Merge pull request #17288 from deads2k/admission-01-external-easy

openshift-merge-robot · web-flow · commit c3484c26b3d8 · 2017-11-21T09:04:08.000-08:00
Automatic merge from submit-queue.

switch the easy admission plugins to external types

I also picked up the user change before I realized how far it rippled.
diff --git a/pkg/auth/userregistry/identitymapper/interfaces.go b/pkg/auth/userregistry/identitymapper/interfaces.go
@@ -1,7 +1,7 @@
 package identitymapper
 
 import (
-	userapi "github.com/openshift/origin/pkg/user/apis/user"
+	userapi "github.com/openshift/origin/pkg/user/apis/user/v1"
 )
 
 type UserToGroupMapper interface {
diff --git a/pkg/authorization/admission/restrictusers/groupcache_test.go b/pkg/authorization/admission/restrictusers/groupcache_test.go
@@ -1,7 +1,7 @@
 package restrictusers
 
 import (
-	userapi "github.com/openshift/origin/pkg/user/apis/user"
+	userapi "github.com/openshift/origin/pkg/user/apis/user/v1"
 )
 
 type fakeGroupCache struct {
diff --git a/pkg/authorization/admission/restrictusers/restrictusers.go b/pkg/authorization/admission/restrictusers/restrictusers.go
@@ -14,13 +14,13 @@ import (
 	"k8s.io/kubernetes/pkg/apis/rbac"
 	kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 
-	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset"
-	authorizationtypedclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset/typed/authorization/internalversion"
+	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/clientset"
+	authorizationtypedclient "github.com/openshift/origin/pkg/authorization/generated/clientset/typed/authorization/v1"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
-	userapi "github.com/openshift/origin/pkg/user/apis/user"
+	userapi "github.com/openshift/origin/pkg/user/apis/user/v1"
 	usercache "github.com/openshift/origin/pkg/user/cache"
-	userinformer "github.com/openshift/origin/pkg/user/generated/informers/internalversion"
-	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset"
+	userclient "github.com/openshift/origin/pkg/user/generated/clientset"
+	userinformer "github.com/openshift/origin/pkg/user/generated/informers/externalversions"
 )
 
 func Register(plugins *admission.Plugins) {
@@ -72,7 +72,7 @@ func (q *restrictUsersAdmission) SetOpenshiftInternalUserClient(userClient userc
 }
 
 func (q *restrictUsersAdmission) SetUserInformer(userInformers userinformer.SharedInformerFactory) {
-	q.groupCache = usercache.NewGroupCache(userInformers.User().InternalVersion().Groups())
+	q.groupCache = usercache.NewGroupCache(userInformers.User().V1().Groups())
 }
 
 // subjectsDelta returns the relative complement of elementsToIgnore in
diff --git a/pkg/authorization/admission/restrictusers/restrictusers_test.go b/pkg/authorization/admission/restrictusers/restrictusers_test.go
@@ -15,11 +15,11 @@ import (
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 	kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	fakeauthorizationclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset/fake"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization/v1"
+	fakeauthorizationclient "github.com/openshift/origin/pkg/authorization/generated/clientset/fake"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
-	userapi "github.com/openshift/origin/pkg/user/apis/user"
-	fakeuserclient "github.com/openshift/origin/pkg/user/generated/internalclientset/fake"
+	userapi "github.com/openshift/origin/pkg/user/apis/user/v1"
+	fakeuserclient "github.com/openshift/origin/pkg/user/generated/clientset/fake"
 )
 
 func TestAdmission(t *testing.T) {
diff --git a/pkg/authorization/admission/restrictusers/subjectchecker.go b/pkg/authorization/admission/restrictusers/subjectchecker.go
@@ -9,9 +9,9 @@ import (
 	"k8s.io/kubernetes/pkg/apis/rbac"
 	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	userapi "github.com/openshift/origin/pkg/user/apis/user"
-	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization/v1"
+	userapi "github.com/openshift/origin/pkg/user/apis/user/v1"
+	userclient "github.com/openshift/origin/pkg/user/generated/clientset/typed/user/v1"
 )
 
 // SubjectChecker determines whether rolebindings on a subject (user, group, or
@@ -47,7 +47,7 @@ func (checkers UnionSubjectChecker) Allowed(subject rbac.Subject, ctx *RoleBindi
 // RoleBindingRestrictionContext holds context that is used when determining
 // whether a RoleBindingRestriction allows rolebindings on a particular subject.
 type RoleBindingRestrictionContext struct {
-	userClient userclient.UserInterface
+	userClient userclient.UserV1Interface
 	kclient    kclientset.Interface
 
