapi.DockerBuildResource), false); err != nil {

+	if err := testutil.WaitForPolicyUpdate(projectEditorClient, testutil.Namespace(), "create", buildapi.Resource(authorizationapi.DockerBuildResource), false); err != nil {

 		t.Error(err)

 	}

-}

-

-func removeBuildStrategyPrivileges(t *testing.T, clusterRoleInterface client.ClusterRoleInterface, roleName string) {

-	role, err := clusterRoleInterface.Get(roleName)

-	if err != nil {

-		t.Errorf("unexpected error: %v", err)

-	}

-

-	for i := range role.Rules {

-		role.Rules[i].Resources.Delete(authorizationapi.DockerBuildResource, authorizationapi.SourceBuildResource, authorizationapi.CustomBuildResource)

+	if err := testutil.WaitForPolicyUpdate(projectEditorClient, testutil.Namespace(), "create", buildapi.Resource(authorizationapi.SourceBuildResource), false); err != nil {

+		t.Error(err)

 	}

-	if _, err := clusterRoleInterface.Update(role); err != nil {

-		t.Errorf("unexpected error: %v", err)

+	if err := testutil.WaitForPolicyUpdate(projectEditorClient, testutil.Namespace(), "create", buildapi.Resource(authorizationapi.CustomBuildResource), false); err != nil {

+		t.Error(err)

 	}

-

 }

-func strategyForType(strategy string) buildapi.BuildStrategy {

+func strategyForType(t *testing.T, strategy string) buildapi.BuildStrategy {

 	buildStrategy := buildapi.BuildStrategy{}

 	switch strategy {

 	case "docker":

@@ -239,6 +236,8 @@ func strategyForType(strategy string) buildapi.BuildStrategy {

 	case "source":

 		buildStrategy.SourceStrategy = &buildapi.SourceBuildStrategy{}

 		buildStrategy.SourceStrategy.From.Name = "builderimage:latest"

+	default:

+		t.Fatalf("unknown strategy: %#v", strategy)

 	}

 	return buildStrategy

 }

@@ -246,7 +245,7 @@ func strategyForType(strategy string) buildapi.BuildStrategy {

 func createBuild(t *testing.T, buildInterface client.BuildInterface, strategy string) (*buildapi.Build, error) {

 	build := &buildapi.Build{}

 	build.GenerateName = strings.ToLower(string(strategy)) + "-build-"

-	build.Spec.Strategy = strategyForType(strategy)

+	build.Spec.Strategy = strategyForType(t, strategy)

 	build.Spec.Source.Git = &buildapi.GitBuildSource{URI: "example.org"}

 	return buildInterface.Create(build)

@@ -260,7 +259,7 @@ func updateBuild(t *testing.T, buildInterface client.BuildInterface, build *buil

 func createBuildConfig(t *testing.T, buildConfigInterface client.BuildConfigInterface, strategy string) (*buildapi.BuildConfig, error) {

 	buildConfig := &buildapi.BuildConfig{}

 	buildConfig.GenerateName = strings.ToLower(string(strategy)) + "-buildconfig-"

-	buildConfig.Spec.Strategy = strategyForType(strategy)

+	buildConfig.Spec.Strategy = strategyForType(t, strategy)

 	buildConfig.Spec.Source.Git = &buildapi.GitBuildSource{URI: "example.org"}

 	return buildConfigInterface.Create(buildConfig)