weekface
diff --git a/‎api/openapi-spec/swagger.json
Lines changed: 10 additions & 2 deletions b/‎api/openapi-spec/swagger.json
Lines changed: 10 additions & 2 deletions
diff --git a/‎api/swagger-spec/authorization.k8s.io_v1.json
Lines changed: 5 additions & 1 deletion b/‎api/swagger-spec/authorization.k8s.io_v1.json
Lines changed: 5 additions & 1 deletion
diff --git a/‎api/swagger-spec/authorization.k8s.io_v1beta1.json
Lines changed: 5 additions & 1 deletion b/‎api/swagger-spec/authorization.k8s.io_v1beta1.json
Lines changed: 5 additions & 1 deletion
diff --git a/‎docs/api-reference/authorization.k8s.io/v1/definitions.html
Lines changed: 8 additions & 1 deletion b/‎docs/api-reference/authorization.k8s.io/v1/definitions.html
Lines changed: 8 additions & 1 deletion
diff --git a/‎docs/api-reference/authorization.k8s.io/v1beta1/definitions.html
Lines changed: 8 additions & 1 deletion b/‎docs/api-reference/authorization.k8s.io/v1beta1/definitions.html
Lines changed: 8 additions & 1 deletion
diff --git a/‎pkg/apis/authorization/types.go
Lines changed: 6 additions & 1 deletion b/‎pkg/apis/authorization/types.go
Lines changed: 6 additions & 1 deletion
diff --git a/‎pkg/apis/authorization/v1/zz_generated.conversion.go
Lines changed: 2 additions & 0 deletions b/‎pkg/apis/authorization/v1/zz_generated.conversion.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/apis/authorization/v1beta1/zz_generated.conversion.go
Lines changed: 2 additions & 0 deletions b/‎pkg/apis/authorization/v1beta1/zz_generated.conversion.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/auth/authorizer/abac/abac.go
Lines changed: 3 additions & 3 deletions b/‎pkg/auth/authorizer/abac/abac.go
Lines changed: 3 additions & 3 deletions
@@ -140,8 +140,13 @@ type SelfSubjectAccessReviewSpec struct {
 
 // SubjectAccessReviewStatus
 type SubjectAccessReviewStatus struct {
-	// Allowed is required.  True if the action would be allowed, false otherwise.
+	// Allowed is required. True if the action would be allowed, false otherwise.
 	Allowed bool
+	// Denied is optional. True if the action would be denied, otherwise
+	// false. If both allowed is false and denied is false, then the
+	// authorizer has no opinion on whether to authorize the action. Denied
+	// may not be true if Allowed is true.
+	Denied bool
 	// Reason is optional.  It indicates why a request was allowed or denied.
 	Reason string
 	// EvaluationError is an indication that some error occurred during the authorization check.
 
@@ -221,13 +221,13 @@ func resourceMatches(p abac.Policy, a authorizer.Attributes) bool {
 }
 
 // Authorizer implements authorizer.Authorize
-func (pl policyList) Authorize(a authorizer.Attributes) (bool, string, error) {
+func (pl policyList) Authorize(a authorizer.Attributes) (authorizer.Decision, string, error) {
 	for _, p := range pl {
 		if matches(*p, a) {
-			return true, "", nil
+			return authorizer.DecisionAllow, "", nil
 		}
 	}
-	return false, "No policy matched.", nil
+	return authorizer.DecisionNoOpinion, "No policy matched.", nil
 	// TODO: Benchmark how much time policy matching takes with a medium size
 	// policy file, compared to other steps such as encoding/decoding.
 	// Then, add Caching only if needed.
Original file line number	Diff line number	Diff line change
`@@ -221,13 +221,13 @@ func resourceMatches(p abac.Policy, a authorizer.Attributes) bool {`
`221`	`221`	`}`
`222`	`222`
`223`	`223`	`// Authorizer implements authorizer.Authorize`
`224`		`-func (pl policyList) Authorize(a authorizer.Attributes) (bool, string, error) {`
	`224`	`+func (pl policyList) Authorize(a authorizer.Attributes) (authorizer.Decision, string, error) {`
`225`	`225`	`for _, p := range pl {`
`226`	`226`	`if matches(*p, a) {`
`227`		`- return true, "", nil`
	`227`	`+ return authorizer.DecisionAllow, "", nil`
`228`	`228`	`}`
`229`	`229`	`}`
`230`		`- return false, "No policy matched.", nil`
	`230`	`+ return authorizer.DecisionNoOpinion, "No policy matched.", nil`
`231`	`231`	`// TODO: Benchmark how much time policy matching takes with a medium size`
`232`	`232`	`// policy file, compared to other steps such as encoding/decoding.`
`233`	`233`	`// Then, add Caching only if needed.`