 	// groupCache maps user name to groups.
@@ -66,7 +66,7 @@ type RoleBindingRestrictionContext struct {
 
 // NewRoleBindingRestrictionContext returns a new RoleBindingRestrictionContext
 // object.
-func NewRoleBindingRestrictionContext(ns string, kc kclientset.Interface, userClient userclient.UserInterface, groupCache GroupCache) (*RoleBindingRestrictionContext, error) {
+func NewRoleBindingRestrictionContext(ns string, kc kclientset.Interface, userClient userclient.UserV1Interface, groupCache GroupCache) (*RoleBindingRestrictionContext, error) {
 	return &RoleBindingRestrictionContext{
 		namespace:       ns,
 		kclient:         kc,
diff --git a/pkg/authorization/admission/restrictusers/subjectchecker_test.go b/pkg/authorization/admission/restrictusers/subjectchecker_test.go
@@ -10,9 +10,9 @@ import (
 	"k8s.io/kubernetes/pkg/apis/rbac"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 
-	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
-	userapi "github.com/openshift/origin/pkg/user/apis/user"
-	fakeuserclient "github.com/openshift/origin/pkg/user/generated/internalclientset/fake"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization/v1"
+	userapi "github.com/openshift/origin/pkg/user/apis/user/v1"
+	fakeuserclient "github.com/openshift/origin/pkg/user/generated/clientset/fake"
 )
 
 func mustNewSubjectChecker(t *testing.T, spec *authorizationapi.RoleBindingRestrictionSpec) SubjectChecker {
diff --git a/pkg/build/admission/strategyrestrictions/admission.go b/pkg/build/admission/strategyrestrictions/admission.go
@@ -8,6 +8,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
+	kapi "k8s.io/kubernetes/pkg/api"
 	kapihelper "k8s.io/kubernetes/pkg/api/helper"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
@@ -17,7 +18,7 @@ import (
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 	"github.com/openshift/origin/pkg/authorization/util"
 	buildapi "github.com/openshift/origin/pkg/build/apis/build"
-	buildclient "github.com/openshift/origin/pkg/build/generated/internalclientset"
+	buildclient "github.com/openshift/origin/pkg/build/generated/clientset"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	"k8s.io/kubernetes/pkg/apis/authorization"
 )
@@ -182,13 +183,21 @@ func (a *buildByStrategy) checkBuildRequestAuthorization(req *buildapi.BuildRequ
 		if err != nil {
 			return admission.NewForbidden(attr, err)
 		}
-		return a.checkBuildAuthorization(build, attr)
+		internalBuild := &buildapi.Build{}
+		if err := kapi.Scheme.Convert(build, internalBuild, nil); err != nil {
+			return admission.NewForbidden(attr, err)
+		}
+		return a.checkBuildAuthorization(internalBuild, attr)
 	case buildapi.IsResourceOrLegacy("buildconfigs", gr):
-		build, err := a.buildClient.Build().BuildConfigs(attr.GetNamespace()).Get(req.Name, metav1.GetOptions{})
+		buildConfig, err := a.buildClient.Build().BuildConfigs(attr.GetNamespace()).Get(req.Name, metav1.GetOptions{})
 		if err != nil {
 			return admission.NewForbidden(attr, err)
 		}
-		return a.checkBuildConfigAuthorization(build, attr)
+		internalBuildConfig := &buildapi.BuildConfig{}
+		if err := kapi.Scheme.Convert(buildConfig, internalBuildConfig, nil); err != nil {
+			return admission.NewForbidden(attr, err)
+		}
+		return a.checkBuildConfigAuthorization(internalBuildConfig, attr)
 	default:
 		return admission.NewForbidden(attr, fmt.Errorf("Unknown resource type %s for BuildRequest", attr.GetResource()))
 	}
@@ -206,5 +215,19 @@ func (a *buildByStrategy) checkAccess(strategy buildapi.BuildStrategy, subjectAc
 }
 
