@@ -7,85 +7,85 @@ import (

 // NEVER TOUCH ANYTHING IN THIS FILE!

 const (

-	// ResourceGroupPrefix is the prefix for indicating that a resource entry is actually a group of resources.  The groups are defined in code and indicate resources that are commonly permissioned together

-	ResourceGroupPrefix = "resourcegroup:"

-	BuildGroupName      = ResourceGroupPrefix + "builds"

-	DeploymentGroupName = ResourceGroupPrefix + "deployments"

-	ImageGroupName      = ResourceGroupPrefix + "images"

-	OAuthGroupName      = ResourceGroupPrefix + "oauth"

-	UserGroupName       = ResourceGroupPrefix + "users"

-	TemplateGroupName   = ResourceGroupPrefix + "templates"

-	SDNGroupName        = ResourceGroupPrefix + "sdn"

-	// PolicyOwnerGroupName includes the physical resources behind the PermissionGrantingGroupName.  Unless these physical objects are created first, users with privileges to PermissionGrantingGroupName will

+	// resourceGroupPrefix is the prefix for indicating that a resource entry is actually a group of resources.  The groups are defined in code and indicate resources that are commonly permissioned together

+	resourceGroupPrefix = "resourcegroup:"

+	buildGroupName      = resourceGroupPrefix + "builds"

+	deploymentGroupName = resourceGroupPrefix + "deployments"

+	imageGroupName      = resourceGroupPrefix + "images"

+	oauthGroupName      = resourceGroupPrefix + "oauth"

+	userGroupName       = resourceGroupPrefix + "users"

+	templateGroupName   = resourceGroupPrefix + "templates"

+	sdnGroupName        = resourceGroupPrefix + "sdn"

+	// policyOwnerGroupName includes the physical resources behind the permissionGrantingGroupName.  Unless these physical objects are created first, users with privileges to permissionGrantingGroupName will

 	// only be able to bind to global roles

-	PolicyOwnerGroupName = ResourceGroupPrefix + "policy"

-	// PermissionGrantingGroupName includes resources that are necessary to maintain authorization roles and bindings.  By itself, this group is insufficient to create anything except for bindings

+	policyOwnerGroupName = resourceGroupPrefix + "policy"

+	// permissionGrantingGroupName includes resources that are necessary to maintain authorization roles and bindings.  By itself, this group is insufficient to create anything except for bindings

 	// to master roles.  If a local Policy already exists, then privileges to this group will allow for modification of local roles.

-	PermissionGrantingGroupName = ResourceGroupPrefix + "granter"

-	// OpenshiftExposedGroupName includes resources that are commonly viewed and modified by end users of the system.  It does not include any sensitive resources that control authentication or authorization

-	OpenshiftExposedGroupName = ResourceGroupPrefix + "exposedopenshift"

-	OpenshiftAllGroupName     = ResourceGroupPrefix + "allopenshift"

-	OpenshiftStatusGroupName  = ResourceGroupPrefix + "allopenshift-status"

+	permissionGrantingGroupName = resourceGroupPrefix + "granter"

+	// openshiftExposedGroupName includes resources that are commonly viewed and modified by end users of the system.  It does not include any sensitive resources that control authentication or authorization

+	openshiftExposedGroupName = resourceGroupPrefix + "exposedopenshift"

+	openshiftAllGroupName     = resourceGroupPrefix + "allopenshift"

+	openshiftStatusGroupName  = resourceGroupPrefix + "allopenshift-status"

-	QuotaGroupName = ResourceGroupPrefix + "quota"

-	// KubeInternalsGroupName includes those resources that should reasonably be viewable to end users, but that most users should probably not modify.  Kubernetes herself will maintain these resources

-	KubeInternalsGroupName = ResourceGroupPrefix + "privatekube"

-	// KubeExposedGroupName includes resources that are commonly viewed and modified by end users of the system.

-	KubeExposedGroupName = ResourceGroupPrefix + "exposedkube"

-	KubeAllGroupName     = ResourceGroupPrefix + "allkube"

-	KubeStatusGroupName  = ResourceGroupPrefix + "allkube-status"

+	quotaGroupName = resourceGroupPrefix + "quota"

+	// kubeInternalsGroupName includes those resources that should reasonably be viewable to end users, but that most users should probably not modify.  Kubernetes herself will maintain these resources

+	kubeInternalsGroupName = resourceGroupPrefix + "privatekube"

+	// kubeExposedGroupName includes resources that are commonly viewed and modified by end users of the system.

