openshift
diff --git a/‎pkg/cmd/server/kubernetes/master/master_config_test.go
Lines changed: 3 additions & 0 deletions b/‎pkg/cmd/server/kubernetes/master/master_config_test.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎pkg/cmd/server/origin/master_config.go
Lines changed: 19 additions & 15 deletions b/‎pkg/cmd/server/origin/master_config.go
Lines changed: 19 additions & 15 deletions
diff --git a/‎vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/config.go
Lines changed: 20 additions & 14 deletions b/‎vendor/k8s.io/kubernetes/pkg/kubeapiserver/authenticator/config.go
Lines changed: 20 additions & 14 deletions
diff --git a/‎vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go
Lines changed: 11 additions & 2 deletions b/‎vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go
Lines changed: 11 additions & 2 deletions
diff --git a/‎vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
Lines changed: 48 additions & 0 deletions b/‎vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
Lines changed: 48 additions & 0 deletions
diff --git a/‎vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go
Lines changed: 41 additions & 0 deletions b/‎vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go
Lines changed: 41 additions & 0 deletions
diff --git a/‎vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
Lines changed: 54 additions & 0 deletions b/‎vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/token/cache/BUILD
Lines changed: 54 additions & 0 deletions
@@ -140,6 +140,9 @@ func TestAPIServerDefaults(t *testing.T) {
 			},
 			TokenFile: &kubeoptions.TokenFileAuthenticationOptions{},
 			WebHook:   &kubeoptions.WebHookAuthenticationOptions{CacheTTL: 2 * time.Minute},
+
+			TokenSuccessCacheTTL: 10 * time.Second,
+			TokenFailureCacheTTL: 0,
 		},
 		Authorization: &kubeoptions.BuiltInAuthorizationOptions{
 			Mode: "AlwaysAllow",
 
@@ -7,6 +7,7 @@ import (
 	"net"
 	"reflect"
 	"strings"
+	"time"
 
 	"github.com/golang/glog"
 
@@ -27,6 +28,8 @@ import (
 	"k8s.io/apiserver/pkg/authentication/request/union"
 	"k8s.io/apiserver/pkg/authentication/request/websocket"
 	x509request "k8s.io/apiserver/pkg/authentication/request/x509"
+	tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
+	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
 	"k8s.io/apiserver/pkg/authentication/user"
 	kauthorizer "k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
@@ -672,7 +675,7 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, plu
 
 func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclient.OAuthAccessTokenInterface, tokenGetter serviceaccount.ServiceAccountTokenGetter, userGetter userclient.UserResourceInterface, apiClientCAs *x509.CertPool, groupMapper identitymapper.UserToGroupMapper) (authenticator.Request, error) {
 	authenticators := []authenticator.Request{}
-	tokenAuthenticators := []authenticator.Request{}
+	tokenAuthenticators := []authenticator.Token{}
 
 	// ServiceAccount token
 	if len(config.ServiceAccountConfig.PublicKeyFiles) > 0 {
@@ -685,31 +688,32 @@ func newAuthenticator(config configapi.MasterConfig, accessTokenGetter oauthclie
 			publicKeys = append(publicKeys, readPublicKeys...)
 		}
 		serviceAccountTokenAuthenticator := serviceaccount.JWTTokenAuthenticator(publicKeys, true, tokenGetter)
-		tokenAuthenticators = append(
-			tokenAuthenticators,
-			bearertoken.New(serviceAccountTokenAuthenticator),
-			websocket.NewProtocolAuthenticator(serviceAccountTokenAuthenticator),
-			paramtoken.New("access_token", serviceAccountTokenAuthenticator, true),
-		)
+		tokenAuthenticators = append(tokenAuthenticators, serviceAccountTokenAuthenticator)
 	}
 
 	// OAuth token
 	if config.OAuthConfig != nil {
 		oauthTokenAuthenticator := authnregistry.NewTokenAuthenticator(accessTokenGetter, userGetter, groupMapper)
-		oauthTokenRequestAuthenticators := []authenticator.Request{
-			bearertoken.New(oauthTokenAuthenticator),
-			websocket.NewProtocolAuthenticator(oauthTokenAuthenticator),
-			paramtoken.New("access_token", oauthTokenAuthenticator, true),
-		}
-
 		tokenAuthenticators = append(tokenAuthenticators,
 			// if you have a bearer token, you're a human (usually)
 			// if you change this, have a look at the impersonationFilter where we attach groups to the impersonated user
-			group.NewGroupAdder(union.New(oauthTokenRequestAuthenticators...), []string{bootstrappolicy.AuthenticatedOAuthGroup}))
+			group.NewTokenGroupAdder(oauthTokenAuthenticator, []string{bootstrappolicy.AuthenticatedOAuthGroup}))
 	}
 
 	if len(tokenAuthenticators) > 0 {
-		authenticators = append(authenticators, union.New(tokenAuthenticators...))
+		// Combine all token authenticators
+		tokenAuth := tokenunion.New(tokenAuthenticators...)
+
+		// wrap with short cache on success.
+		// this means a revoked service account token or access token will be valid for up to 10 seconds.
+		// it also means group membership changes on users may take up to 10 seconds to become effective.
+		tokenAuth = tokencache.New(tokenAuth, 10*time.Second, 0)
+
+		authenticators = append(authenticators,
+			bearertoken.New(tokenAuth),
+			websocket.NewProtocolAuthenticator(tokenAuth),
+			paramtoken.New("access_token", tokenAuth, true),
+		)
 	}
 
 	// build cert authenticator