@@ -76,6 +76,7 @@ var originTypes = []string{

 	"Project",

 	"User", "UserIdentityMapping",

 	"OAuthClient", "OAuthClientAuthorization", "OAuthAccessToken", "OAuthAuthorizeToken",

+	"Role", "RoleBinding", "Policy", "PolicyBinding",

 }

 // OriginKind returns true if OpenShift owns the kind described in a given apiVersion.

@@ -4,6 +4,7 @@ import (

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

+	_ "github.com/openshift/origin/pkg/authorization/api"

 	_ "github.com/openshift/origin/pkg/build/api"

 	_ "github.com/openshift/origin/pkg/config/api"

 	_ "github.com/openshift/origin/pkg/deploy/api"

@@ -18,6 +18,7 @@ import (

 	osapi "github.com/openshift/origin/pkg/api"

 	_ "github.com/openshift/origin/pkg/api/latest"

 	"github.com/openshift/origin/pkg/api/v1beta1"

+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

 	config "github.com/openshift/origin/pkg/config/api"

 	image "github.com/openshift/origin/pkg/image/api"

 	template "github.com/openshift/origin/pkg/template/api"

@@ -42,6 +43,9 @@ var apiObjectFuzzer = fuzz.New().NilChance(.5).NumElements(1, 1).Funcs(

 		j.APIVersion = ""

 		j.Kind = ""

 	},

+	func(j *runtime.EmbeddedObject, c fuzz.Continue) {

+		// runtime.EmbeddedObject causes a panic inside of fuzz because runtime.Object isn't handled.

+	},

 	func(j *api.ObjectMeta, c fuzz.Continue) {

 		// We have to customize the randomization of TypeMetas because their

 		// APIVersion and Kind must remain blank in memory.

@@ -73,6 +77,13 @@ var apiObjectFuzzer = fuzz.New().NilChance(.5).NumElements(1, 1).Funcs(

 		c.Fuzz(&j.Selector)

 		j.Replicas = int(c.RandUint64())

 	},

+	// Roles and RoleBindings maps are never nil

+	func(j *authorizationapi.Policy, c fuzz.Continue) {

+		j.Roles = make(map[string]authorizationapi.Role)

+	},

+	func(j *authorizationapi.PolicyBinding, c fuzz.Continue) {

+		j.RoleBindings = make(map[string]authorizationapi.RoleBinding)

+	},

 	func(j *template.Template, c fuzz.Continue) {

 		c.Fuzz(&j.ObjectMeta)

 		c.Fuzz(&j.Parameters)

@@ -4,6 +4,7 @@ import (

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

+	_ "github.com/openshift/origin/pkg/authorization/api/v1beta1"

 	_ "github.com/openshift/origin/pkg/build/api/v1beta1"

 	_ "github.com/openshift/origin/pkg/config/api/v1beta1"

 	_ "github.com/openshift/origin/pkg/deploy/api/v1beta1"

new file mode 100644

@@ -0,0 +1,23 @@

+package api

+

+import (

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+)

+

+func init() {

+	api.Scheme.AddKnownTypes("",

+		&Role{},

+		&RoleBinding{},

+		&Policy{},

+		&PolicyBinding{},

+		&PolicyList{},

+		&PolicyBindingList{},

+	)

+}

+

+func (*Role) IsAnAPIObject()              {}

+func (*Policy) IsAnAPIObject()            {}

+func (*PolicyBinding) IsAnAPIObject()     {}

+func (*RoleBinding) IsAnAPIObject()       {}

+func (*PolicyList) IsAnAPIObject()        {}

+func (*PolicyBindingList) IsAnAPIObject() {}

new file mode 100644

@@ -0,0 +1,103 @@

+package api

+

+import (

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	kruntime "github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

+	kutil "github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+)

+

+// Authorization is calculated against

+// 1. all deny RoleBinding PolicyRules in the master namespace - short circuit on match

+// 2. all allow RoleBinding PolicyRules in the master namespace - short circuit on match

+// 3. all deny RoleBinding PolicyRules in the namespace - short circuit on match

+// 4. all allow RoleBinding PolicyRules in the namespace - short circuit on match

+// 5. deny by default

+

+const (

+	// Policy is a singleton and this is its name

+	PolicyName  = "default"

+	ResourceAll = "*"

+	VerbAll     = "*"

+)

+

+// PolicyRule holds information that describes a policy rule, but does not contain information

+// about who the rule applies to or which namespace the rule applies to.

