@@ -25,3 +25,9 @@ type Assertion interface {

 type Client interface {

 	AuthenticateClient(client api.Client) (api.UserInfo, bool, error)

 }

+

+type RequestFunc func(req *http.Request) (api.UserInfo, bool, error)

+

+func (f RequestFunc) AuthenticateRequest(req *http.Request) (api.UserInfo, bool, error) {

+	return f(req)

+}

new file mode 100644

@@ -0,0 +1,31 @@

+package bearertoken

+

+import (

+	"net/http"

+	"strings"

+

+	"github.com/openshift/origin/pkg/auth/api"

+	"github.com/openshift/origin/pkg/auth/authenticator"

+)

+

+type Authenticator struct {

+	auth authenticator.Token

+}

+

+func New(auth authenticator.Token) *Authenticator {

+	return &Authenticator{auth}

+}

+

+func (a *Authenticator) AuthenticateRequest(req *http.Request) (api.UserInfo, bool, error) {

+	auth := strings.TrimSpace(req.Header.Get("Authorization"))

+	if auth == "" {

+		return nil, false, nil

+	}

+	parts := strings.Split(auth, " ")

+	if len(parts) < 2 || strings.ToLower(parts[0]) != "bearer" {

+		return nil, false, nil

+	}

+

+	token := parts[1]

+	return a.auth.AuthenticateToken(token)

+}

deleted file mode 100644

@@ -1,31 +0,0 @@

-package bearertoken

-

-import (

-	"net/http"

-	"strings"

-

-	"github.com/openshift/origin/pkg/auth/api"

-	"github.com/openshift/origin/pkg/auth/authenticator"

-)

-

-type Authenticator struct {

-	auth authenticator.Token

-}

-

-func New(auth authenticator.Token) *Authenticator {

-	return &Authenticator{auth}

-}

-

-func (a *Authenticator) AuthenticateRequest(req *http.Request) (api.UserInfo, bool, error) {

-	auth := strings.TrimSpace(req.Header.Get("Authorization"))

-	if auth == "" {

-		return nil, false, nil

-	}

-	parts := strings.Split(auth, " ")

-	if len(parts) < 2 || strings.ToLower(parts[0]) != "bearer" {

-		return nil, false, nil

-	}

-

-	token := parts[1]

-	return a.auth.AuthenticateToken(token)

-}

new file mode 100644

@@ -0,0 +1,32 @@

+package group

+

+import (

+	"net/http"

+

+	"github.com/openshift/origin/pkg/auth/api"

+	"github.com/openshift/origin/pkg/auth/authenticator"

+)

+

+// GroupAdder wraps a request authenticator, and adds the specified groups to the returned user when authentication succeeds

+type GroupAdder struct {

+	Authenticator authenticator.Request

+	Groups        []string

+}

+

+func (g *GroupAdder) AuthenticateRequest(req *http.Request) (api.UserInfo, bool, error) {

+	user, ok, err := g.Authenticator.AuthenticateRequest(req)

+	if err != nil || !ok {

+		return nil, ok, err

+	}

+	return &api.DefaultUserInfo{

+		Name:   user.GetName(),

+		UID:    user.GetUID(),

+		Groups: append(user.GetGroups(), g.Groups...),

+		Scope:  user.GetScope(),

+		Extra:  user.GetExtra(),

+	}, true, nil

+}

+

+func NewGroupAdder(auth authenticator.Request, groups []string) *GroupAdder {

+	return &GroupAdder{auth, groups}

+}

new file mode 100644

@@ -0,0 +1,26 @@

+package group

+

+import (

+	"net/http"

+	"reflect"

+	"testing"

+

+	"github.com/openshift/origin/pkg/auth/api"

+	"github.com/openshift/origin/pkg/auth/authenticator"

+)

+

+func TestGroupAdder(t *testing.T) {

+	adder := authenticator.Request(

+		NewGroupAdder(

+			authenticator.RequestFunc(func(req *http.Request) (api.UserInfo, bool, error) {

+				return &api.DefaultUserInfo{Name: "user", Groups: []string{"original"}}, true, nil

+			}),

+			[]string{"added"},

+		),

+	)

+

+	user, _, _ := adder.AuthenticateRequest(nil)

+	if !reflect.DeepEqual(user.GetGroups(), []string{"original", "added"}) {

+		t.Errorf("Expected original,added groups, got %#v", user.GetGroups())

+	}

+}

@@ -22,9 +22,9 @@ import (

 	"github.com/openshift/origin/pkg/auth/authenticator/password/allowanypassword"

 	"github.com/openshift/origin/pkg/auth/authenticator/password/basicauthpassword"

 	"github.com/openshift/origin/pkg/auth/authenticator/request/basicauthrequest"

+	"github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken"

 	"github.com/openshift/origin/pkg/auth/authenticator/request/headerrequest"

 	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"

-	"github.com/openshift/origin/pkg/auth/authenticator/token/bearertoken"

