diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index ea982428e8d..ac38728ef5a 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -279,15 +279,15 @@ func Run(s *options.APIServer) error {
 var uid = uuid.NewRandom().String()
 tokens := make(map[string]*user.DefaultInfo)
 tokens[privilegedLoopbackToken] = &user.DefaultInfo{
- Name: "system:apiserver",
+ Name: user.APIServerUser,
 UID: uid,
- Groups: []string{"system:masters"},
+ Groups: []string{user.SystemPrivilegedGroup},
 }
 tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
 apiAuthenticator = authenticatorunion.New(tokenAuthenticator, apiAuthenticator)
- tokenAuthorizer := authorizer.NewPrivilegedGroups("system:masters")
+ tokenAuthorizer := authorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
 apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
 }
diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go
index 3b01269bd46..b7e99fe0eca 100644
--- a/federation/cmd/federation-apiserver/app/server.go
+++ b/federation/cmd/federation-apiserver/app/server.go
@@ -187,15 +187,15 @@ func Run(s *options.ServerRunOptions) error {
 var uid = uuid.NewRandom().String()
 tokens := make(map[string]*user.DefaultInfo)
 tokens[privilegedLoopbackToken] = &user.DefaultInfo{
- Name: "system:apiserver",
+ Name: user.APIServerUser,
 UID: uid,
- Groups: []string{"system:masters"},
+ Groups: []string{user.SystemPrivilegedGroup},
 }
 tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
 apiAuthenticator = authenticatorunion.New(tokenAuthenticator, apiAuthenticator)
- tokenAuthorizer := authorizer.NewPrivilegedGroups("system:masters")
+ tokenAuthorizer := authorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
 apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
 }
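Review bot: The privileged loopback wiring — a `system:apiserver` identity in `system:masters` plus `authorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)` unioned ahead of the configured authorizer — is now copied verbatim in three places: this hunk, the federation-apiserver `Run` hunk that follows it, and `startMasterOrDie` in test/integration/framework/master_utils.go. Because the block grants unconditional authorization, it should be defined once (a small helper in a package both servers and the test framework already share) so the privileged identity cannot drift between the binaries and the harness. The ordering also deserves a comment, since the union puts the privileged-group authorizer first: `// Members of system:masters are authorized here before apiAuthorizer is consulted, whichever authenticator produced the group.` That the union consults its arguments in order is inferred from the call shape rather than visible in this diff; confirm it before wording the comment that strongly. `Run` starts and ends outside this hunk.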
diff --git a/pkg/apiserver/authenticator/authn.go b/pkg/apiserver/authenticator/authn.go
index e415be65aaa..2f306dc02c8 100644
--- a/pkg/apiserver/authenticator/authn.go
+++ b/pkg/apiserver/authenticator/authn.go
@@ -141,7 +141,7 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) {
 authenticator := union.New(authenticators...)
- authenticator = group.NewGroupAdder(authenticator, []string{"system:authenticated"})
+ authenticator = group.NewGroupAdder(authenticator, []string{user.AllAuthenticated})
 if config.Anonymous {
 // If the authenticator chain returns an error, return an error (don't consider a bad bearer token anonymous).
diff --git a/pkg/auth/user/user.go b/pkg/auth/user/user.go
index 7e7cc16f68b..c48695b6d54 100644
--- a/pkg/auth/user/user.go
+++ b/pkg/auth/user/user.go
@@ -65,3 +65,13 @@ func (i *DefaultInfo) GetGroups() []string {
 func (i *DefaultInfo) GetExtra() map[string][]string {
 return i.Extra
 }
+
+// well-known user and group names
+const (
+ SystemPrivilegedGroup = "system:masters"
+ AllUnauthenticated = "system:unauthenticated"
+ AllAuthenticated = "system:authenticated"
+
+ Anonymous = "system:anonymous"
+ APIServerUser = "system:apiserver"
+)
diff --git a/pkg/registry/rbac/clusterrole/policybased/storage.go b/pkg/registry/rbac/clusterrole/policybased/storage.go
index 403b7a5e260..a605ce74517 100644
--- a/pkg/registry/rbac/clusterrole/policybased/storage.go
+++ b/pkg/registry/rbac/clusterrole/policybased/storage.go
@@ -23,6 +23,7 @@ import (
 "k8s.io/kubernetes/pkg/api/rest"
 "k8s.io/kubernetes/pkg/apis/rbac"
 "k8s.io/kubernetes/pkg/apis/rbac/validation"
+ "k8s.io/kubernetes/pkg/auth/user"
 "k8s.io/kubernetes/pkg/runtime"
 )
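Review bot: The `NewGroupAdder` line is doing security-relevant work without a comment: every identity the chain accepts is tagged `system:authenticated`, and its placement before the `if config.Anonymous` block that follows is what keeps anonymous requests from carrying that group. Suggested: `// Tag every identity the chain accepts with system:authenticated; this must wrap the chain before the anonymous authenticator is layered on below, so anonymous requests never get the group.` That the anonymous authenticator is added inside the following branch is inferred from the visible ordering rather than shown in full here; confirm it. `New` begins and ends outside this hunk.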
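Review bot: The new exported constants carry no per-name doc comments, and `// well-known user and group names` does not say what makes them special: the RBAC storage hunks in this commit let any member of `SystemPrivilegedGroup` bypass their checks and `NewPrivilegedGroups` is built from it, so a reader editing one needs to know it is an authorization contract. Suggested, one per name: `// SystemPrivilegedGroup is the group the API server gives its loopback identity; RBAC storage lets its members bypass escalation checks, so it must never be granted to ordinary principals.`, `// AllAuthenticated is added to every identity the authenticator chain accepts.`, `// AllUnauthenticated and Anonymous are the group and user assigned to requests no authenticator recognizes.` A sentence on the block stating that the values are externally visible and must not be renamed would also help; that they appear in persisted RBAC bindings is inferred rather than visible in this diff. Go's convention is that an exported name's comment starts with the name, so the single block comment will not satisfy `golint` either.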
@@ -42,15 +43,15 @@ func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRul
 }
 func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
- if user, ok := api.UserFrom(ctx); ok {
- if s.superUser != "" && user.GetName() == s.superUser {
+ if u, ok := api.UserFrom(ctx); ok {
+ if s.superUser != "" && u.GetName() == s.superUser {
 return s.StandardStorage.Create(ctx, obj)
 }
 // system:masters is special because the API server uses it for privileged loopback connections
 // therefore we know that a member of system:masters can always do anything
- for _, group := range user.GetGroups() {
- if group == "system:masters" {
+ for _, group := range u.GetGroups() {
+ if group == user.SystemPrivilegedGroup {
 return s.StandardStorage.Create(ctx, obj)
 }
 }
diff --git a/pkg/registry/rbac/clusterrolebinding/policybased/storage.go b/pkg/registry/rbac/clusterrolebinding/policybased/storage.go
index 06e326374b2..539e97d1250 100644
--- a/pkg/registry/rbac/clusterrolebinding/policybased/storage.go
+++ b/pkg/registry/rbac/clusterrolebinding/policybased/storage.go
@@ -23,6 +23,7 @@ import (
 "k8s.io/kubernetes/pkg/api/rest"
 "k8s.io/kubernetes/pkg/apis/rbac"
 "k8s.io/kubernetes/pkg/apis/rbac/validation"
+ "k8s.io/kubernetes/pkg/auth/user"
 "k8s.io/kubernetes/pkg/runtime"
 )
@@ -42,15 +43,15 @@ func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRul
 }
 func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
- if user, ok := api.UserFrom(ctx); ok {
- if s.superUser != "" && user.GetName() == s.superUser {
+ if u, ok := api.UserFrom(ctx); ok {
+ if s.superUser != "" && u.GetName() == s.superUser {
 return s.StandardStorage.Create(ctx, obj)
 }
 // system:masters is special because the API server uses it for privileged loopback connections
 // therefore we know that a member of system:masters can always do anything
- for _, group := range user.GetGroups() {
- if group == "system:masters" {
+ for _, group := range u.GetGroups() {
+ if group == user.SystemPrivilegedGroup {
 return s.StandardStorage.Create(ctx, obj)
 }
 }
diff --git a/pkg/registry/rbac/role/policybased/storage.go b/pkg/registry/rbac/role/policybased/storage.go
index 97833ad436a..38ad81decfd 100644
--- a/pkg/registry/rbac/role/policybased/storage.go
+++ b/pkg/registry/rbac/role/policybased/storage.go
@@ -23,6 +23,7 @@ import (
 "k8s.io/kubernetes/pkg/api/rest"
 "k8s.io/kubernetes/pkg/apis/rbac"
 "k8s.io/kubernetes/pkg/apis/rbac/validation"
+ "k8s.io/kubernetes/pkg/auth/user"
 "k8s.io/kubernetes/pkg/runtime"
 )
@@ -42,15 +43,15 @@ func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRul
 }
 func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
- if user, ok := api.UserFrom(ctx); ok {
- if s.superUser != "" && user.GetName() == s.superUser {
+ if u, ok := api.UserFrom(ctx); ok {
+ if s.superUser != "" && u.GetName() == s.superUser {
 return s.StandardStorage.Create(ctx, obj)
 }
 // system:masters is special because the API server uses it for privileged loopback connections
 // therefore we know that a member of system:masters can always do anything
- for _, group := range user.GetGroups() {
- if group == "system:masters" {
+ for _, group := range u.GetGroups() {
+ if group == user.SystemPrivilegedGroup {
 return s.StandardStorage.Create(ctx, obj)
 }
 }
diff --git a/pkg/registry/rbac/rolebinding/policybased/storage.go b/pkg/registry/rbac/rolebinding/policybased/storage.go
index ae48020e4d2..49750d457dc 100644
--- a/pkg/registry/rbac/rolebinding/policybased/storage.go
+++ b/pkg/registry/rbac/rolebinding/policybased/storage.go
@@ -23,6 +23,7 @@ import (
 "k8s.io/kubernetes/pkg/api/rest"
 "k8s.io/kubernetes/pkg/apis/rbac"
 "k8s.io/kubernetes/pkg/apis/rbac/validation"
+ "k8s.io/kubernetes/pkg/auth/user"
 "k8s.io/kubernetes/pkg/runtime"
 )
@@ -42,15 +43,15 @@ func NewStorage(s rest.StandardStorage, ruleResolver validation.AuthorizationRul
 }
 func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, error) {
- if user, ok := api.UserFrom(ctx); ok {
- if s.superUser != "" && user.GetName() == s.superUser {
+ if u, ok := api.UserFrom(ctx); ok {
+ if s.superUser != "" && u.GetName() == s.superUser {
 return s.StandardStorage.Create(ctx, obj)
 }
 // system:masters is special because the API server uses it for privileged loopback connections
 // therefore we know that a member of system:masters can always do anything
- for _, group := range user.GetGroups() {
- if group == "system:masters" {
+ for _, group := range u.GetGroups() {
+ if group == user.SystemPrivilegedGroup {
 return s.StandardStorage.Create(ctx, obj)
 }
 }
diff --git a/plugin/pkg/auth/authenticator/request/anonymous/anonymous.go b/plugin/pkg/auth/authenticator/request/anonymous/anonymous.go
index 9864722ec7c..4a7a7a0a845 100644
--- a/plugin/pkg/auth/authenticator/request/anonymous/anonymous.go
+++ b/plugin/pkg/auth/authenticator/request/anonymous/anonymous.go
@@ -24,9 +24,9 @@ import (
 )
 const (
- anonymousUser = "system:anonymous"
+ anonymousUser = user.Anonymous
- unauthenticatedGroup = "system:unauthenticated"
+ unauthenticatedGroup = user.AllUnauthenticated
 )
 func NewAuthenticator() authenticator.Request {
diff --git a/plugin/pkg/auth/authenticator/request/anonymous/anonymous_test.go b/plugin/pkg/auth/authenticator/request/anonymous/anonymous_test.go
index ca22fb7bfc0..0d095cfc4aa 100644
--- a/plugin/pkg/auth/authenticator/request/anonymous/anonymous_test.go
+++ b/plugin/pkg/auth/authenticator/request/anonymous/anonymous_test.go
@@ -20,6 +20,7 @@ import (
 "testing"
 "k8s.io/kubernetes/pkg/auth/authenticator"
+ "k8s.io/kubernetes/pkg/auth/user"
 "k8s.io/kubernetes/pkg/util/sets"
 )
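Review bot: `anonymousUser` and `unauthenticatedGroup` are now just private aliases for `user.Anonymous` and `user.AllUnauthenticated`, which leaves two names for each security-relevant value, and the test in this commit already refers to the `user` constants directly. Dropping the local `const` block and using `user.Anonymous` / `user.AllUnauthenticated` in `NewAuthenticator` would keep a single source of truth for the identity handed to unauthenticated requests. If the aliases are kept for readability, a one-line comment such as `// aliases of the well-known names in pkg/auth/user; keep them in sync` would at least say why they exist. `NewAuthenticator` begins on the last line of the hunk and continues outside it.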
@@ -32,10 +33,10 @@ func TestAnonymous(t *testing.T) {
 if !ok {
 t.Fatalf("Unexpectedly unauthenticated")
 }
- if u.GetName() != "system:anonymous" {
- t.Fatalf("Expected username %s, got %s", "system:anonymous", u.GetName())
+ if u.GetName() != user.Anonymous {
+ t.Fatalf("Expected username %s, got %s", user.Anonymous, u.GetName())
 }
- if !sets.NewString(u.GetGroups()...).Equal(sets.NewString("system:unauthenticated")) {
- t.Fatalf("Expected group %s, got %v", "system:unauthenticated", u.GetGroups())
+ if !sets.NewString(u.GetGroups()...).Equal(sets.NewString(user.AllUnauthenticated)) {
+ t.Fatalf("Expected group %s, got %v", user.AllUnauthenticated, u.GetGroups())
 }
 }
diff --git a/test/integration/framework/master_utils.go b/test/integration/framework/master_utils.go
index fd14523e004..a037c7339b9 100644
--- a/test/integration/framework/master_utils.go
+++ b/test/integration/framework/master_utils.go
@@ -165,15 +165,15 @@ func startMasterOrDie(masterConfig *master.Config) (*master.Master, *httptest.Se
 if masterConfig.GenericConfig.Authenticator != nil {
 tokens := make(map[string]*user.DefaultInfo)
 tokens[privilegedLoopbackToken] = &user.DefaultInfo{
- Name: "system:apiserver",
+ Name: user.APIServerUser,
 UID: uuid.NewRandom().String(),
- Groups: []string{"system:masters"},
+ Groups: []string{user.SystemPrivilegedGroup},
 }
 tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
 masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, masterConfig.GenericConfig.Authenticator)
- tokenAuthorizer := authorizer.NewPrivilegedGroups("system:masters")
+ tokenAuthorizer := authorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
 masterConfig.GenericConfig.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorizer)
 masterConfig.GenericConfig.LoopbackClientConfig.BearerToken = privilegedLoopbackToken
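Review bot: After this hunk the test compares `u.GetName()` against `user.Anonymous` and the groups against `user.AllUnauthenticated`, the very constants the implementation now uses, so it no longer pins the wire-visible strings: a typo in `pkg/auth/user` would change the identity assigned to unauthenticated requests and this test would still pass. Since these names are presumably an external contract (authorization rules refer to them by literal value), keep one literal assertion here, e.g. `if u.GetName() != "system:anonymous" {`, or add a small test in pkg/auth/user that asserts each constant's literal value. `TestAnonymous` begins before this hunk.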