@@ -189,7 +189,7 @@ type ResourceAccessReview struct {

 	unversioned.TypeMeta

 	// Action describes the action being tested

-	Action AuthorizationAttributes

+	Action

 }

 // SubjectAccessReviewResponse describes whether or not a user or group can perform an action

@@ -209,7 +209,7 @@ type SubjectAccessReview struct {

 	unversioned.TypeMeta

 	// Action describes the action being tested

-	Action AuthorizationAttributes

+	Action

 	// User is optional.  If both User and Groups are empty, the current authenticated user is used.

 	User string

 	// Groups is optional.  Groups is the list of groups to which the User belongs.

@@ -226,7 +226,7 @@ type LocalResourceAccessReview struct {

 	unversioned.TypeMeta

 	// Action describes the action being tested

-	Action AuthorizationAttributes

+	Action

 }

 // LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace

@@ -234,7 +234,7 @@ type LocalSubjectAccessReview struct {

 	unversioned.TypeMeta

 	// Action describes the action being tested.  The Namespace element is FORCED to the current namespace.

-	Action AuthorizationAttributes

+	Action

 	// User is optional.  If both User and Groups are empty, the current authenticated user is used.

 	User string

 	// Groups is optional.  Groups is the list of groups to which the User belongs.

@@ -246,8 +246,8 @@ type LocalSubjectAccessReview struct {

 	Scopes []string

 }

-// AuthorizationAttributes describes a request to be authorized

-type AuthorizationAttributes struct {

+// Action describes a request to be authorized

+type Action struct {

 	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces

 	Namespace string

 	// Verb is one of: get, list, watch, create, update, delete

@@ -13,115 +13,54 @@ import (

 	uservalidation "github.com/openshift/origin/pkg/user/api/validation"

 )

-func Convert_v1_ResourceAccessReview_To_api_ResourceAccessReview(in *ResourceAccessReview, out *newer.ResourceAccessReview, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-	if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-

-	return nil

-}

-

-func Convert_api_ResourceAccessReview_To_v1_ResourceAccessReview(in *newer.ResourceAccessReview, out *ResourceAccessReview, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-	if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-

-	return nil

-}

-

-func Convert_v1_LocalResourceAccessReview_To_api_LocalResourceAccessReview(in *LocalResourceAccessReview, out *newer.LocalResourceAccessReview, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-	if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-

-	return nil

-}

-

-func Convert_api_LocalResourceAccessReview_To_v1_LocalResourceAccessReview(in *newer.LocalResourceAccessReview, out *LocalResourceAccessReview, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-	if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-

-	return nil

-}

-

 func Convert_v1_SubjectAccessReview_To_api_SubjectAccessReview(in *SubjectAccessReview, out *newer.SubjectAccessReview, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-	if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil {

+	if err := autoConvert_v1_SubjectAccessReview_To_api_SubjectAccessReview(in, out, s); err != nil {

 		return err

 	}

 	out.Groups = sets.NewString(in.GroupsSlice...)

-

 	return nil

 }

 func Convert_api_SubjectAccessReview_To_v1_SubjectAccessReview(in *newer.SubjectAccessReview, out *SubjectAccessReview, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-	if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil {

+	if err := autoConvert_api_SubjectAccessReview_To_v1_SubjectAccessReview(in, out, s); err != nil {

 		return err

 	}

 	out.GroupsSlice = in.Groups.List()

-

 	return nil

 }

 func Convert_v1_LocalSubjectAccessReview_To_api_LocalSubjectAccessReview(in *LocalSubjectAccessReview, out *newer.LocalSubjectAccessReview, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-	if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil {

+	if err := autoConvert_v1_LocalSubjectAccessReview_To_api_LocalSubjectAccessReview(in, out, s); err != nil {

 		return err

 	}

 	out.Groups = sets.NewString(in.GroupsSlice...)

-

 	return nil

 }

 func Convert_api_LocalSubjectAccessReview_To_v1_LocalSubjectAccessReview(in *newer.LocalSubjectAccessReview, out *LocalSubjectAccessReview, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

-		return err

-	}

-	if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil {

+	if err := autoConvert_api_LocalSubjectAccessReview_To_v1_LocalSubjectAccessReview(in, out, s); err != nil {

 		return err

 	}

 	out.GroupsSlice = in.Groups.List()

-

 	return nil

 }

 func Convert_v1_ResourceAccessReviewResponse_To_api_ResourceAccessReviewResponse(in *ResourceAccessReviewResponse, out *newer.ResourceAccessReviewResponse, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

+	if err := autoConvert_v1_ResourceAccessReviewResponse_To_api_ResourceAccessReviewResponse(in, out, s); err != nil {

 		return err

 	}

 	out.Users = sets.NewString(in.UsersSlice...)

 	out.Groups = sets.NewString(in.GroupsSlice...)

