@@ -6,6 +6,7 @@ import (

 	// we have a strong dependency on kube objects for deployments and scale

 	_ "k8s.io/kubernetes/pkg/api/install"

+	_ "k8s.io/kubernetes/pkg/apis/authentication/install"

 	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install"

 	_ "k8s.io/kubernetes/pkg/apis/batch/install"

 	_ "k8s.io/kubernetes/pkg/apis/extensions/install"

new file mode 100644

@@ -0,0 +1,52 @@

+package remotetokenreview

+

+import (

+	"errors"

+

+	"k8s.io/kubernetes/pkg/apis/authentication"

+	"k8s.io/kubernetes/pkg/auth/user"

+	unversionedauthentication "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authentication/unversioned"

+)

+

+type Authenticator struct {

+	authenticationClient unversionedauthentication.TokenReviewsGetter

+}

+

+// NewAuthenticator authenticates by doing a tokenreview

+func NewAuthenticator(authenticationClient unversionedauthentication.TokenReviewsGetter) (*Authenticator, error) {

+	return &Authenticator{

+		authenticationClient: authenticationClient,

+	}, nil

+}

+

+func (a *Authenticator) AuthenticateToken(value string) (user.Info, bool, error) {

+	if len(value) == 0 {

+		return nil, false, nil

+	}

+	tokenReview := &authentication.TokenReview{}

+	tokenReview.Spec.Token = value

+

+	response, err := a.authenticationClient.TokenReviews().Create(tokenReview)

+	if err != nil {

+		return nil, false, err

+	}

+

+	if len(response.Status.Error) > 0 {

+		return nil, false, errors.New(response.Status.Error)

+	}

+	if !response.Status.Authenticated {

+		return nil, false, nil

+	}

+

+	userInfo := &user.DefaultInfo{

+		Name:   response.Status.User.Username,

+		UID:    response.Status.User.UID,

+		Groups: response.Status.User.Groups,

+		Extra:  map[string][]string{},

+	}

+	for k, v := range response.Status.User.Extra {

+		userInfo.Extra[k] = v

+	}

+

+	return userInfo, true, nil

+}

@@ -15,8 +15,7 @@ var _ = kauthorizer.Attributes(AdapterAttributes{})

 // AdapterAttributes satisfies k8s authorizer.Attributes interfaces

 type AdapterAttributes struct {

 	namespace               string

-	userName                string

-	groups                  []string

+	user                    user.Info

 	authorizationAttributes oauthorizer.AuthorizationAttributes

 }

@@ -26,10 +25,7 @@ func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oa

 	// Build a context to hold the namespace and user info

 	ctx := kapi.NewContext()

 	ctx = kapi.WithNamespace(ctx, kattrs.GetNamespace())

-	ctx = kapi.WithUser(ctx, &user.DefaultInfo{

-		Name:   kattrs.GetUserName(),

-		Groups: kattrs.GetGroups(),

-	})

+	ctx = kapi.WithUser(ctx, kattrs.GetUser())

 	// If we recognize the type, use the embedded type.  Do NOT use it directly, because not all things that quack are ducks.

 	if castAdapterAttributes, ok := kattrs.(AdapterAttributes); ok {

@@ -59,11 +55,10 @@ func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oa

 // KubernetesAuthorizerAttributes adapts Origin authorization attributes to Kubernetes authorization attributes

 // The returned attributes can be passed to OriginAuthorizerAttributes to access extra information from the Origin attributes interface

-func KubernetesAuthorizerAttributes(namespace string, userName string, groups []string, oattrs oauthorizer.AuthorizationAttributes) kauthorizer.Attributes {

+func KubernetesAuthorizerAttributes(namespace string, user user.Info, oattrs oauthorizer.AuthorizationAttributes) kauthorizer.Attributes {

 	return AdapterAttributes{

-		namespace:               namespace,

-		userName:                userName,

-		groups:                  groups,

+		namespace: namespace,

+		user:      user,

 		authorizationAttributes: oattrs,

 	}

 }

@@ -108,14 +103,8 @@ func (a AdapterAttributes) GetResource() string {

 // GetUserName satisfies the kubernetes authorizer.Attributes interface

 // origin gets this value from the request context

-func (a AdapterAttributes) GetUserName() string {

-	return a.userName

-}

-

-// GetGroups satisfies the kubernetes authorizer.Attributes interface

-// origin gets this value from the request context

-func (a AdapterAttributes) GetGroups() []string {

-	return a.groups

+func (a AdapterAttributes) GetUser() user.Info {

+	return a.user

 }

 // IsReadOnly satisfies the kubernetes authorizer.Attributes interface based on the verb