 	"github.com/openshift/origin/pkg/auth/authenticator/token/filetoken"

 	"github.com/openshift/origin/pkg/auth/oauth/external"

 	"github.com/openshift/origin/pkg/auth/oauth/external/github"

@@ -391,13 +391,9 @@ func wrapHandlerWithAuthentication(handler http.Handler, authenticator authentic

 		requestsToUsers,

 		authenticator,

 		http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

-			// TODO: make this failure handler actually fail once internal components can get auth tokens to do their job

-			// w.WriteHeader(http.StatusUnauthorized)

-			// return

-

-			// For now, just let us know and continue on your merry way

-			glog.V(2).Infof("Token authentication failed when accessing: %v", req.URL)

-			handler.ServeHTTP(w, req)

+			w.WriteHeader(http.StatusUnauthorized)

+			w.Write([]byte("Unauthorized"))

+			return

 		}),

 		handler)

 }

@@ -27,7 +27,12 @@ import (

 	"github.com/spf13/cobra"

 	"github.com/openshift/origin/pkg/api/latest"

-	"github.com/openshift/origin/pkg/auth/authenticator/token/bearertoken"

+	"github.com/openshift/origin/pkg/auth/api"

+	"github.com/openshift/origin/pkg/auth/authenticator"

+	"github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken"

+	"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"

+	"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"

+	"github.com/openshift/origin/pkg/auth/group"

 	"github.com/openshift/origin/pkg/cmd/flagtypes"

 	"github.com/openshift/origin/pkg/cmd/server/crypto"

 	"github.com/openshift/origin/pkg/cmd/server/etcd"

@@ -69,6 +74,13 @@ You may also pass --etcd to connect to an external etcd server instead of runnin

 instance.

 `

+const (

+	unauthenticatedUsername = "system:anonymous"

+

+	authenticatedGroup   = "system:authenticated"

+	unauthenticatedGroup = "system:unauthenticated"

+)

+

 // config is a struct that the command stores flag values into.

 type config struct {

 	Docker *docker.Helper

@@ -299,11 +311,12 @@ func start(cfg *config, args []string) error {

 		}

 		// Build token auth for user's OAuth tokens

+		authenticators := []authenticator.Request{}

 		tokenAuthenticator, err := origin.GetTokenAuthenticator(etcdHelper)

 		if err != nil {

 			glog.Fatalf("Error creating TokenAuthenticator: %v", err)

 		}

-		osmaster.Authenticator = bearertoken.New(tokenAuthenticator)

+		authenticators = append(authenticators, group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{authenticatedGroup}))

 		var roots *x509.CertPool

 		if osmaster.TLS {

@@ -355,6 +368,14 @@ func start(cfg *config, args []string) error {

 			for _, root := range ca.Config.Roots {

 				roots.AddCert(root)

 			}

+

+			// build cert authenticator

+			// TODO: add cert users to etcd?

+			// TODO: provider-qualify cert users?

+			opts := x509request.DefaultVerifyOptions()

+			opts.Roots = roots

+			certauth := x509request.New(opts, x509request.CommonNameUserConversion)

+			authenticators = append(authenticators, group.NewGroupAdder(certauth, []string{authenticatedGroup}))

 		} else {

 			// No security, use the same client config for all OpenShift clients

 			osClientConfig := kclient.Config{Host: cfg.MasterAddr.URL.String(), Version: latest.Version}

@@ -362,6 +383,13 @@ func start(cfg *config, args []string) error {

 			osmaster.DeployerOSClientConfig = osClientConfig

 		}

+		// TODO: make anonymous auth optional?

+		// TODO: should this map to a real user persisted in etcd?

+		authenticators = append(authenticators, authenticator.RequestFunc(func(req *http.Request) (api.UserInfo, bool, error) {

+			return &api.DefaultUserInfo{Name: unauthenticatedUsername, Groups: []string{unauthenticatedGroup}}, true, nil

+		}))

+		osmaster.Authenticator = unionrequest.NewUnionAuthentication(authenticators)

+

 		osmaster.BuildClients()

 		osmaster.EnsureCORSAllowedOrigins(cfg.CORSAllowedOrigins)

@@ -35,7 +35,7 @@ func NewCurrentContextFilter(requestPath string, context Context, handler http.H

 		user, found := context.Get(req)

 		if !found {

-			http.Error(w, "Need to be authorized to access this method", http.StatusUnauthorized)

+			http.Error(w, "Need to be authenticated to access this method", http.StatusUnauthorized)

 			return

 		}

@@ -51,7 +51,7 @@ func InstallThisUser(mux mux, endpoint string, requestsToUsers Context, apiHandl

 		func(w http.ResponseWriter, req *http.Request) {

 			user, found := requestsToUsers.Get(req)

 			if !found {

-				http.Error(w, "Need to be authorized to access this method", http.StatusUnauthorized)

+				http.Error(w, "Need to be authenticated to access this method", http.StatusUnauthorized)

 				return

 			}