-

 	return nil

 }

 func Convert_api_ResourceAccessReviewResponse_To_v1_ResourceAccessReviewResponse(in *newer.ResourceAccessReviewResponse, out *ResourceAccessReviewResponse, s conversion.Scope) error {

-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {

+	if err := autoConvert_api_ResourceAccessReviewResponse_To_v1_ResourceAccessReviewResponse(in, out, s); err != nil {

 		return err

 	}

@@ -5,8 +5,8 @@ package v1

 // by hack/update-generated-swagger-descriptions.sh and should be run after a full build of OpenShift.

 // ==== DO NOT EDIT THIS FILE MANUALLY ====

-var map_AuthorizationAttributes = map[string]string{

-	"":                   "AuthorizationAttributes describes a request to the API server",

+var map_Action = map[string]string{

+	"":                   "Action describes a request to the API server",

 	"namespace":          "Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces",

 	"verb":               "Verb is one of: get, list, watch, create, update, delete",

 	"resourceAPIGroup":   "Group is the API group of the resource Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined",

@@ -16,8 +16,8 @@ var map_AuthorizationAttributes = map[string]string{

 	"content":            "Content is the actual content of the request for create and update",

 }

-func (AuthorizationAttributes) SwaggerDoc() map[string]string {

-	return map_AuthorizationAttributes

+func (Action) SwaggerDoc() map[string]string {

+	return map_Action

 }

 var map_ClusterPolicy = map[string]string{

@@ -173,8 +173,8 @@ type ResourceAccessReviewResponse struct {

 type ResourceAccessReview struct {

 	unversioned.TypeMeta `json:",inline"`

-	// AuthorizationAttributes describes the action being tested.

-	AuthorizationAttributes `json:",inline" protobuf:"bytes,1,opt,name=authorizationAttributes"`

+	// Action describes the action being tested.

+	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`

 }

 // SubjectAccessReviewResponse describes whether or not a user or group can perform an action

@@ -197,8 +197,8 @@ type OptionalScopes []string

 type SubjectAccessReview struct {

 	unversioned.TypeMeta `json:",inline"`

-	// AuthorizationAttributes describes the action being tested.

-	AuthorizationAttributes `json:",inline" protobuf:"bytes,1,opt,name=authorizationAttributes"`

+	// Action describes the action being tested.

+	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`

 	// User is optional. If both User and Groups are empty, the current authenticated user is used.

 	User string `json:"user" protobuf:"bytes,2,opt,name=user"`

 	// GroupsSlice is optional. Groups is the list of groups to which the User belongs.

@@ -214,16 +214,16 @@ type SubjectAccessReview struct {

 type LocalResourceAccessReview struct {

 	unversioned.TypeMeta `json:",inline"`

-	// AuthorizationAttributes describes the action being tested.  The Namespace element is FORCED to the current namespace.

-	AuthorizationAttributes `json:",inline" protobuf:"bytes,1,opt,name=authorizationAttributes"`

+	// Action describes the action being tested.  The Namespace element is FORCED to the current namespace.

+	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`

 }

 // LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace

 type LocalSubjectAccessReview struct {

 	unversioned.TypeMeta `json:",inline"`

-	// AuthorizationAttributes describes the action being tested.  The Namespace element is FORCED to the current namespace.

-	AuthorizationAttributes `json:",inline" protobuf:"bytes,1,opt,name=authorizationAttributes"`

+	// Action describes the action being tested.  The Namespace element is FORCED to the current namespace.

+	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`

 	// User is optional.  If both User and Groups are empty, the current authenticated user is used.

 	User string `json:"user" protobuf:"bytes,2,opt,name=user"`

 	// Groups is optional.  Groups is the list of groups to which the User belongs.