 func notAllowed(strategy buildapi.BuildStrategy, attr admission.Attributes) error {
-	return admission.NewForbidden(attr, fmt.Errorf("build strategy %s is not allowed", buildapi.StrategyType(strategy)))
+	return admission.NewForbidden(attr, fmt.Errorf("build strategy %s is not allowed", strategyTypeString(strategy)))
+}
+
+func strategyTypeString(strategy buildapi.BuildStrategy) string {
+	switch {
+	case strategy.DockerStrategy != nil:
+		return "Docker"
+	case strategy.CustomStrategy != nil:
+		return "Custom"
+	case strategy.SourceStrategy != nil:
+		return "Source"
+	case strategy.JenkinsPipelineStrategy != nil:
+		return "JenkinsPipeline"
+	}
+	return ""
 }
diff --git a/pkg/build/admission/strategyrestrictions/admission_test.go b/pkg/build/admission/strategyrestrictions/admission_test.go
@@ -11,13 +11,17 @@ import (
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
 	clientgotesting "k8s.io/client-go/testing"
+	kapi "k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/authorization"
 	fakekubeclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 	kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 
 	buildapi "github.com/openshift/origin/pkg/build/apis/build"
-	fakebuildclient "github.com/openshift/origin/pkg/build/generated/internalclientset/fake"
+	buildapiv1 "github.com/openshift/origin/pkg/build/apis/build/v1"
+	fakebuildclient "github.com/openshift/origin/pkg/build/generated/clientset/fake"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
+
+	_ "github.com/openshift/origin/pkg/build/apis/build/install"
 )
 
 func TestBuildAdmission(t *testing.T) {
@@ -48,7 +52,7 @@ func TestBuildAdmission(t *testing.T) {
 		{
 			name:                "allowed source build clone",
 			object:              testBuildRequest("test-build"),
-			responseObject:      testBuild(buildapi.BuildStrategy{SourceStrategy: &buildapi.SourceBuildStrategy{}}),
+			responseObject:      asV1Build(testBuild(buildapi.BuildStrategy{SourceStrategy: &buildapi.SourceBuildStrategy{}})),
 			kind:                buildapi.Kind("Build"),
 			resource:            buildapi.Resource("builds"),
 			subResource:         "clone",
@@ -70,7 +74,7 @@ func TestBuildAdmission(t *testing.T) {
 		{
 			name:                "denied docker build clone",
 			object:              testBuildRequest("buildname"),
-			responseObject:      testBuild(buildapi.BuildStrategy{DockerStrategy: &buildapi.DockerBuildStrategy{}}),
+			responseObject:      asV1Build(testBuild(buildapi.BuildStrategy{DockerStrategy: &buildapi.DockerBuildStrategy{}})),
 			kind:                buildapi.Kind("Build"),
 			resource:            buildapi.Resource("builds"),
 			subResource:         "clone",
@@ -101,7 +105,7 @@ func TestBuildAdmission(t *testing.T) {
 		},
 		{
 			name:                "allowed build config instantiate",
-			responseObject:      testBuildConfig(buildapi.BuildStrategy{DockerStrategy: &buildapi.DockerBuildStrategy{}}),
+			responseObject:      asV1BuildConfig(testBuildConfig(buildapi.BuildStrategy{DockerStrategy: &buildapi.DockerBuildStrategy{}})),
 			object:              testBuildRequest("test-buildconfig"),
 			kind:                buildapi.Kind("Build"),
 			resource:            buildapi.Resource("buildconfigs"),
@@ -123,7 +127,7 @@ func TestBuildAdmission(t *testing.T) {
 		},
 		{
 			name:                "forbidden build config instantiate",
-			responseObject:      testBuildConfig(buildapi.BuildStrategy{CustomStrategy: &buildapi.CustomBuildStrategy{}}),
+			responseObject:      asV1BuildConfig(testBuildConfig(buildapi.BuildStrategy{CustomStrategy: &buildapi.CustomBuildStrategy{}})),
 			object:              testBuildRequest("buildname"),
 			kind:                buildapi.Kind("Build"),
 			resource:            buildapi.Resource("buildconfigs"),
@@ -164,7 +168,7 @@ func TestBuildAdmission(t *testing.T) {
 		{
 			name:                "allowed jenkins pipeline build clone",
 			object:              testBuildRequest("test-build"),
-			responseObject:      testBuild(buildapi.BuildStrategy{JenkinsPipelineStrategy: &buildapi.JenkinsPipelineBuildStrategy{}}),
+			responseObject:      asV1Build(testBuild(buildapi.BuildStrategy{JenkinsPipelineStrategy: &buildapi.JenkinsPipelineBuildStrategy{}})),
 			kind:                buildapi.Kind("Build"),
 			resource:            buildapi.Resource("builds"),
 			subResource:         "clone",
@@ -252,6 +256,15 @@ func testBuild(strategy buildapi.BuildStrategy) *buildapi.Build {
 	}
 }
 
+func asV1Build(in *buildapi.Build) *buildapiv1.Build {
+	out := &buildapiv1.Build{}
+	err := kapi.Scheme.Convert(in, out, nil)
+	if err != nil {
+		panic(err)
+	}
+	return out
+}
+
 func testBuildConfig(strategy buildapi.BuildStrategy) *buildapi.BuildConfig {
 	return &buildapi.BuildConfig{
 		ObjectMeta: metav1.ObjectMeta{
@@ -266,6 +279,15 @@ func testBuildConfig(strategy buildapi.BuildStrategy) *buildapi.BuildConfig {
 	}
 }
 
+func asV1BuildConfig(in *buildapi.BuildConfig) *buildapiv1.BuildConfig {
+	out := &buildapiv1.BuildConfig{}
+	err := kapi.Scheme.Convert(in, out, nil)
+	if err != nil {
+		panic(err)
+	}
+	return out
+}
+
 func reviewResponse(allowed bool, msg string) *authorization.SubjectAccessReview {
 	return &authorization.SubjectAccessReview{
 		Status: authorization.SubjectAccessReviewStatus{
diff --git a/pkg/build/apis/build/v1/register.go b/pkg/build/apis/build/v1/register.go
@@ -27,6 +27,17 @@ func Resource(resource string) schema.GroupResource {
 	return SchemeGroupVersion.WithResource(resource).GroupResource()
 }
 
+// LegacyResource takes an unqualified resource and returns back a Group qualified GroupResource
+func LegacyResource(resource string) schema.GroupResource {
+	return LegacySchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+// IsResourceOrLegacy checks if the provided GroupResources matches with the given
+// resource by looking up the API group and also the legacy API.
+func IsResourceOrLegacy(resource string, gr schema.GroupResource) bool {
+	return gr == Resource(resource) || gr == LegacyResource(resource)
+}
+
 // addKnownTypes adds types to API group
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
diff --git a/pkg/cmd/server/admission/init.go b/pkg/cmd/server/admission/init.go
@@ -8,8 +8,8 @@ import (
 	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 	"k8s.io/kubernetes/pkg/quota"
 
-	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset"
-	buildclient "github.com/openshift/origin/pkg/build/generated/internalclientset"
+	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/clientset"
+	buildclient "github.com/openshift/origin/pkg/build/generated/clientset"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	imageapi "github.com/openshift/origin/pkg/image/apis/image"
 	imageclient "github.com/openshift/origin/pkg/image/generated/internalclientset"
@@ -19,8 +19,8 @@ import (
 	quotaclient "github.com/openshift/origin/pkg/quota/generated/internalclientset"
 	securityinformer "github.com/openshift/origin/pkg/security/generated/informers/internalversion"
 	templateclient "github.com/openshift/origin/pkg/template/generated/internalclientset"
-	userinformer "github.com/openshift/origin/pkg/user/generated/informers/internalversion"
-	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset"
+	userclient "github.com/openshift/origin/pkg/user/generated/clientset"
+	userinformer "github.com/openshift/origin/pkg/user/generated/informers/externalversions"
 )
 
 type PluginInitializer struct {
diff --git a/pkg/cmd/server/admission/types.go b/pkg/cmd/server/admission/types.go
@@ -7,8 +7,8 @@ import (
 	kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/quota"
 
-	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset"
-	buildclient "github.com/openshift/origin/pkg/build/generated/internalclientset"
+	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/clientset"
+	buildclient "github.com/openshift/origin/pkg/build/generated/clientset"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	imageclient "github.com/openshift/origin/pkg/image/generated/internalclientset"
 	"github.com/openshift/origin/pkg/project/cache"
@@ -17,8 +17,8 @@ import (
 	quotaclient "github.com/openshift/origin/pkg/quota/generated/internalclientset"
 	securityinformer "github.com/openshift/origin/pkg/security/generated/informers/internalversion"
 	templateclient "github.com/openshift/origin/pkg/template/generated/internalclientset"
-	userinformer "github.com/openshift/origin/pkg/user/generated/informers/internalversion"
-	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset"
+	userclient "github.com/openshift/origin/pkg/user/generated/clientset"
+	userinformer "github.com/openshift/origin/pkg/user/generated/informers/externalversions"
 )
 
 type WantsOpenshiftInternalAuthorizationClient interface {
diff --git a/pkg/cmd/server/origin/admission/plugin_initializer.go b/pkg/cmd/server/origin/admission/plugin_initializer.go
@@ -6,8 +6,8 @@ import (
 	"os"
 	"time"
 
