diff --git a/pkg/auth/authorizer/union/union.go b/pkg/auth/authorizer/union/union.go
index 880d8c79eb3..29a098ab28f 100644
--- a/pkg/auth/authorizer/union/union.go
+++ b/pkg/auth/authorizer/union/union.go
@@ -37,17 +37,17 @@ func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (bool,
  errlist []error
  reasonlist []string
  )
+
  for _, currAuthzHandler := range authzHandler {
  authorized, reason, err := currAuthzHandler.Authorize(a)
  if err != nil {
  errlist = append(errlist, err)
- continue
+ }
+ if len(reason) != 0 {
+ reasonlist = append(reasonlist, reason)
  }
  if !authorized {
- if reason != "" {
- reasonlist = append(reasonlist, reason)
- }
  continue
  }
  return true, reason, nil
diff --git a/pkg/genericapiserver/authorizer/authz.go b/pkg/genericapiserver/authorizer/authz.go
index cb22451c7e0..eb76f20fbe6 100644
--- a/pkg/genericapiserver/authorizer/authz.go
+++ b/pkg/genericapiserver/authorizer/authz.go
@@ -77,8 +77,11 @@ type privilegedGroupAuthorizer struct {
  }
  func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool, string, error) {
- for attr_group := range attr.GetUser().GetGroups() {
- for priv_group := range r.groups {
+ if attr.GetUser() == nil {
+ return false, "Error", errors.New("no user on request.")
+ }
+ for _, attr_group := range attr.GetUser().GetGroups() {
+ for _, priv_group := range r.groups {
  if priv_group == attr_group {
  return true, "", nil
  }
diff --git a/pkg/genericapiserver/authorizer/authz_test.go b/pkg/genericapiserver/authorizer/authz_test.go
index 50d4b7bacdb..48b6f19ba9a 100644
--- a/pkg/genericapiserver/authorizer/authz_test.go
+++ b/pkg/genericapiserver/authorizer/authz_test.go
@@ -20,6 +20,9 @@ import (
  "testing"
  "k8s.io/kubernetes/pkg/genericapiserver/options"
+
+ "k8s.io/kubernetes/pkg/auth/authorizer"
+ "k8s.io/kubernetes/pkg/auth/user"
  )
  // NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer
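Review bot: Dropping the `continue` from the `if err != nil` branch lets a delegate that returns `authorized == true` together with a non-nil error fall through to `return true, reason, nil`, so the union now grants the request and silently discards that delegate's error, where before the erroring delegate was skipped. By Go convention the bool result is meaningless when err != nil, and an authorizer chain should fail closed on a delegate error rather than read it as a grant. Keeping the new reason collection as written but changing the guard before `continue` to `if err != nil || !authorized {` restores the old skip while still recording the reason. The enclosing Authorize continues past the end of the hunk; the final aggregated-deny return is not visible here.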
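Review bot: The new nil-user guard returns the placeholder reason `"Error"` and an error string ending in a period, `errors.New("no user on request.")`; because the union authorizer in this same diff now collects every non-empty reason, that text will surface verbatim in denial output, and Go error strings conventionally carry no trailing punctuation. Suggest `return false, "no user on request", errors.New("no user on request")`. The hunk also keeps the underscored names `attr_group`/`priv_group` on the new side and calls `attr.GetUser()` twice; binding `u := attr.GetUser()` once and ranging with `group`/`privGroup` would read cleaner. No import change for authz.go appears in this diff, so presumably `errors` is already imported there. The remainder of Authorize, the fall-through deny after the loops, lies outside the hunk.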
@@ -115,3 +118,17 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
  }
  }
  }
+
+func TestPrivilegedGroupAuthorizer(t *testing.T) {
+ auth := NewPrivilegedGroups("allow-01", "allow-01")
+
+ yes := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "allow-01"}}}
+ no := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "deny-01"}}}
+
+ if authorized, _, _ := auth.Authorize(yes); !authorized {
+ t.Errorf("failed")
+ }
+ if authorized, _, _ := auth.Authorize(no); authorized {
+ t.Errorf("failed")
+ }
+}
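Review bot: TestPrivilegedGroupAuthorizer does not exercise the nil-user branch that this same commit adds to privilegedGroupAuthorizer.Authorize, so the deny path for a request carrying no user stays untested. Assuming a zero-value `authorizer.AttributesRecord{}` reports a nil user, a third case `if authorized, _, err := auth.Authorize(authorizer.AttributesRecord{}); authorized || err == nil { t.Errorf("nil user: authorized=%v err=%v", authorized, err) }` would pin it. Both existing failure messages are the bare `"failed"`, which does not say which case broke; naming the case in each `t.Errorf` would help. `NewPrivilegedGroups("allow-01", "allow-01")` passes the same group twice, which looks unintentional; a single `"allow-01"` covers what the test checks.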