bug: authorization failures don't tell a user what workspace their request was in
Describe the bug
Today, our failures look like this:
cowboys.wildwest.dev is forbidden: User "kcp-admin" cannot list resource "cowboys" in API group "wildwest.dev" in the namespace "default": workspace access not permitted
Steps To Reproduce
Do something you are not allowed to
Expected Behaviour
It would be ideal if we did this:
cowboys.wildwest.dev is forbidden: User "kcp-admin" cannot list resource "cowboys" in API group "wildwest.dev" in the namespace "default" in the workspace "root:whatever": workspace access not permitted
Additional Context
No response
The best I can come up with without changing major things upstream is:
cowboys.wildwest.dev is forbidden: User "kcp-admin" cannot list resource "cowboys" in API group "wildwest.dev" in the namespace "default": workspace "root:whatever": workspace access not permitted
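The shape of the workaround in the comment above, as an added example that is not part of the original thread and is not kcp or Kubernetes code. It assumes the forbidden message is a fixed prefix followed by `: ` and the authorizer's reason, so the reason string is the only place to carry the workspace without touching upstream. `Attributes`, `Authorizer`, `WithWorkspace`, `WorkspaceReason`, `ForbiddenMessage` and `denyAll` are hypothetical, simplified names.

```go
package main

import (
	"context"
	"fmt"
)

// Hypothetical, simplified stand-ins for an authorizer interface; not real kcp or Kubernetes types.
type Attributes struct{ User, Verb, Resource, APIGroup, Namespace string }

type Authorizer interface {
	Authorize(ctx context.Context, a Attributes) (allowed bool, reason string, err error)
}

type workspaceKey struct{}

// WithWorkspace records the workspace the caller addressed (assumed to be set by earlier request handling).
func WithWorkspace(ctx context.Context, ws string) context.Context { return context.WithValue(ctx, workspaceKey{}, ws) }

// WorkspaceReason wraps an authorizer so that denial reasons name the workspace.
type WorkspaceReason struct{ Delegate Authorizer }

func (w WorkspaceReason) Authorize(ctx context.Context, a Attributes) (bool, string, error) {
	allowed, reason, err := w.Delegate.Authorize(ctx, a)
	ws, ok := ctx.Value(workspaceKey{}).(string)
	if allowed || !ok || reason == "" {
		return allowed, reason, err // the decision is never changed, only the text of a denial
	}
	return allowed, fmt.Sprintf("workspace %q: %s", ws, reason), err
}

// ForbiddenMessage models the assumed upstream behaviour: fixed prefix, then ": reason".
func ForbiddenMessage(a Attributes, reason string) string {
	msg := fmt.Sprintf("%s.%s is forbidden: User %q cannot %s resource %q in API group %q in the namespace %q", a.Resource, a.APIGroup, a.User, a.Verb, a.Resource, a.APIGroup, a.Namespace)
	if reason != "" {
		msg += ": " + reason
	}
	return msg
}

// denyAll is a constructed delegate that always refuses with the reason quoted in the issue.
type denyAll struct{}
func (denyAll) Authorize(context.Context, Attributes) (bool, string, error) { return false, "workspace access not permitted", nil }

func main() {
	a := Attributes{"kcp-admin", "list", "cowboys", "wildwest.dev", "default"} // constructed request
	_, reason, _ := WorkspaceReason{denyAll{}}.Authorize(WithWorkspace(context.Background(), "root:whatever"), a)
	fmt.Println(ForbiddenMessage(a, reason))
}
```

The wrapper echoes only the workspace recorded for the request, which this sketch assumes is the one the caller named, so the denial text reveals nothing the caller did not supply.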
Issues go stale after 90d of inactivity.
After a further 30 days, they will turn rotten.
Mark the issue as fresh with /remove-lifecycle stale.
If this issue is safe to close now please do so with /close.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close
@kcp-ci-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.