@@ -6,6 +6,7 @@ import (

 	kapi "k8s.io/kubernetes/pkg/api"

 	kauthorizer "k8s.io/kubernetes/pkg/auth/authorizer"

+	"k8s.io/kubernetes/pkg/auth/user"

 	"k8s.io/kubernetes/pkg/util/sets"

 	oauthorizer "github.com/openshift/origin/pkg/authorization/authorizer"

@@ -28,12 +29,12 @@ func TestRoundTrip(t *testing.T) {

 	}

 	// Convert to kube attributes

-	kattrs := KubernetesAuthorizerAttributes("ns", "myuser", []string{"mygroup"}, oattrs)

-	if kattrs.GetUserName() != "myuser" {

-		t.Errorf("Expected %v, got %v", "myuser", kattrs.GetUserName())

+	kattrs := KubernetesAuthorizerAttributes("ns", &user.DefaultInfo{Name: "myuser", Groups: []string{"mygroup"}}, oattrs)

+	if kattrs.GetUser().GetName() != "myuser" {

+		t.Errorf("Expected %v, got %v", "myuser", kattrs.GetUser().GetName())

 	}

-	if !reflect.DeepEqual(kattrs.GetGroups(), []string{"mygroup"}) {

-		t.Errorf("Expected %v, got %v", []string{"mygroup"}, kattrs.GetGroups())

+	if !reflect.DeepEqual(kattrs.GetUser().GetGroups(), []string{"mygroup"}) {

+		t.Errorf("Expected %v, got %v", []string{"mygroup"}, kattrs.GetUser().GetGroups())

 	}

 	if kattrs.GetVerb() != "get" {

 		t.Errorf("Expected %v, got %v", "get", kattrs.GetVerb())

@@ -104,7 +105,7 @@ func TestAttributeIntersection(t *testing.T) {

 	// Everything in this list should be used by OriginAuthorizerAttributes or derivative (like IsReadOnly)

 	expectedKubernetesOnly := sets.NewString(

 		// used to build context in OriginAuthorizerAttributes

-		"GetGroups", "GetUserName", "GetNamespace",

+		"GetUser", "GetNamespace",

 		// Based on verb, derivative

 		"IsReadOnly",

 		// Non-matching, but used

@@ -14,6 +14,7 @@ import (

 	utilruntime "k8s.io/kubernetes/pkg/util/runtime"

 	"k8s.io/kubernetes/pkg/util/sets"

+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

 	"github.com/openshift/origin/pkg/authorization/authorizer"

 )

@@ -144,6 +145,7 @@ func cacheKey(ctx kapi.Context, a authorizer.AuthorizationAttributes) (string, e

 	if user, ok := kapi.UserFrom(ctx); ok {

 		keyData["user"] = user.GetName()

 		keyData["groups"] = user.GetGroups()

+		keyData["scopes"] = user.GetExtra()[authorizationapi.ScopesKey]

 	}

 	key, err := json.Marshal(keyData)

@@ -48,7 +48,7 @@ func TestCacheKey(t *testing.T) {

 				NonResourceURL:    true,

 				URL:               "/abc",

 			},

-			ExpectedKey: `{"apiGroup":"ag","apiVersion":"av","groups":["group1","group2"],"namespace":"myns","nonResourceURL":true,"resource":"r","resourceName":"rn","url":"/abc","user":"me","verb":"v"}`,

+			ExpectedKey: `{"apiGroup":"ag","apiVersion":"av","groups":["group1","group2"],"namespace":"myns","nonResourceURL":true,"resource":"r","resourceName":"rn","scopes":null,"url":"/abc","user":"me","verb":"v"}`,

 		},

 	}

@@ -39,21 +39,23 @@ var (

 	// exposed externally.