@@ -235,8 +235,8 @@ type LocalSubjectAccessReview struct {

 	Scopes OptionalScopes `json:"scopes" protobuf:"bytes,4,rep,name=scopes"`

 }

-// AuthorizationAttributes describes a request to the API server

-type AuthorizationAttributes struct {

+// Action describes a request to the API server

+type Action struct {

 	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces

 	Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"`

 	// Verb is one of: get, list, watch, create, update, delete

@@ -16,12 +16,12 @@ var _ = kauthorizer.Attributes(AdapterAttributes{})

 type AdapterAttributes struct {

 	namespace               string

 	user                    user.Info

-	authorizationAttributes oauthorizer.AuthorizationAttributes

+	authorizationAttributes oauthorizer.Action

 }

 // OriginAuthorizerAttributes adapts Kubernetes authorization attributes to Origin authorization attributes

 // Note that some info (like resourceName, apiVersion, apiGroup) is not available from the Kubernetes attributes

-func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.AuthorizationAttributes) {

+func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.Action) {

 	// Build a context to hold the namespace and user info

 	ctx := kapi.NewContext()

 	ctx = kapi.WithNamespace(ctx, kattrs.GetNamespace())

@@ -55,7 +55,7 @@ func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oa

 // KubernetesAuthorizerAttributes adapts Origin authorization attributes to Kubernetes authorization attributes

 // The returned attributes can be passed to OriginAuthorizerAttributes to access extra information from the Origin attributes interface

-func KubernetesAuthorizerAttributes(namespace string, user user.Info, oattrs oauthorizer.AuthorizationAttributes) kauthorizer.Attributes {

+func KubernetesAuthorizerAttributes(namespace string, user user.Info, oattrs oauthorizer.Action) kauthorizer.Attributes {

 	return AdapterAttributes{

 		namespace: namespace,

 		user:      user,

@@ -113,7 +113,7 @@ func TestAttributeIntersection(t *testing.T) {

 	)

 	kattributesType := reflect.TypeOf((*kauthorizer.Attributes)(nil)).Elem()

-	oattributesType := reflect.TypeOf((*oauthorizer.AuthorizationAttributes)(nil)).Elem()

+	oattributesType := reflect.TypeOf((*oauthorizer.Action)(nil)).Elem()

 	kattributesMethods := sets.NewString()

 	for i := 0; i < kattributesType.NumMethod(); i++ {

@@ -21,9 +21,9 @@ type DefaultAuthorizationAttributes struct {

 	URL               string

 }

-// ToDefaultAuthorizationAttributes coerces AuthorizationAttributes to DefaultAuthorizationAttributes.  Namespace is not included

+// ToDefaultAuthorizationAttributes coerces Action to DefaultAuthorizationAttributes.  Namespace is not included

 // because the authorizer takes that information on the context

-func ToDefaultAuthorizationAttributes(in authorizationapi.AuthorizationAttributes) DefaultAuthorizationAttributes {

+func ToDefaultAuthorizationAttributes(in authorizationapi.Action) DefaultAuthorizationAttributes {

 	return DefaultAuthorizationAttributes{

 		Verb:         in.Verb,

 		APIGroup:     in.Group,

@@ -136,8 +136,8 @@ func splitPath(thePath string) []string {

 	return strings.Split(thePath, "/")

 }

-// DefaultAuthorizationAttributes satisfies the AuthorizationAttributes interface

-var _ AuthorizationAttributes = DefaultAuthorizationAttributes{}

+// DefaultAuthorizationAttributes satisfies the Action interface

+var _ Action = DefaultAuthorizationAttributes{}

 func (a DefaultAuthorizationAttributes) GetAPIVersion() string {

 	return a.APIVersion

@@ -16,7 +16,7 @@ func NewAuthorizationAttributeBuilder(contextMapper kapi.RequestContextMapper, i

 	return &openshiftAuthorizationAttributeBuilder{contextMapper, infoResolver}

 }

-func (a *openshiftAuthorizationAttributeBuilder) GetAttributes(req *http.Request) (AuthorizationAttributes, error) {

+func (a *openshiftAuthorizationAttributeBuilder) GetAttributes(req *http.Request) (Action, error) {

 	requestInfo, err := a.infoResolver.GetRequestInfo(req)

 	if err != nil {

 		return nil, err

@@ -7,13 +7,13 @@ import (

 )

 func TestAuthorizationAttributes(t *testing.T) {

-	// Wrapper to make sure additions to the AuthorizationAttributes interface get corresponding fields added in api.AuthorizationAttributes

-	// If an additional function is required to satisfy this interface, the data for it should come from the contained authorizationapi.AuthorizationAttributes

-	var _ AuthorizationAttributes = authorizationAttributesAdapter{}

+	// Wrapper to make sure additions to the Action interface get corresponding fields added in api.Action