+	kubeExposedGroupName = resourceGroupPrefix + "exposedkube"

+	kubeAllGroupName     = resourceGroupPrefix + "allkube"

+	kubeStatusGroupName  = resourceGroupPrefix + "allkube-status"

-	// NonEscalatingResourcesGroupName contains all resources that can be viewed without exposing the risk of using view rights to locate a secret to escalate privileges.  For example, view

+	// nonescalatingResourcesGroupName contains all resources that can be viewed without exposing the risk of using view rights to locate a secret to escalate privileges.  For example, view

 	// rights on secrets could be used locate a secret that happened to be  serviceaccount token that has more privileges

-	NonEscalatingResourcesGroupName         = ResourceGroupPrefix + "non-escalating"

-	KubeNonEscalatingViewableGroupName      = ResourceGroupPrefix + "kube-non-escalating"

-	OpenshiftNonEscalatingViewableGroupName = ResourceGroupPrefix + "openshift-non-escalating"

+	nonescalatingResourcesGroupName         = resourceGroupPrefix + "non-escalating"

+	kubeNonEscalatingViewableGroupName      = resourceGroupPrefix + "kube-non-escalating"

+	openshiftNonEscalatingViewableGroupName = resourceGroupPrefix + "openshift-non-escalating"

-	// EscalatingResourcesGroupName contains all resources that can be used to escalate privileges when simply viewed

-	EscalatingResourcesGroupName         = ResourceGroupPrefix + "escalating"

-	KubeEscalatingViewableGroupName      = ResourceGroupPrefix + "kube-escalating"

-	OpenshiftEscalatingViewableGroupName = ResourceGroupPrefix + "openshift-escalating"

+	// escalatingResourcesGroupName contains all resources that can be used to escalate privileges when simply viewed

+	escalatingResourcesGroupName         = resourceGroupPrefix + "escalating"

+	kubeEscalatingViewableGroupName      = resourceGroupPrefix + "kube-escalating"

+	openshiftEscalatingViewableGroupName = resourceGroupPrefix + "openshift-escalating"

 )

 var (

-	GroupsToResources = map[string][]string{

-		BuildGroupName:       {"builds", "buildconfigs", "buildlogs", "buildconfigs/instantiate", "buildconfigs/instantiatebinary", "builds/log", "builds/clone", "buildconfigs/webhooks"},

-		ImageGroupName:       {"imagestreams", "imagestreammappings", "imagestreamtags", "imagestreamimages", "imagestreamimports"},

-		DeploymentGroupName:  {"deploymentconfigs", "generatedeploymentconfigs", "deploymentconfigrollbacks", "deploymentconfigs/log", "deploymentconfigs/scale"},

-		SDNGroupName:         {"clusternetworks", "hostsubnets", "netnamespaces"},

-		TemplateGroupName:    {"templates", "templateconfigs", "processedtemplates"},

-		UserGroupName:        {"identities", "users", "useridentitymappings", "groups"},

-		OAuthGroupName:       {"oauthauthorizetokens", "oauthaccesstokens", "oauthclients", "oauthclientauthorizations"},

-		PolicyOwnerGroupName: {"policies", "policybindings"},

+	groupsToResources = map[string][]string{

+		buildGroupName:       {"builds", "buildconfigs", "buildlogs", "buildconfigs/instantiate", "buildconfigs/instantiatebinary", "builds/log", "builds/clone", "buildconfigs/webhooks"},

+		imageGroupName:       {"imagestreams", "imagestreammappings", "imagestreamtags", "imagestreamimages", "imagestreamimports"},

+		deploymentGroupName:  {"deploymentconfigs", "generatedeploymentconfigs", "deploymentconfigrollbacks", "deploymentconfigs/log", "deploymentconfigs/scale"},

+		sdnGroupName:         {"clusternetworks", "hostsubnets", "netnamespaces"},

+		templateGroupName:    {"templates", "templateconfigs", "processedtemplates"},

+		userGroupName:        {"identities", "users", "useridentitymappings", "groups"},

+		oauthGroupName:       {"oauthauthorizetokens", "oauthaccesstokens", "oauthclients", "oauthclientauthorizations"},

+		policyOwnerGroupName: {"policies", "policybindings"},

 		// RAR and SAR are in this list to support backwards compatibility with clients that expect access to those resource in a namespace scope and a cluster scope.