+type PolicyRule struct {

+	// Deny is true if any request matching this rule should be denied.  If false, any request matching this rule is allowed.

+	Deny bool `json:"deny"`

+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.

+	Verbs []string `json:"verbs"`

+	// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.

+	// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.

+	AttributeRestrictions kruntime.EmbeddedObject `json:"attributeRestrictions"`

+	// ResourceKinds is a list of kinds this rule applies to.  ResourceAll represents all kinds.

+	ResourceKinds []string `json:"resourceKinds"`

+}

+

+// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.

+type Role struct {

+	kapi.TypeMeta   `json:",inline"`

+	kapi.ObjectMeta `json:"metadata,omitempty"`

+

+	// Rules holds all the PolicyRules for this Role

+	Rules []PolicyRule `json:"rules"`

+}

+

+// RoleBinding references a Role, but not contain it.  It adds who and namespace information.

+// It can reference any Role in the same namespace or in the global namespace.

+type RoleBinding struct {

+	kapi.TypeMeta   `json:",inline"`

+	kapi.ObjectMeta `json:"metadata,omitempty"`

+

+	// UserNames holds all the usernames directly bound to the role

+	UserNames []string `json:"userNames"`

+	// GroupNames holds all the groups directly bound to the role

+	GroupNames []string `json:"groupNames"`

+

+	// Since Policy is a singleton, this is sufficient knowledge to locate a role

+	// RoleRefs can only reference the current namespace and the global namespace

+	// If the RoleRef cannot be resolved, the Authorizer must return an error.

+	RoleRef kapi.ObjectReference `json:"roleRef"`

+}

+

+// Policy is a object that holds all the Roles for a particular namespace.  There is at most

+// one Policy document per namespace.

+type Policy struct {

+	kapi.TypeMeta   `json:",inline"`

+	kapi.ObjectMeta `json:"metadata,omitempty" `

+

+	// LastModified is the last time that any part of the Policy was created, updated, or deleted

+	LastModified kutil.Time `json:"lastModified"`

+

+	// Roles holds all the Roles held by this Policy, mapped by Role.Name

+	Roles map[string]Role `json:"roles"`

+}

+

+// PolicyBinding is a object that holds all the RoleBindings for a particular namespace.  There is

+// one PolicyBinding document per referenced Policy namespace

+type PolicyBinding struct {

+	kapi.TypeMeta   `json:",inline"`

+	kapi.ObjectMeta `json:"metadata,omitempty"`

+

+	// LastModified is the last time that any part of the PolicyBinding was created, updated, or deleted

+	LastModified kutil.Time `json:"lastModified"`

+

+	// PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's RoleBindings may reference

+	PolicyRef kapi.ObjectReference `json:"policyRef"`

+	// RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name

+	RoleBindings map[string]RoleBinding `json:"roleBindings"`

+}

+

+// PolicyList is a collection of Policies

+type PolicyList struct {

+	kapi.TypeMeta `json:",inline"`

+	kapi.ListMeta `json:"metadata,omitempty"`

+	Items         []Policy `json:"items"`

+}

+

+// PolicyBindingList is a collection of PolicyBindings

+type PolicyBindingList struct {

+	kapi.TypeMeta `json:",inline"`

+	kapi.ListMeta `json:"metadata,omitempty"`

+	Items         []PolicyBinding `json:"items"`

+}

new file mode 100644

@@ -0,0 +1,117 @@

+/*

+Copyright 2014 Google Inc. All rights reserved.

+

+Licensed under the Apache License, Version 2.0 (the "License");

+you may not use this file except in compliance with the License.

+You may obtain a copy of the License at

+

+    http://www.apache.org/licenses/LICENSE-2.0

+

+Unless required by applicable law or agreed to in writing, software

+distributed under the License is distributed on an "AS IS" BASIS,

+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+See the License for the specific language governing permissions and

+limitations under the License.