+	// If an additional function is required to satisfy this interface, the data for it should come from the contained authorizationapi.Action

+	var _ Action = authorizationAttributesAdapter{}

 }

 type authorizationAttributesAdapter struct {

-	attrs authorizationapi.AuthorizationAttributes

+	attrs authorizationapi.Action

 }

 func (a authorizationAttributesAdapter) GetVerb() string {

@@ -37,17 +37,17 @@ func (a authorizationAttributesAdapter) GetResourceName() string {

 }

 func (a authorizationAttributesAdapter) GetRequestAttributes() interface{} {

-	// AuthorizationAttributes doesn't currently support request attributes,

+	// Action doesn't currently support request attributes,

 	// because they cannot be reliably serialized

 	return nil

 }

 func (a authorizationAttributesAdapter) IsNonResourceURL() bool {

-	// AuthorizationAttributes currently only supports resource authorization checks

+	// Action currently only supports resource authorization checks

 	return false

 }

 func (a authorizationAttributesAdapter) GetURL() string {

-	// AuthorizationAttributes currently only supports resource authorization checks

+	// Action currently only supports resource authorization checks

 	return ""

 }

@@ -18,7 +18,7 @@ func NewAuthorizer(ruleResolver rulevalidation.AuthorizationRuleResolver, forbid

 	return &openshiftAuthorizer{ruleResolver, forbiddenMessageMaker}

 }

-func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes AuthorizationAttributes) (bool, string, error) {

+func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Action) (bool, string, error) {

 	attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)

 	// keep track of errors in case we are unable to authorize the action.

@@ -63,7 +63,7 @@ func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Autho

 // If we got an error, then the list of subjects may not be complete, but it does not contain any incorrect names.

 // This is done because policy rules are purely additive and policy determinations

 // can be made on the basis of those rules that are found.

-func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (sets.String, sets.String, error) {

+func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes Action) (sets.String, sets.String, error) {

 	errs := []error{}

 	masterContext := kapi.WithNamespace(ctx, kapi.NamespaceNone)

@@ -87,7 +87,7 @@ func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes Au

 	return users, groups, kerrors.NewAggregate(errs)

 }

-func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.Context, passedAttributes AuthorizationAttributes) (sets.String, sets.String, error) {

+func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.Context, passedAttributes Action) (sets.String, sets.String, error) {

 	attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)

 	errs := []error{}

@@ -129,7 +129,7 @@ func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.C

 // authorizeWithNamespaceRules returns isAllowed, reason, and error.  If an error is returned, isAllowed and reason are still valid.  This seems strange

 // but errors are not always fatal to the authorization process.  It is entirely possible to get an error and be able to continue determine authorization

 // status in spite of it.  This is most common when a bound role is missing, but enough roles are still present and bound to authorize the request.

-func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, passedAttributes AuthorizationAttributes) (bool, string, error) {

+func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, passedAttributes Action) (bool, string, error) {

 	attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)

 	allRules, ruleRetrievalError := a.ruleResolver.GetEffectivePolicyRules(ctx)

@@ -153,7 +153,7 @@ func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, pass

 // TODO this may or may not be the behavior we want for managing rules.  As a for instance, a verb might be specified

 // that our attributes builder will never satisfy.  For now, I think gets us close.  Maybe a warning message of some kind?

-func CoerceToDefaultAuthorizationAttributes(passedAttributes AuthorizationAttributes) *DefaultAuthorizationAttributes {

+func CoerceToDefaultAuthorizationAttributes(passedAttributes Action) *DefaultAuthorizationAttributes {

 	attributes, ok := passedAttributes.(*DefaultAuthorizationAttributes)

 	if !ok {

 		attributes = &DefaultAuthorizationAttributes{

@@ -60,7 +60,7 @@ func NewAuthorizer(a authorizer.Authorizer, ttl time.Duration, cacheSize int) (a

 	}, nil

 }

-func (c *CacheAuthorizer) Authorize(ctx kapi.Context, a authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {

+func (c *CacheAuthorizer) Authorize(ctx kapi.Context, a authorizer.Action) (allowed bool, reason string, err error) {

 	key, err := cacheKey(ctx, a)

 	if err != nil {

 		glog.V(5).Infof("could not build cache key for %#v: %v", a, err)

