fix loopback authorizer

pkg/auth/authorizer/union/union.go

@@ -37,17 +37,17 @@ func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (bool,
 		errlist    []error
 		reasonlist []string
 	)
+
 	for _, currAuthzHandler := range authzHandler {
 		authorized, reason, err := currAuthzHandler.Authorize(a)
 
 		if err != nil {
 			errlist = append(errlist, err)
-			continue
 		}
-		if !authorized {
+		if len(reason) != 0 {
-			if reason != "" {
 			reasonlist = append(reasonlist, reason)
 		}
+		if !authorized {
 			continue
 		}
 		return true, reason, nil

pkg/genericapiserver/authorizer/authz.go

@@ -77,8 +77,11 @@ type privilegedGroupAuthorizer struct {
 }
 
 func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool, string, error) {
-	for attr_group := range attr.GetUser().GetGroups() {
+	if attr.GetUser() == nil {
-		for priv_group := range r.groups {
+		return false, "Error", errors.New("no user on request.")
+	}
+	for _, attr_group := range attr.GetUser().GetGroups() {
+		for _, priv_group := range r.groups {
 			if priv_group == attr_group {
 				return true, "", nil
 			}

pkg/genericapiserver/authorizer/authz_test.go

@@ -20,6 +20,9 @@ import (
 	"testing"
 
 	"k8s.io/kubernetes/pkg/genericapiserver/options"
+
+	"k8s.io/kubernetes/pkg/auth/authorizer"
+	"k8s.io/kubernetes/pkg/auth/user"
 )
 
 // NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer
@@ -115,3 +118,17 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
 		}
 	}
 }
+
+func TestPrivilegedGroupAuthorizer(t *testing.T) {
+	auth := NewPrivilegedGroups("allow-01", "allow-01")
+
+	yes := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "allow-01"}}}
+	no := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "deny-01"}}}
+
+	if authorized, _, _ := auth.Authorize(yes); !authorized {
+		t.Errorf("failed")
+	}
+	if authorized, _, _ := auth.Authorize(no); authorized {
+		t.Errorf("failed")
+	}
+}