 		// TODO remove once we have eliminated the namespace scoped resource.

-		PermissionGrantingGroupName: {"roles", "rolebindings", "resourceaccessreviews" /* cluster scoped*/, "subjectaccessreviews" /* cluster scoped*/, "localresourceaccessreviews", "localsubjectaccessreviews"},

-		OpenshiftExposedGroupName:   {BuildGroupName, ImageGroupName, DeploymentGroupName, TemplateGroupName, "routes"},

-		OpenshiftAllGroupName: {OpenshiftExposedGroupName, UserGroupName, OAuthGroupName, PolicyOwnerGroupName, SDNGroupName, PermissionGrantingGroupName, OpenshiftStatusGroupName, "projects",

+		permissionGrantingGroupName: {"roles", "rolebindings", "resourceaccessreviews" /* cluster scoped*/, "subjectaccessreviews" /* cluster scoped*/, "localresourceaccessreviews", "localsubjectaccessreviews"},

+		openshiftExposedGroupName:   {buildGroupName, imageGroupName, deploymentGroupName, templateGroupName, "routes"},

+		openshiftAllGroupName: {openshiftExposedGroupName, userGroupName, oauthGroupName, policyOwnerGroupName, sdnGroupName, permissionGrantingGroupName, openshiftStatusGroupName, "projects",

 			"clusterroles", "clusterrolebindings", "clusterpolicies", "clusterpolicybindings", "images" /* cluster scoped*/, "projectrequests", "builds/details", "imagestreams/secrets",

 			"selfsubjectrulesreviews"},

-		OpenshiftStatusGroupName: {"imagestreams/status", "routes/status", "deploymentconfigs/status"},

+		openshiftStatusGroupName: {"imagestreams/status", "routes/status", "deploymentconfigs/status"},

-		QuotaGroupName:         {"limitranges", "resourcequotas", "resourcequotausages"},

-		KubeExposedGroupName:   {"pods", "replicationcontrollers", "serviceaccounts", "services", "endpoints", "persistentvolumeclaims", "pods/log", "configmaps"},

-		KubeInternalsGroupName: {"minions", "nodes", "bindings", "events", "namespaces", "persistentvolumes", "securitycontextconstraints"},

-		KubeAllGroupName:       {KubeInternalsGroupName, KubeExposedGroupName, QuotaGroupName},

-		KubeStatusGroupName:    {"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status"},

+		quotaGroupName:         {"limitranges", "resourcequotas", "resourcequotausages"},

+		kubeExposedGroupName:   {"pods", "replicationcontrollers", "serviceaccounts", "services", "endpoints", "persistentvolumeclaims", "pods/log", "configmaps"},

+		kubeInternalsGroupName: {"minions", "nodes", "bindings", "events", "namespaces", "persistentvolumes", "securitycontextconstraints"},

+		kubeAllGroupName:       {kubeInternalsGroupName, kubeExposedGroupName, quotaGroupName},

+		kubeStatusGroupName:    {"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status"},

-		OpenshiftEscalatingViewableGroupName: {"oauthauthorizetokens", "oauthaccesstokens", "imagestreams/secrets"},

-		KubeEscalatingViewableGroupName:      {"secrets"},

-		EscalatingResourcesGroupName:         {OpenshiftEscalatingViewableGroupName, KubeEscalatingViewableGroupName},

+		openshiftEscalatingViewableGroupName: {"oauthauthorizetokens", "oauthaccesstokens", "imagestreams/secrets"},

+		kubeEscalatingViewableGroupName:      {"secrets"},

+		escalatingResourcesGroupName:         {openshiftEscalatingViewableGroupName, kubeEscalatingViewableGroupName},

-		NonEscalatingResourcesGroupName: {OpenshiftNonEscalatingViewableGroupName, KubeNonEscalatingViewableGroupName},

+		nonescalatingResourcesGroupName: {openshiftNonEscalatingViewableGroupName, kubeNonEscalatingViewableGroupName},

 	}

 )

 func init() {

 	// set the non-escalating groups

-	GroupsToResources[OpenshiftNonEscalatingViewableGroupName] = NormalizeResources(sets.NewString(GroupsToResources[OpenshiftAllGroupName]...)).