@@ -92,7 +92,7 @@ func (c *CacheAuthorizer) Authorize(ctx kapi.Context, a authorizer.Authorization

 	return allowed, reason, err

 }

-func (c *CacheAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {

+func (c *CacheAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.Action) (sets.String, sets.String, error) {

 	key, err := cacheKey(ctx, attributes)

 	if err != nil {

 		glog.V(5).Infof("could not build cache key for %#v: %v", attributes, err)

@@ -123,7 +123,7 @@ func (c *CacheAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes author

 	return users, groups, err

 }

-func cacheKey(ctx kapi.Context, a authorizer.AuthorizationAttributes) (string, error) {

+func cacheKey(ctx kapi.Context, a authorizer.Action) (string, error) {

 	if a.GetRequestAttributes() != nil {

 		// TODO: see if we can serialize this?

 		return "", errors.New("cannot cache request attributes")

@@ -21,7 +21,7 @@ func TestAuthorizer(t *testing.T) {

 func TestCacheKey(t *testing.T) {

 	tests := map[string]struct {

 		Context kapi.Context

-		Attrs   authorizer.AuthorizationAttributes

+		Attrs   authorizer.Action

 		ExpectedKey string

 		ExpectedErr bool

@@ -80,7 +80,7 @@ func TestCacheKeyFields(t *testing.T) {

 	// These are results we don't expect to be in the cache key

 	expectedMissingKeys := sets.NewString("requestattributes")

-	attrType := reflect.TypeOf((*authorizer.AuthorizationAttributes)(nil)).Elem()

+	attrType := reflect.TypeOf((*authorizer.Action)(nil)).Elem()

 	for i := 0; i < attrType.NumMethod(); i++ {

 		name := attrType.Method(i).Name

 		name = strings.TrimPrefix(name, "Get")

@@ -10,19 +10,19 @@ import (

 )

 type Authorizer interface {

-	Authorize(ctx kapi.Context, a AuthorizationAttributes) (allowed bool, reason string, err error)

-	GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (sets.String, sets.String, error)

+	Authorize(ctx kapi.Context, a Action) (allowed bool, reason string, err error)

+	GetAllowedSubjects(ctx kapi.Context, attributes Action) (sets.String, sets.String, error)

 }

 type AuthorizationAttributeBuilder interface {

-	GetAttributes(request *http.Request) (AuthorizationAttributes, error)

+	GetAttributes(request *http.Request) (Action, error)

 }

 type RequestInfoResolver interface {

 	GetRequestInfo(req *http.Request) (kapiserver.RequestInfo, error)

 }

-type AuthorizationAttributes interface {

+type Action interface {

 	GetVerb() string

 	GetAPIVersion() string

 	GetAPIGroup() string

@@ -46,5 +46,5 @@ type ForbiddenMessageMaker interface {

 type MessageContext struct {

 	User       user.Info

 	Namespace  string

-	Attributes AuthorizationAttributes

+	Attributes Action

 }

@@ -12,7 +12,7 @@ import (

 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"

 )

-func IsPersonalAccessReview(a AuthorizationAttributes) (bool, error) {

+func IsPersonalAccessReview(a Action) (bool, error) {

 	switch extendedAttributes := a.GetRequestAttributes().(type) {

 	case *http.Request:

 		return isPersonalAccessReviewFromRequest(a, extendedAttributes)

@@ -30,7 +30,7 @@ func IsPersonalAccessReview(a AuthorizationAttributes) (bool, error) {

 }

 // isPersonalAccessReviewFromRequest this variant handles the case where we have an httpRequest

-func isPersonalAccessReviewFromRequest(a AuthorizationAttributes, req *http.Request) (bool, error) {

+func isPersonalAccessReviewFromRequest(a Action, req *http.Request) (bool, error) {

 	// TODO once we're integrated with the api installer, we should have direct access to the deserialized content

 	// for now, this only happens on subjectaccessreviews with a personal check, pay the double retrieve and decode cost

 	body, err := ioutil.ReadAll(req.Body)

@@ -30,7 +30,7 @@ func NewAuthorizer(client RemoteAuthorizerClient) (authorizer.Authorizer, error)

 	return &RemoteAuthorizer{client}, nil

 }

-func (r *RemoteAuthorizer) Authorize(ctx kapi.Context, a authorizer.AuthorizationAttributes) (bool, string, error) {

