Authorization based on namespace, kind, readonly.

Also, pass Authorizer into master.Config.

pkg/auth/authorizer/interfaces.go

@@ -23,7 +23,20 @@ import (
 // Attributes is an interface used by an Authorizer to get information about a request
 // that is used to make an authorization decision.
 type Attributes interface {
+	// The user string which the request was authenticated as, or empty if
+	// no authentication occured and the request was allowed to proceed.
 	GetUserName() string
+	// TODO: add groups, e.g. GetGroups() []string
+
+	// When IsReadOnly() == true, the request has no side effects, other than
+	// caching, logging, and other incidentals.
+	IsReadOnly() bool
+
+	// The namespace of the object, if a request is for a REST object.
+	GetNamespace() string
+
+	// The kind of object, if a request is for a REST object.
+	GetKind() string
 }
 
 // Authorizer makes an authorization decision based on information gained by making
@@ -35,9 +48,24 @@ type Authorizer interface {
 
 // AttributesRecord implements Attributes interface.
 type AttributesRecord struct {
-	User user.Info
+	User      user.Info
+	ReadOnly  bool
+	Namespace string
+	Kind      string
 }
 
 func (a *AttributesRecord) GetUserName() string {
 	return a.User.GetName()
 }
+
+func (a *AttributesRecord) IsReadOnly() bool {
+	return a.ReadOnly
+}
+
+func (a *AttributesRecord) GetNamespace() string {
+	return a.Namespace
+}
+
+func (a *AttributesRecord) GetKind() string {
+	return a.Kind
+}