 	DeadOpenShiftStorageVersionLevels = []string{"v1beta1", "v1beta3"}

-	APIGroupKube        = ""

-	APIGroupExtensions  = "extensions"

-	APIGroupAutoscaling = "autoscaling"

-	APIGroupBatch       = "batch"

-	APIGroupPolicy      = "policy"

-	APIGroupApps        = "apps"

-	APIGroupFederation  = "federation"

+	APIGroupKube           = ""

+	APIGroupExtensions     = "extensions"

+	APIGroupAutoscaling    = "autoscaling"

+	APIGroupAuthentication = "authentication.k8s.io"

+	APIGroupBatch          = "batch"

+	APIGroupPolicy         = "policy"

+	APIGroupApps           = "apps"

+	APIGroupFederation     = "federation"

 	// Map of group names to allowed REST API versions

 	KubeAPIGroupsToAllowedVersions = map[string][]string{

-		APIGroupKube:        {"v1"},

-		APIGroupExtensions:  {"v1beta1"},

-		APIGroupAutoscaling: {"v1"},

-		APIGroupBatch:       {"v1", "v2alpha1"},

-		APIGroupApps:        {"v1alpha1"},

+		APIGroupKube:           {"v1"},

+		APIGroupExtensions:     {"v1beta1"},

+		APIGroupAutoscaling:    {"v1"},

+		APIGroupAuthentication: {"v1beta1"},

+		APIGroupBatch:          {"v1", "v2alpha1"},

+		APIGroupApps:           {"v1alpha1"},

 		// TODO: enable as part of a separate binary

 		//APIGroupFederation:  {"v1beta1"},

 	}

@@ -154,6 +154,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 				// permissions to check access.  These creates are non-mutating

 				authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "resourceaccessreviews",

 					"selfsubjectrulesreviews", "subjectaccessreviews").RuleOrDie(),

+				authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(),

 				// Allow read access to node metrics

 				authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource).RuleOrDie(),

 				// Allow read access to stats

@@ -543,6 +544,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

 			},

 			Rules: []authorizationapi.PolicyRule{

 				// Needed to check API access.  These creates are non-mutating

+				authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(),

 				authorizationapi.NewRule("create").Groups(authzGroup).Resources("subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(),

 				// Needed to build serviceLister, to populate env vars for services

 				authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("services").RuleOrDie(),

@@ -21,6 +21,7 @@ import (

 	"k8s.io/kubernetes/pkg/apis/batch"

 	"k8s.io/kubernetes/pkg/apis/extensions"

 	"k8s.io/kubernetes/pkg/apiserver"

+	"k8s.io/kubernetes/pkg/auth/authenticator"

 	kclient "k8s.io/kubernetes/pkg/client/unversioned"

 	"k8s.io/kubernetes/pkg/cloudprovider"

 	"k8s.io/kubernetes/pkg/genericapiserver"

@@ -53,7 +54,7 @@ type MasterConfig struct {

 	Informers shared.InformerFactory

 }

-func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextMapper kapi.RequestContextMapper, kubeClient *kclient.Client, informers shared.InformerFactory, admissionControl admission.Interface) (*MasterConfig, error) {

+func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextMapper kapi.RequestContextMapper, kubeClient *kclient.Client, informers shared.InformerFactory, admissionControl admission.Interface, originAuthenticator authenticator.Request) (*MasterConfig, error) {

 	if options.KubernetesMasterConfig == nil {

 		return nil, errors.New("insufficient information to build KubernetesMasterConfig")

 	}

@@ -197,6 +198,7 @@ func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextM

 			PublicAddress: publicAddress,

 			ReadWritePort: port,

+			Authenticator:    originAuthenticator, // this is used to fulfill the tokenreviews endpoint which is used by node authentication

 			Authorizer:       apiserver.NewAlwaysAllowAuthorizer(),

 			AdmissionControl: admissionControl,

@@ -11,7 +11,7 @@ import (

 	"k8s.io/kubernetes/pkg/auth/authenticator"

 	kauthorizer "k8s.io/kubernetes/pkg/auth/authorizer"

 	"k8s.io/kubernetes/pkg/auth/user"

-	"k8s.io/kubernetes/pkg/client/restclient"

+	unversionedauthentication "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authentication/unversioned"

 	oauthenticator "github.com/openshift/origin/pkg/auth/authenticator"