-	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset"
-	buildclient "github.com/openshift/origin/pkg/build/generated/internalclientset"
+	authorizationclient "github.com/openshift/origin/pkg/authorization/generated/clientset"
+	buildclient "github.com/openshift/origin/pkg/build/generated/clientset"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	kubernetes "github.com/openshift/origin/pkg/cmd/server/kubernetes/master"
@@ -22,8 +22,8 @@ import (
 	securityinformer "github.com/openshift/origin/pkg/security/generated/informers/internalversion"
 	"github.com/openshift/origin/pkg/service"
 	templateclient "github.com/openshift/origin/pkg/template/generated/internalclientset"
-	userinformer "github.com/openshift/origin/pkg/user/generated/informers/internalversion"
-	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset"
+	userclient "github.com/openshift/origin/pkg/user/generated/clientset"
+	userinformer "github.com/openshift/origin/pkg/user/generated/informers/externalversions"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
diff --git a/pkg/cmd/server/origin/authenticator.go b/pkg/cmd/server/origin/authenticator.go
@@ -64,7 +64,7 @@ func NewAuthenticator(
 		serviceAccountTokenGetter,
 		userClient.User().Users(),
 		apiClientCAs,
-		usercache.NewGroupCache(informers.GetUserInformers().User().InternalVersion().Groups()),
+		usercache.NewGroupCache(informers.GetUserInformers().User().V1().Groups()),
 	)
 }
 
diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -37,7 +37,7 @@ import (
 	projectcache "github.com/openshift/origin/pkg/project/cache"
 	"github.com/openshift/origin/pkg/quota/controller/clusterquotamapping"
 	quotainformer "github.com/openshift/origin/pkg/quota/generated/informers/internalversion"
-	userinformer "github.com/openshift/origin/pkg/user/generated/informers/internalversion"
+	userinformer "github.com/openshift/origin/pkg/user/generated/informers/externalversions"
 
 	securityinformer "github.com/openshift/origin/pkg/security/generated/informers/internalversion"
 	"github.com/openshift/origin/pkg/service"
@@ -91,7 +91,6 @@ type MasterConfig struct {
 	AuthorizationInformers authorizationinformer.SharedInformerFactory
 	QuotaInformers         quotainformer.SharedInformerFactory
 	SecurityInformers      securityinformer.SharedInformerFactory
-	UserInformers          userinformer.SharedInformerFactory
 }
 
 type InformerAccess interface {
@@ -203,7 +202,6 @@ func BuildMasterConfig(
 		AuthorizationInformers: informers.GetAuthorizationInformers(),
 		QuotaInformers:         informers.GetQuotaInformers(),
 		SecurityInformers:      informers.GetSecurityInformers(),
-		UserInformers:          informers.GetUserInformers(),
 	}
 
 	// ensure that the limit range informer will be started
diff --git a/pkg/cmd/server/start/informers.go b/pkg/cmd/server/start/informers.go
@@ -28,8 +28,8 @@ import (
 	securityclient "github.com/openshift/origin/pkg/security/generated/internalclientset"
 	templateinformer "github.com/openshift/origin/pkg/template/generated/informers/internalversion"
 	templateclient "github.com/openshift/origin/pkg/template/generated/internalclientset"
-	userinformer "github.com/openshift/origin/pkg/user/generated/informers/internalversion"
-	userclient "github.com/openshift/origin/pkg/user/generated/internalclientset"
+	userclient "github.com/openshift/origin/pkg/user/generated/clientset"
+	userinformer "github.com/openshift/origin/pkg/user/generated/informers/externalversions"
 )
 
 // informers is a convenient way for us to keep track of the informers, but
diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go
diff --git a/pkg/project/admission/requestlimit/admission.go b/pkg/project/admission/requestlimit/admission.go
diff --git a/pkg/project/admission/requestlimit/admission_test.go b/pkg/project/admission/requestlimit/admission_test.go
diff --git a/pkg/user/cache/groups.go b/pkg/user/cache/groups.go

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`package identitymapper`
`2`	`2`
`3`	`3`	`import (`
`4`		`- userapi "github.com/openshift/origin/pkg/user/apis/user"`
	`4`	`+ userapi "github.com/openshift/origin/pkg/user/apis/user/v1"`
`5`	`5`	`)`
`6`	`6`
`7`	`7`	`type UserToGroupMapper interface {`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`package restrictusers`
`2`	`2`
`3`	`3`	`import (`
`4`		`- userapi "github.com/openshift/origin/pkg/user/apis/user"`
	`4`	`+ userapi "github.com/openshift/origin/pkg/user/apis/user/v1"`
`5`	`5`	`)`
`6`	`6`
`7`	`7`	`type fakeGroupCache struct {`