+func (r *RemoteAuthorizer) Authorize(ctx kapi.Context, a authorizer.Action) (bool, string, error) {

 	var (

 		result *authzapi.SubjectAccessReviewResponse

 		err    error

@@ -70,7 +70,7 @@ func (r *RemoteAuthorizer) Authorize(ctx kapi.Context, a authorizer.Authorizatio

 	return result.Allowed, result.Reason, nil

 }

-func (r *RemoteAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {

+func (r *RemoteAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.Action) (sets.String, sets.String, error) {

 	var (

 		result *authzapi.ResourceAccessReviewResponse

 		err    error

@@ -92,8 +92,8 @@ func (r *RemoteAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes autho

 	return result.Users, result.Groups, nil

 }

-func getAction(namespace string, attributes authorizer.AuthorizationAttributes) authzapi.AuthorizationAttributes {

-	return authzapi.AuthorizationAttributes{

+func getAction(namespace string, attributes authorizer.Action) authzapi.Action {

+	return authzapi.Action{

 		Namespace:    namespace,

 		Verb:         attributes.GetVerb(),

 		Group:        attributes.GetAPIGroup(),

@@ -101,10 +101,10 @@ func getAction(namespace string, attributes authorizer.AuthorizationAttributes)

 		Resource:     attributes.GetResource(),

 		ResourceName: attributes.GetResourceName(),

-		// TODO: missing from authorizer.AuthorizationAttributes:

+		// TODO: missing from authorizer.Action:

 		// Content

-		// TODO: missing from authzapi.AuthorizationAttributes

+		// TODO: missing from authzapi.Action

 		// RequestAttributes (unserializable?)

 		// IsNonResourceURL

 		// URL (doesn't make sense for remote authz?)

@@ -23,7 +23,7 @@ func NewAuthorizer(delegate defaultauthorizer.Authorizer, clusterPolicyGetter cl

 	return &scopeAuthorizer{delegate: delegate, clusterPolicyGetter: clusterPolicyGetter, forbiddenMessageMaker: forbiddenMessageMaker}

 }

-func (a *scopeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.AuthorizationAttributes) (bool, string, error) {

+func (a *scopeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.Action) (bool, string, error) {

 	user, exists := kapi.UserFrom(ctx)

 	if !exists {

 		return false, "", fmt.Errorf("user missing from context")

@@ -67,6 +67,6 @@ func (a *scopeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultau

 // TODO remove this. We don't logically need it, but it requires splitting our interface

 // GetAllowedSubjects returns the subjects it knows can perform the action.

-func (a *scopeAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes defaultauthorizer.AuthorizationAttributes) (sets.String, sets.String, error) {

+func (a *scopeAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes defaultauthorizer.Action) (sets.String, sets.String, error) {

 	return a.delegate.GetAllowedSubjects(ctx, attributes)

 }

@@ -113,11 +113,11 @@ type fakeAuthorizer struct {

 	called  bool

 }

-func (a *fakeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.AuthorizationAttributes) (bool, string, error) {

+func (a *fakeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.Action) (bool, string, error) {

 	a.called = true

 	return a.allowed, "", nil

 }

-func (a *fakeAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes defaultauthorizer.AuthorizationAttributes) (sets.String, sets.String, error) {

+func (a *fakeAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes defaultauthorizer.Action) (sets.String, sets.String, error) {

 	return nil, nil, nil

 }

@@ -27,7 +27,7 @@ type testAuthorizer struct {

 	actualAttributes authorizer.DefaultAuthorizationAttributes

 }

-func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {

+func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Action) (allowed bool, reason string, err error) {

 	// allow the initial check for "can I run this RAR at all"

 	if attributes.GetResource() == "localresourceaccessreviews" {

 		return true, "", nil

@@ -35,7 +35,7 @@ func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Autho

 	return false, "", errors.New("Unsupported")

 }

-func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {

+func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.Action) (sets.String, sets.String, error) {

 	attributes, ok := passedAttributes.(authorizer.DefaultAuthorizationAttributes)

 	if !ok {

 		return nil, nil, errors.New("unexpected type for test")

@@ -54,7 +54,7 @@ func TestNoNamespace(t *testing.T) {

 			err: "namespace is required on this type: ",

 		},

 		reviewRequest: &authorizationapi.LocalResourceAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "",

 				Verb:      "get",

 				Resource:  "pods",

@@ -68,7 +68,7 @@ func TestNoNamespace(t *testing.T) {

 func TestConflictingNamespace(t *testing.T) {

 	authorizer := &testAuthorizer{}

 	reviewRequest := &authorizationapi.LocalResourceAccessReview{

-		Action: authorizationapi.AuthorizationAttributes{

+		Action: authorizationapi.Action{

 			Namespace: "foo",

 			Verb:      "get",

 			Resource:  "pods",

@@ -93,7 +93,7 @@ func TestEmptyReturn(t *testing.T) {

 			groups: sets.String{},

 		},

 		reviewRequest: &authorizationapi.LocalResourceAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "unittest",

 				Verb:      "get",

 				Resource:  "pods",

@@ -111,7 +111,7 @@ func TestNoErrors(t *testing.T) {

 			groups: sets.NewString("three", "four"),

 		},

 		reviewRequest: &authorizationapi.LocalResourceAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "unittest",

 				Verb:      "delete",

 				Resource:  "deploymentConfig",

@@ -32,7 +32,7 @@ type testAuthorizer struct {

 	actualUserInfo   user.Info

 }

-func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {

+func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.Action) (allowed bool, reason string, err error) {

 	a.actualUserInfo, _ = kapi.UserFrom(ctx)

 	// allow the initial check for "can I run this SAR at all"

@@ -52,7 +52,7 @@ func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer

 	}

 	return a.allowed, a.reason, errors.New(a.err)

 }

-func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {

+func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.Action) (sets.String, sets.String, error) {

 	return sets.String{}, sets.String{}, nil

 }

@@ -63,7 +63,7 @@ func TestNoNamespace(t *testing.T) {

 			err:     "namespace is required on this type: ",

 		},

 		reviewRequest: &authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "",

 				Verb:      "get",

 				Resource:  "pods",

@@ -81,7 +81,7 @@ func TestConflictingNamespace(t *testing.T) {

 		allowed: false,

 	}

 	reviewRequest := &authorizationapi.LocalSubjectAccessReview{

-		Action: authorizationapi.AuthorizationAttributes{

+		Action: authorizationapi.Action{

 			Namespace: "foo",

 			Verb:      "get",

 			Resource:  "pods",

@@ -108,7 +108,7 @@ func TestEmptyReturn(t *testing.T) {

 			reason:  "because reasons",

 		},

 		reviewRequest: &authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "unittest",

 				Verb:      "get",

 				Resource:  "pods",

@@ -133,7 +133,7 @@ func TestNoErrors(t *testing.T) {

 			reason:  "because good things",

 		},

 		reviewRequest: &authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "unittest",

 				Verb:      "delete",

 				Resource:  "deploymentConfigs",

@@ -156,7 +156,7 @@ func TestErrors(t *testing.T) {

 			err: "some-random-failure",

 		},

 		reviewRequest: &authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "unittest",

 				Verb:      "get",

 				Resource:  "pods",

@@ -176,7 +176,7 @@ func TestRegularWithScopes(t *testing.T) {

 			reason:  "because good things",

 		},

 		reviewRequest: &authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "unittest",

 				Verb:      "delete",

 				Resource:  "deploymentConfigs",

@@ -205,7 +205,7 @@ func TestSelfWithDefaultScopes(t *testing.T) {

 			reason:  "because good things",

 		},

 		reviewRequest: &authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "unittest",

 				Verb:      "delete",

 				Resource:  "deploymentConfigs",

@@ -233,7 +233,7 @@ func TestSelfWithClearedScopes(t *testing.T) {

 			reason:  "because good things",

 		},

 		reviewRequest: &authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "unittest",

 				Verb:      "delete",

 				Resource:  "deploymentConfigs",

@@ -27,7 +27,7 @@ type testAuthorizer struct {

 	actualAttributes authorizer.DefaultAuthorizationAttributes

 }

-func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {

+func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Action) (allowed bool, reason string, err error) {

 	// allow the initial check for "can I run this RAR at all"

 	if attributes.GetResource() == "localresourceaccessreviews" {

 		if len(a.deniedNamespaces) != 0 && a.deniedNamespaces.Has(kapi.NamespaceValue(ctx)) {

@@ -39,7 +39,7 @@ func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Autho

 	return false, "", errors.New("unsupported")

 }

-func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {

+func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.Action) (sets.String, sets.String, error) {

 	attributes, ok := passedAttributes.(authorizer.DefaultAuthorizationAttributes)

 	if !ok {

 		return nil, nil, errors.New("unexpected type for test")

@@ -61,7 +61,7 @@ func TestDeniedNamespace(t *testing.T) {

 			deniedNamespaces: sets.NewString("foo"),

 		},

 		reviewRequest: &authorizationapi.ResourceAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "foo",