 	"github.com/openshift/origin/pkg/auth/authenticator/anonymous"

@@ -19,7 +19,7 @@ import (

 	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"

 	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"

 	authncache "github.com/openshift/origin/pkg/auth/authenticator/token/cache"

-	authnremote "github.com/openshift/origin/pkg/auth/authenticator/token/remotemaster"

+	authnremote "github.com/openshift/origin/pkg/auth/authenticator/token/remotetokenreview"

 	"github.com/openshift/origin/pkg/auth/group"

 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

 	oauthorizer "github.com/openshift/origin/pkg/authorization/authorizer"

@@ -30,7 +30,7 @@ import (

 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"

 )

-func newAuthenticator(clientCAs *x509.CertPool, anonymousConfig restclient.Config, cacheTTL time.Duration, cacheSize int) (authenticator.Request, error) {

+func newAuthenticator(authenticationClient unversionedauthentication.TokenReviewsGetter, clientCAs *x509.CertPool, cacheTTL time.Duration, cacheSize int) (authenticator.Request, error) {

 	authenticators := []oauthenticator.Request{}

 	// API token auth

@@ -39,7 +39,7 @@ func newAuthenticator(clientCAs *x509.CertPool, anonymousConfig restclient.Confi

 		err                error

 	)

 	// Authenticate against the remote master

-	tokenAuthenticator, err = authnremote.NewAuthenticator(anonymousConfig)

+	tokenAuthenticator, err = authnremote.NewAuthenticator(authenticationClient)

 	if err != nil {

 		return nil, err

 	}

@@ -107,8 +107,6 @@ func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt

 	}

 	namespace := ""

-	userName := u.GetName()

-	groups := u.GetGroups()

 	apiVerb := ""

 	switch r.Method {

@@ -139,9 +137,9 @@ func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt

 	}

 	// TODO: handle other things like /healthz/*? not sure if "non-resource" urls on the kubelet make sense to authorize against master non-resource URL policy

-	glog.V(2).Infof("Node request attributes: namespace=%s, user=%s, groups=%v, attrs=%#v", namespace, userName, groups, attrs)

+	glog.V(2).Infof("Node request attributes: namespace=%s, user=%#v, attrs=%#v", namespace, u, attrs)

-	return authzadapter.KubernetesAuthorizerAttributes(namespace, userName, groups, attrs)

+	return authzadapter.KubernetesAuthorizerAttributes(namespace, u, attrs)

 }

 func newAuthorizer(c *oclient.Client, cacheTTL time.Duration, cacheSize int) (kauthorizer.Authorizer, error) {

@@ -31,7 +31,6 @@ import (

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

 	"github.com/openshift/origin/pkg/cmd/server/crypto"

 	cmdutil "github.com/openshift/origin/pkg/cmd/util"

-	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

 	cmdflags "github.com/openshift/origin/pkg/cmd/util/flags"

 	"github.com/openshift/origin/pkg/cmd/util/variable"

 	"github.com/openshift/origin/pkg/dns"

@@ -82,7 +81,7 @@ type NodeConfig struct {

 }

 func BuildKubernetesNodeConfig(options configapi.NodeConfig, enableProxy, enableDNS bool) (*NodeConfig, error) {

-	originClient, osClientConfig, err := configapi.GetOpenShiftClient(options.MasterKubeConfig)

+	originClient, _, err := configapi.GetOpenShiftClient(options.MasterKubeConfig)

 	if err != nil {

 		return nil, err

 	}

@@ -213,7 +212,7 @@ func BuildKubernetesNodeConfig(options configapi.NodeConfig, enableProxy, enable

 	if err != nil {

 		return nil, err

 	}

-	authn, err := newAuthenticator(clientCAs, clientcmd.AnonymousClientConfig(osClientConfig), authnTTL, options.AuthConfig.AuthenticationCacheSize)

+	authn, err := newAuthenticator(cfg.KubeClient.Authentication(), clientCAs, authnTTL, options.AuthConfig.AuthenticationCacheSize)

 	if err != nil {

 		return nil, err

 	}

@@ -336,7 +336,7 @@ func BuildKubernetesMasterConfig(openshiftConfig *origin.MasterConfig) (*kuberne

 	if openshiftConfig.Options.KubernetesMasterConfig == nil {

 		return nil, nil

 	}

-	kubeConfig, err := kubernetes.BuildKubernetesMasterConfig(openshiftConfig.Options, openshiftConfig.RequestContextMapper, openshiftConfig.KubeClient(), openshiftConfig.Informers, openshiftConfig.KubeAdmissionControl)