+*/

+

+package v1beta1

+

+import (

+	"sort"

+

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/conversion"

+

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+	newer "github.com/openshift/origin/pkg/authorization/api"

+)

+

+func init() {

+	err := api.Scheme.AddConversionFuncs(

+		func(in *Policy, out *newer.Policy, s conversion.Scope) error {

+			out.LastModified = in.LastModified

+			out.Roles = make(map[string]newer.Role)

+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)

+		},

+		func(in *newer.Policy, out *Policy, s conversion.Scope) error {

+			out.LastModified = in.LastModified

+			out.Roles = make([]NamedRole, 0, 0)

+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)

+		},

+		func(in *[]NamedRole, out *map[string]newer.Role, s conversion.Scope) error {

+			for _, curr := range *in {

+				newRole := &newer.Role{}

+				if err := s.Convert(&curr.Role, newRole, 0); err != nil {

+					return err

+				}

+				(*out)[curr.Name] = *newRole

+			}

+

+			return nil

+		},

+		func(in *map[string]newer.Role, out *[]NamedRole, s conversion.Scope) error {

+			allKeys := make([]string, 0, len(*in))

+			for key := range *in {

+				allKeys = append(allKeys, key)

+			}

+			sort.Strings(allKeys)

+

+			for _, key := range allKeys {

+				newRole := (*in)[key]

+				oldRole := &Role{}

+				if err := s.Convert(&newRole, oldRole, 0); err != nil {

+					return err

+				}

+

+				namedRole := NamedRole{key, *oldRole}

+				*out = append(*out, namedRole)

+			}

+

+			return nil

+		},

+		func(in *PolicyBinding, out *newer.PolicyBinding, s conversion.Scope) error {

+			out.LastModified = in.LastModified

+			out.RoleBindings = make(map[string]newer.RoleBinding)

+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)

+		},

+		func(in *newer.PolicyBinding, out *PolicyBinding, s conversion.Scope) error {

+			out.LastModified = in.LastModified

+			out.RoleBindings = make([]NamedRoleBinding, 0, 0)

+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)

+		},

+		func(in *[]NamedRoleBinding, out *map[string]newer.RoleBinding, s conversion.Scope) error {

+			for _, curr := range *in {

+				newRoleBinding := &newer.RoleBinding{}

+				if err := s.Convert(&curr.RoleBinding, newRoleBinding, 0); err != nil {

+					return err

+				}

+				(*out)[curr.Name] = *newRoleBinding

+			}

+

+			return nil

+		},

+		func(in *map[string]newer.RoleBinding, out *[]NamedRoleBinding, s conversion.Scope) error {

+			allKeys := make([]string, 0, len(*in))

+			for key := range *in {

+				allKeys = append(allKeys, key)

+			}

+			sort.Strings(allKeys)

+

+			for _, key := range allKeys {

+				newRoleBinding := (*in)[key]

+				oldRoleBinding := &RoleBinding{}

+				if err := s.Convert(&newRoleBinding, oldRoleBinding, 0); err != nil {

+					return err

+				}

+

+				namedRoleBinding := NamedRoleBinding{key, *oldRoleBinding}

+				*out = append(*out, namedRoleBinding)

+			}

+

+			return nil

+		},

+	)

+	if err != nil {

+		// If one of the conversion functions is malformed, detect it immediately.

+		panic(err)

+	}

+}

new file mode 100644

@@ -0,0 +1,23 @@

+package v1beta1

+

+import (

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+)

+

+func init() {

+	api.Scheme.AddKnownTypes("v1beta1",

+		&Role{},

+		&RoleBinding{},

+		&Policy{},

+		&PolicyBinding{},

+		&PolicyList{},

+		&PolicyBindingList{},

+	)

+}

+

+func (*Role) IsAnAPIObject()              {}

+func (*Policy) IsAnAPIObject()            {}

+func (*PolicyBinding) IsAnAPIObject()     {}

+func (*RoleBinding) IsAnAPIObject()       {}

+func (*PolicyList) IsAnAPIObject()        {}

+func (*PolicyBindingList) IsAnAPIObject() {}

new file mode 100644

@@ -0,0 +1,106 @@

+package v1beta1

+

+import (

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api/v1beta3"

+	kruntime "github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

+	kutil "github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+)

+

+// Authorization is calculated against

+// 1. all deny RoleBinding PolicyRules in the master namespace - short circuit on match

+// 2. all allow RoleBinding PolicyRules in the master namespace - short circuit on match

+// 3. all deny RoleBinding PolicyRules in the namespace - short circuit on match

+// 4. all allow RoleBinding PolicyRules in the namespace - short circuit on match

+// 5. deny by default

+

+// PolicyRule holds information that describes a policy rule, but does not contain information

+// about who the rule applies to or which namespace the rule applies to.

+type PolicyRule struct {

+	// Deny is true if any request matching this rule should be denied.  If false, any request matching this rule is allowed.

+	Deny bool `json:"deny"`

+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.

+	Verbs []string `json:"verbs"`

+	// AttributeRestrictions will vary depending on what the Authorizer/AuthorizationAttributeBuilder pair supports.

+	// If the Authorizer does not recognize how to handle the AttributeRestrictions, the Authorizer should report an error.

+	AttributeRestrictions kruntime.RawExtension `json:"attributeRestrictions"`

+	// ResourceKinds is a list of kinds this rule applies to.  ResourceAll represents all kinds.

+	ResourceKinds []string `json:"resourceKinds""`

+}

+

+// Role is a logical grouping of PolicyRules that can be referenced as a unit by RoleBindings.

+type Role struct {

+	kapi.TypeMeta   `json:",inline"`

+	kapi.ObjectMeta `json:"metadata,omitempty"`

+

+	// Rules holds all the PolicyRules for this Role

+	Rules []PolicyRule `json:"rules"`

+}

+

+// RoleBinding references a Role, but not contain it.  It adds who and namespace information.

+// It can reference any Role in the same namespace or in the global namespace.

+type RoleBinding struct {

+	kapi.TypeMeta   `json:",inline"`

+	kapi.ObjectMeta `json:"metadata,omitempty"`

+

+	// UserNames holds all the usernames directly bound to the role

+	UserNames []string `json:"userNames"`

+	// GroupNames holds all the groups directly bound to the role

+	GroupNames []string `json:"groupNames"`

+

+	// Since Policy is a singleton, this is sufficient knowledge to locate a role

+	// RoleRefs can only reference the current namespace and the global namespace

+	// If the RoleRef cannot be resolved, the Authorizer must return an error.

+	RoleRef kapi.ObjectReference `json:"roleRef"`

+}

+

+// Policy is a object that holds all the Roles for a particular namespace.  There is at most

+// one Policy document per namespace.

+type Policy struct {

+	kapi.TypeMeta   `json:",inline"`

+	kapi.ObjectMeta `json:"metadata,omitempty"`

+

+	// LastModified is the last time that any part of the Policy was created, updated, or deleted

+	LastModified kutil.Time `json:"lastModified"`

+

+	// Roles holds all the Roles held by this Policy, mapped by Role.Name

+	Roles []NamedRole `json:"roles"`

+}

+

+// PolicyBinding is a object that holds all the RoleBindings for a particular namespace.  There is

+// one PolicyBinding document per referenced Policy namespace

+type PolicyBinding struct {

+	kapi.TypeMeta   `json:",inline"`

+	kapi.ObjectMeta `json:"metadata,omitempty"`

+

+	// LastModified is the last time that any part of the PolicyBinding was created, updated, or deleted

+	LastModified kutil.Time `json:"lastModified"`

+

+	// PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's RoleBindings may reference

+	PolicyRef kapi.ObjectReference `json:"policyRef"`

+	// RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name

+	RoleBindings []NamedRoleBinding `json:"roleBindings"`

+}

+

+type NamedRole struct {

+	Name string `json:"name"`

+	Role Role   `json:"role"`

+}

+

+type NamedRoleBinding struct {

+	Name        string      `json:"name"`

+	RoleBinding RoleBinding `json:"roleBinding"`

+}

+

+// PolicyList is a collection of Policies

+type PolicyList struct {

+	kapi.TypeMeta `json:",inline"`

+	kapi.ListMeta `json:"metadata,omitempty"`

+	Items         []Policy `json:"items"`

+}

+

+// PolicyBindingList is a collection of PolicyBindings

+type PolicyBindingList struct {

+	kapi.TypeMeta `json:",inline"`

+	kapi.ListMeta `json:"metadata,omitempty"`

+	Items         []PolicyBinding `json:"items"`

+}

new file mode 100644

@@ -0,0 +1,55 @@

+package validation

+

+import (

+	errs "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/validation"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

+

+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

+)

+

+// ValidatePolicyBinding tests required fields for a PolicyBinding.

+func ValidatePolicyBinding(policyBinding *authorizationapi.PolicyBinding) errs.ValidationErrorList {

+	allErrs := errs.ValidationErrorList{}

+

+	if len(policyBinding.Name) == 0 {

+		allErrs = append(allErrs, errs.NewFieldRequired("name", policyBinding.Name))

+	}

+

+	if len(policyBinding.PolicyRef.Namespace) == 0 {

+		allErrs = append(allErrs, errs.NewFieldRequired("policyRef.Namespace", policyBinding.PolicyRef.Namespace))

+	}

+

+	allErrs = append(allErrs, validation.ValidateLabels(policyBinding.Labels, "labels")...)

+	return allErrs

+}

+

+// ValidateRole tests required fields for a Role.

+func ValidateRole(role *authorizationapi.Role) errs.ValidationErrorList {

+	allErrs := errs.ValidationErrorList{}

+

+	if len(role.Name) == 0 {

+		allErrs = append(allErrs, errs.NewFieldRequired("name", role.Name))

+	}

+

+	allErrs = append(allErrs, validation.ValidateLabels(role.Labels, "labels")...)

+	return allErrs

+}

+

+// ValidateRoleBinding tests required fields for a RoleBinding.

+func ValidateRoleBinding(roleBinding *authorizationapi.RoleBinding) errs.ValidationErrorList {

+	allErrs := errs.ValidationErrorList{}

+

+	if len(roleBinding.Name) == 0 {

+		allErrs = append(allErrs, errs.NewFieldRequired("name", roleBinding.Name))

+	}

+

+	if len(roleBinding.RoleRef.Namespace) == 0 {

+		allErrs = append(allErrs, errs.NewFieldRequired("roleRef.namespace", roleBinding.RoleRef.Namespace))

+	} else if !util.IsDNSSubdomain(roleBinding.RoleRef.Namespace) {

+		allErrs = append(allErrs, errs.NewFieldInvalid("roleRef.namespace", roleBinding.RoleRef.Namespace, "roleRef.namespace must be a valid subdomain"))

+	}

+

+	allErrs = append(allErrs, validation.ValidateLabels(roleBinding.Labels, "labels")...)

+	return allErrs

+}

new file mode 100644

@@ -0,0 +1,65 @@

+package validation

+

+import (

+	"testing"

+

+	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

+

+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

+)

+

+func TestRoleValidationSuccess(t *testing.T) {

+	role := &authorizationapi.Role{}

+	role.Name = "my-name"

+	role.Namespace = kapi.NamespaceDefault

+

+	if result := ValidateRole(role); len(result) > 0 {

+		t.Errorf("Unexpected validation error returned %v", result)

+	}

+}

+

+func TestRoleValidationFailure(t *testing.T) {

+	role := &authorizationapi.Role{}

+	role.Namespace = kapi.NamespaceDefault

+	if result := ValidateRole(role); len(result) != 1 {

+		t.Errorf("Unexpected validation result: %v", result)

+	}

+}

+

+func TestRoleBindingValidationSuccess(t *testing.T) {

+	roleBinding := &authorizationapi.RoleBinding{}

+	roleBinding.Name = "my-name"

+	roleBinding.Namespace = kapi.NamespaceDefault

+	roleBinding.RoleRef.Namespace = kapi.NamespaceDefault

+

+	if result := ValidateRoleBinding(roleBinding); len(result) > 0 {

+		t.Errorf("Unexpected validation error returned %v", result)

+	}

+}

+

+func TestRoleBindingValidationFailure(t *testing.T) {

+	roleBinding := &authorizationapi.RoleBinding{}

+	roleBinding.Namespace = kapi.NamespaceDefault

+	if result := ValidateRoleBinding(roleBinding); len(result) != 2 {

+		t.Errorf("Unexpected validation result: %v", result)

+	}

+}

+

+func TestPolicyBindingValidationSuccess(t *testing.T) {

+	policyBinding := &authorizationapi.PolicyBinding{}

+	policyBinding.Name = "my-name"

+	policyBinding.Namespace = kapi.NamespaceDefault

+	policyBinding.PolicyRef.Namespace = "my-name"

+

+	if result := ValidatePolicyBinding(policyBinding); len(result) > 0 {

+		t.Errorf("Unexpected validation error returned %v", result)

+	}

+}

+

+func TestPolicyBindingValidationFailure(t *testing.T) {

+	policyBinding := &authorizationapi.PolicyBinding{}

+	policyBinding.Namespace = kapi.NamespaceDefault

+	if result := ValidatePolicyBinding(policyBinding); len(result) != 2 {

+		t.Errorf("Unexpected validation result: %v", result)

+	}

+}