-		Difference(NormalizeResources(sets.NewString(GroupsToResources[OpenshiftEscalatingViewableGroupName]...))).List()

+	groupsToResources[openshiftNonEscalatingViewableGroupName] = NormalizeResources(sets.NewString(groupsToResources[openshiftAllGroupName]...)).

+		Difference(NormalizeResources(sets.NewString(groupsToResources[openshiftEscalatingViewableGroupName]...))).List()

-	GroupsToResources[KubeNonEscalatingViewableGroupName] = NormalizeResources(sets.NewString(GroupsToResources[KubeAllGroupName]...)).

-		Difference(NormalizeResources(sets.NewString(GroupsToResources[KubeEscalatingViewableGroupName]...))).List()

+	groupsToResources[kubeNonEscalatingViewableGroupName] = NormalizeResources(sets.NewString(groupsToResources[kubeAllGroupName]...)).

+		Difference(NormalizeResources(sets.NewString(groupsToResources[kubeEscalatingViewableGroupName]...))).List()

 }

@@ -7,8 +7,8 @@ import (

 )

 func TestEscalating(t *testing.T) {

-	escalatingResources := NormalizeResources(sets.NewString(GroupsToResources[EscalatingResourcesGroupName]...))

-	nonEscalatingResources := NormalizeResources(sets.NewString(GroupsToResources[NonEscalatingResourcesGroupName]...))

+	escalatingResources := NormalizeResources(sets.NewString(groupsToResources[escalatingResourcesGroupName]...))

+	nonEscalatingResources := NormalizeResources(sets.NewString(groupsToResources[nonescalatingResourcesGroupName]...))

 	if len(nonEscalatingResources) <= len(escalatingResources) {

 		t.Errorf("groups look bad: escalating=%v nonescalating=%v", escalatingResources.List(), nonEscalatingResources.List())

 	}

@@ -23,7 +23,7 @@ func TestNormalizeResources(t *testing.T) {

 		{"capA", "capA", "capa"},

 		{"capH", "capH", "caph"},

 		{"capZ", "capZ", "capz"},

-		{"group", BuildGroupName, "builds"},

+		{"group", buildGroupName, "builds"},

 	}

 	for _, test := range tests {

@@ -52,7 +52,7 @@ func TestNeedsNormalization(t *testing.T) {

 		{"/", "/", false},

 		{"-", "-", false},

 		{".", ".", false},

-		{ResourceGroupPrefix, ResourceGroupPrefix, true},

+		{resourceGroupPrefix, resourceGroupPrefix, true},

 	}

 	for _, test := range tests {

@@ -44,12 +44,12 @@ func NormalizeResources(rawResources sets.String) sets.String {

 		}

 		visited.Insert(currResource)

-		if !strings.HasPrefix(currResource, ResourceGroupPrefix) {

+		if !strings.HasPrefix(currResource, resourceGroupPrefix) {

 			ret.Insert(strings.ToLower(currResource))

 			continue

 		}

-		if resourceTypes, exists := GroupsToResources[currResource]; exists {

+		if resourceTypes, exists := groupsToResources[currResource]; exists {

 			toVisit = append(toVisit, resourceTypes...)

 		}

 	}

@@ -58,7 +58,7 @@ func NormalizeResources(rawResources sets.String) sets.String {

 }

 func needsNormalizing(in string) bool {

-	if strings.HasPrefix(in, ResourceGroupPrefix) {

+	if strings.HasPrefix(in, resourceGroupPrefix) {

 		return true

 	}

 	for _, r := range in {

@@ -52,15 +52,10 @@ func GetBootstrapOpenshiftRoles(openshiftNamespace string) []authorizationapi.Ro

 				Namespace: openshiftNamespace,

 			},

 			Rules: []authorizationapi.PolicyRule{

-				{

-					Verbs:     sets.NewString("get", "list"),

-					Resources: sets.NewString("templates", authorizationapi.ImageGroupName),

-				},

-				{

-					// so anyone can pull from openshift/* image streams

-					Verbs:     sets.NewString("get"),

-					Resources: sets.NewString("imagestreams/layers"),

-				},

+				authorizationapi.NewRule(read...).Groups(templateGroup).Resources("templates").RuleOrDie(),

+				authorizationapi.NewRule(read...).Groups(imageGroup).Resources("imagestreams", "imagestreamtags", "imagestreamimages").RuleOrDie(),

+				// so anyone can pull from openshift/* image streams

+				authorizationapi.NewRule("get").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),

 			},

 		},

 	}

@@ -2,7 +2,6 @@ package origin

 import (

 	"reflect"

-	"strings"

 	"testing"

 	"k8s.io/kubernetes/pkg/api"

@@ -11,11 +10,9 @@ import (

 	"k8s.io/kubernetes/pkg/genericapiserver"

 	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"

 	etcdstorage "k8s.io/kubernetes/pkg/storage/etcd"

-	"k8s.io/kubernetes/pkg/util/sets"

 	_ "github.com/openshift/origin/pkg/api/install"

 	"github.com/openshift/origin/pkg/api/validation"

-	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

 	"github.com/openshift/origin/pkg/util/restoptions"

 )

@@ -228,7 +228,7 @@ func TestAuthorizationResolution(t *testing.T) {

 	roleWithGroup.Name = "with-group"

 	roleWithGroup.Rules = append(roleWithGroup.Rules, authorizationapi.PolicyRule{

 		Verbs:     sets.NewString("list"),

-		Resources: sets.NewString(authorizationapi.BuildGroupName),

+		Resources: sets.NewString("resourcegroup:builds"),

 	})

 	if _, err := clusterAdminClient.ClusterRoles().Create(roleWithGroup); err != nil {

 		t.Fatalf("unexpected error: %v", err)

@@ -1143,7 +1143,7 @@ func TestOldLocalResourceAccessReviewEndpoint(t *testing.T) {

 		expectedResponse := &authorizationapi.ResourceAccessReviewResponse{

 			Namespace: namespace,

 			Users:     sets.NewString("harold", "system:serviceaccount:hammer-project:builder", "system:serviceaccount:openshift-infra:namespace-controller", "system:admin"),

-			Groups:    sets.NewString("system:cluster-admins", "system:masters", "system:serviceaccounts:hammer-project"),

+			Groups:    sets.NewString("system:cluster-admins", "system:masters", "system:cluster-readers", "system:serviceaccounts:hammer-project"),

 		}

 		if (actualResponse.Namespace != expectedResponse.Namespace) ||

 			!reflect.DeepEqual(actualResponse.Users.List(), expectedResponse.Users.List()) ||

@@ -1170,7 +1170,7 @@ func TestOldLocalResourceAccessReviewEndpoint(t *testing.T) {

 		expectedResponse := &authorizationapi.ResourceAccessReviewResponse{

 			Namespace: namespace,

 			Users:     sets.NewString("harold", "system:serviceaccount:hammer-project:builder", "system:serviceaccount:openshift-infra:namespace-controller", "system:admin"),

-			Groups:    sets.NewString("system:cluster-admins", "system:masters", "system:serviceaccounts:hammer-project"),

+			Groups:    sets.NewString("system:cluster-admins", "system:masters", "system:cluster-readers", "system:serviceaccounts:hammer-project"),

 		}

 		if (actualResponse.Namespace != expectedResponse.Namespace) ||

 			!reflect.DeepEqual(actualResponse.Users.List(), expectedResponse.Users.List()) ||

@@ -7,19 +7,28 @@ items:

     name: shared-resource-viewer

     namespace: openshift

   rules:

-  - apiGroups: null

+  - apiGroups:

+    - ""

+    attributeRestrictions: null

+    resources:

+    - templates

+    verbs:

+    - get

+    - list

+    - watch

+  - apiGroups:

+    - ""

     attributeRestrictions: null

     resources:

     - imagestreamimages

-    - imagestreamimports

-    - imagestreammappings

     - imagestreams

     - imagestreamtags

-    - templates

     verbs:

     - get

     - list

-  - apiGroups: null

+    - watch

+  - apiGroups:

+    - ""

     attributeRestrictions: null

     resources:

     - imagestreams/layers