+	kubeConfig, err := kubernetes.BuildKubernetesMasterConfig(openshiftConfig.Options, openshiftConfig.RequestContextMapper, openshiftConfig.KubeClient(), openshiftConfig.Informers, openshiftConfig.KubeAdmissionControl, openshiftConfig.Authenticator)

 	return kubeConfig, err

 }

@@ -12,10 +12,13 @@ import (

 	"k8s.io/kubernetes/pkg/client/restclient"

 	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"

+	"github.com/openshift/origin/pkg/authorization/authorizer/scope"

 	"github.com/openshift/origin/pkg/cmd/admin/policy"

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"

+	"github.com/openshift/origin/pkg/cmd/server/origin"

 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

+	oauthapi "github.com/openshift/origin/pkg/oauth/api"

 	testutil "github.com/openshift/origin/test/util"

 	testserver "github.com/openshift/origin/test/util/server"

 )

@@ -71,6 +74,25 @@ func TestNodeAuth(t *testing.T) {

 		t.Fatalf("unexpected error: %v", err)

 	}

+	// create a scoped token for bob that is only good for getting user info

+	bobUser, err := bobClient.Users().Get("~")

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	whoamiOnlyBobToken := &oauthapi.OAuthAccessToken{

+		ObjectMeta: kapi.ObjectMeta{Name: "whoami-token-plus-some-padding-here-to-make-the-limit"},

+		ClientName: origin.OpenShiftCLIClientID,

+		ExpiresIn:  200,

+		Scopes:     []string{scope.UserIndicator + scope.UserInfo},

+		UserName:   bobUser.Name,

+		UserUID:    string(bobUser.UID),

+	}

+	if _, err := originAdminClient.OAuthAccessTokens().Create(whoamiOnlyBobToken); err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	_, _, bobWhoamiOnlyConfig, err := testutil.GetClientForUser(*adminConfig, "bob")

+	bobWhoamiOnlyConfig.BearerToken = whoamiOnlyBobToken.Name

+

 	// Grant sa1 system:cluster-reader, which should let them read metrics and stats

 	addSA1 := &policy.RoleModificationOptions{

 		RoleName:            bootstrappolicy.ClusterReaderRoleName,

@@ -133,6 +155,11 @@ func TestNodeAuth(t *testing.T) {

 			KubeletClientConfig: kubeletClientConfig(bobConfig),

 			NodeViewer:          true,

 		},

+		// bob is normally a viewer, but when using a scoped token, he should end up denied

+		"bob-scoped": {

+			KubeletClientConfig: kubeletClientConfig(bobWhoamiOnlyConfig),

+			Forbidden:           true,

+		},

 		"alice": {

 			KubeletClientConfig: kubeletClientConfig(aliceConfig),

 			Forbidden:           true,

@@ -225,7 +252,7 @@ func TestNodeAuth(t *testing.T) {

 			}

 			resp.Body.Close()

 			if resp.StatusCode != r.Result {

-				t.Errorf("%s: %s: expected %d, got %d", k, r.Path, r.Result, resp.StatusCode)

+				t.Errorf("%s: token=%s %s: expected %d, got %d", k, tc.KubeletClientConfig.BearerToken, r.Path, r.Result, resp.StatusCode)

 				continue

 			}

 		}

@@ -288,6 +288,13 @@ items:

     verbs:

     - create

   - apiGroups:

+    - authentication.k8s.io

+    attributeRestrictions: null

+    resources:

+    - tokenreviews

+    verbs:

+    - create

+  - apiGroups:

     - ""

     attributeRestrictions: null

     resources:

@@ -1729,6 +1736,13 @@ items:

     name: system:node

   rules:

   - apiGroups:

+    - authentication.k8s.io

+    attributeRestrictions: null

+    resources:

+    - tokenreviews

+    verbs:

+    - create

+  - apiGroups:

     - ""

     attributeRestrictions: null

     resources: