add detail to forbidden message

pkg/authorization/authorizer/authorizer.go

@@ -52,7 +52,24 @@ func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Autho
 		return false, "", kerrors.NewAggregate(errs)
 	}
 
-	return false, "denied by default", nil
+	username := "MISSING"
+	if user, userExists := kapi.UserFrom(ctx); userExists {
+		username = user.GetName()
+	}
+
+	denyReason := "denied by default"
+	if passedAttributes.IsNonResourceURL() {
+		denyReason = fmt.Sprintf("%v cannot %v on %v", username, attributes.GetVerb(), attributes.GetURL())
+
+	} else {
+		resourceNamePart := ""
+		if len(attributes.GetResourceName()) > 0 {
+			resourceNamePart = fmt.Sprintf(" with name \"%v\"", attributes.GetResourceName())
+		}
+		denyReason = fmt.Sprintf("%v cannot %v on %v%v in %v", username, attributes.GetVerb(), attributes.GetResource(), resourceNamePart, namespace)
+	}
+
+	return false, denyReason, nil
 }
 
 func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (util.StringSet, util.StringSet, error) {

pkg/authorization/authorizer/authorizer_test.go

@@ -41,7 +41,7 @@ func TestResourceNameDeny(t *testing.T) {
 			ResourceName: "just-a-user",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  `just-a-user cannot get on users with name "just-a-user"`,
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.bindings = newDefaultGlobalBinding()
@@ -166,7 +166,7 @@ func TestNonResourceDeny(t *testing.T) {
 			URL:            "not-allowed",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  `no-one cannot get on not-allowed`,
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.bindings = newDefaultGlobalBinding()
@@ -183,7 +183,7 @@ func TestHealthDeny(t *testing.T) {
 			URL:            "/healthz",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  `no-one cannot get on /healthz`,
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.bindings = newDefaultGlobalBinding()
@@ -215,7 +215,7 @@ func TestDisallowedViewingGlobalPods(t *testing.T) {
 			Resource: "pods",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  `SomeYahoo cannot get on pods`,
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.bindings = newDefaultGlobalBinding()
@@ -282,7 +282,7 @@ func TestResourceRestrictionsWork(t *testing.T) {
 			Resource: "pods",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  `Rachel cannot get on pods in adze`,
 	}
 	test2.policies = newDefaultGlobalPolicies()
 	test2.policies = append(test2.policies, newAdzePolicies()...)
@@ -331,7 +331,7 @@ func TestLocalRightsDoNotGrantGlobalRights(t *testing.T) {
 			Resource: "buildConfigs",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  `Rachel cannot get on buildConfigs in backsaw`,
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -364,7 +364,7 @@ func TestVerbRestrictionsWork(t *testing.T) {
 			Resource: "buildConfigs",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  `Valerie cannot create on buildConfigs in adze`,
 	}
 	test2.policies = newDefaultGlobalPolicies()
 	test2.policies = append(test2.policies, newAdzePolicies()...)

pkg/authorization/authorizer/bootstrap_policy_test.go

@@ -37,7 +37,7 @@ func TestViewerGetAllowedKindInAdze(t *testing.T) {
 			Resource: "pods",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Victor cannot get on pods in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -57,7 +57,7 @@ func TestViewerGetDisallowedKindInMallet(t *testing.T) {
 			Resource: "policies",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Victor cannot get on policies in mallet",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -76,7 +76,7 @@ func TestViewerGetDisallowedKindInAdze(t *testing.T) {
 			Resource: "policies",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Victor cannot get on policies in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -96,7 +96,7 @@ func TestViewerCreateAllowedKindInMallet(t *testing.T) {
 			Resource: "pods",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Victor cannot create on pods in mallet",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -115,7 +115,7 @@ func TestViewerCreateAllowedKindInAdze(t *testing.T) {
 			Resource: "pods",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Victor cannot create on pods in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -154,7 +154,7 @@ func TestEditorUpdateAllowedKindInAdze(t *testing.T) {
 			Resource: "pods",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Edgar cannot update on pods in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -174,7 +174,7 @@ func TestEditorUpdateDisallowedKindInMallet(t *testing.T) {
 			Resource: "roleBindings",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Edgar cannot update on roleBindings in mallet",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -193,7 +193,7 @@ func TestEditorUpdateDisallowedKindInAdze(t *testing.T) {
 			Resource: "roleBindings",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Edgar cannot update on roleBindings in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -232,7 +232,7 @@ func TestEditorGetAllowedKindInAdze(t *testing.T) {
 			Resource: "pods",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Edgar cannot get on pods in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -271,7 +271,7 @@ func TestAdminUpdateAllowedKindInAdze(t *testing.T) {
 			Resource: "roleBindings",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Matthew cannot update on roleBindings in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -291,7 +291,7 @@ func TestAdminUpdateDisallowedKindInMallet(t *testing.T) {
 			Resource: "policies",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Matthew cannot update on policies in mallet",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -310,7 +310,7 @@ func TestAdminUpdateDisallowedKindInAdze(t *testing.T) {
 			Resource: "roles",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Matthew cannot update on roles in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)
@@ -349,7 +349,7 @@ func TestAdminGetAllowedKindInAdze(t *testing.T) {
 			Resource: "policies",
 		},
 		expectedAllowed: false,
-		expectedReason:  "denied by default",
+		expectedReason:  "Matthew cannot get on policies in adze",
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)