 				Verb:      "get",

 				Resource:  "pods",

@@ -79,7 +79,7 @@ func TestEmptyReturn(t *testing.T) {

 			groups: sets.String{},

 		},

 		reviewRequest: &authorizationapi.ResourceAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:     "get",

 				Resource: "pods",

 			},

@@ -96,7 +96,7 @@ func TestNoErrors(t *testing.T) {

 			groups: sets.NewString("three", "four"),

 		},

 		reviewRequest: &authorizationapi.ResourceAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:     "delete",

 				Resource: "deploymentConfig",

 			},

@@ -32,7 +32,7 @@ type testAuthorizer struct {

 	actualUserInfo   user.Info

 }

-func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {

+func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.Action) (allowed bool, reason string, err error) {

 	a.actualUserInfo, _ = kapi.UserFrom(ctx)

 	// allow the initial check for "can I run this SAR at all"

@@ -56,7 +56,7 @@ func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer

 	}

 	return a.allowed, a.reason, errors.New(a.err)

 }

-func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {

+func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.Action) (sets.String, sets.String, error) {

 	return sets.String{}, sets.String{}, nil

 }

@@ -68,7 +68,7 @@ func TestDeniedNamespace(t *testing.T) {

 			deniedNamespaces: sets.NewString("foo"),

 		},

 		reviewRequest: &authorizationapi.SubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Namespace: "foo",

 				Verb:      "get",

 				Resource:  "pods",

@@ -88,7 +88,7 @@ func TestEmptyReturn(t *testing.T) {

 			reason:  "because reasons",

 		},

 		reviewRequest: &authorizationapi.SubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:     "get",

 				Resource: "pods",

 			},

@@ -112,7 +112,7 @@ func TestNoErrors(t *testing.T) {

 			reason:  "because good things",

 		},

 		reviewRequest: &authorizationapi.SubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:     "delete",

 				Resource: "deploymentConfigs",

 			},

@@ -134,7 +134,7 @@ func TestErrors(t *testing.T) {

 			err: "some-random-failure",

 		},

 		reviewRequest: &authorizationapi.SubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:     "get",

 				Resource: "pods",

 			},

@@ -153,7 +153,7 @@ func TestRegularWithScopes(t *testing.T) {

 			reason:  "because good things",

 		},

 		reviewRequest: &authorizationapi.SubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:     "delete",

 				Resource: "deploymentConfigs",

 			},

@@ -181,7 +181,7 @@ func TestSelfWithDefaultScopes(t *testing.T) {

 			reason:  "because good things",

 		},

 		reviewRequest: &authorizationapi.SubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:     "delete",

 				Resource: "deploymentConfigs",

 			},

@@ -208,7 +208,7 @@ func TestSelfWithClearedScopes(t *testing.T) {

 			reason:  "because good things",

 		},

 		reviewRequest: &authorizationapi.SubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:     "delete",

 				Resource: "deploymentConfigs",

 			},

@@ -104,7 +104,7 @@ func (a *buildByStrategy) checkBuildAuthorization(build *buildapi.Build, attr ad

 	}

 	subjectAccessReview := authorizationapi.AddUserToLSAR(attr.GetUserInfo(),

 		&authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:         "create",

 				Group:        resource.Group,

 				Resource:     resource.Resource,

@@ -123,7 +123,7 @@ func (a *buildByStrategy) checkBuildConfigAuthorization(buildConfig *buildapi.Bu

 	}

 	subjectAccessReview := authorizationapi.AddUserToLSAR(attr.GetUserInfo(),

 		&authorizationapi.LocalSubjectAccessReview{

-			Action: authorizationapi.AuthorizationAttributes{

+			Action: authorizationapi.Action{

 				Verb:         "create",

 				Group:        resource.Group,

 				Resource:     resource.Resource,

@@ -117,7 +117,7 @@ func (o DiagnosticsOptions) makeClusterClients(rawConfig *clientcmdapi.Config, c

 		o.Logger.Debug("CED1006", fmt.Sprintf("Error creating client for context '%s':\n%v", contextName, err))

 		return nil, nil, false, "", nil

 	} else {

-		subjectAccessReview := authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{

+		subjectAccessReview := authorizationapi.SubjectAccessReview{Action: authorizationapi.Action{

 			// if you can do everything, you're the cluster admin.

 			Verb:     "*",

 			Group:    "*",

@@ -139,7 +139,7 @@ func (o *canIOptions) Run() (bool, error) {

 	}