@@ -52,7 +52,24 @@ func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Autho

 		return false, "", kerrors.NewAggregate(errs)

 	}

-	return false, "denied by default", nil

+	username := "MISSING"

+	if user, userExists := kapi.UserFrom(ctx); userExists {

+		username = user.GetName()

+	}

+

+	denyReason := "denied by default"

+	if passedAttributes.IsNonResourceURL() {

+		denyReason = fmt.Sprintf("%v cannot %v on %v", username, attributes.GetVerb(), attributes.GetURL())

+

+	} else {

+		resourceNamePart := ""

+		if len(attributes.GetResourceName()) > 0 {

+			resourceNamePart = fmt.Sprintf(" with name \"%v\"", attributes.GetResourceName())

+		}

+		denyReason = fmt.Sprintf("%v cannot %v on %v%v in %v", username, attributes.GetVerb(), attributes.GetResource(), resourceNamePart, namespace)

+	}

+

+	return false, denyReason, nil

 }

 func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (util.StringSet, util.StringSet, error) {

@@ -41,7 +41,7 @@ func TestResourceNameDeny(t *testing.T) {

 			ResourceName: "just-a-user",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  `just-a-user cannot get on users with name "just-a-user"`,

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.bindings = newDefaultGlobalBinding()

@@ -166,7 +166,7 @@ func TestNonResourceDeny(t *testing.T) {

 			URL:            "not-allowed",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  `no-one cannot get on not-allowed`,

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.bindings = newDefaultGlobalBinding()

@@ -183,7 +183,7 @@ func TestHealthDeny(t *testing.T) {

 			URL:            "/healthz",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  `no-one cannot get on /healthz`,

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.bindings = newDefaultGlobalBinding()

@@ -215,7 +215,7 @@ func TestDisallowedViewingGlobalPods(t *testing.T) {

 			Resource: "pods",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  `SomeYahoo cannot get on pods`,

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.bindings = newDefaultGlobalBinding()

@@ -282,7 +282,7 @@ func TestResourceRestrictionsWork(t *testing.T) {

 			Resource: "pods",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  `Rachel cannot get on pods in adze`,

 	}

 	test2.policies = newDefaultGlobalPolicies()

 	test2.policies = append(test2.policies, newAdzePolicies()...)

@@ -331,7 +331,7 @@ func TestLocalRightsDoNotGrantGlobalRights(t *testing.T) {

 			Resource: "buildConfigs",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  `Rachel cannot get on buildConfigs in backsaw`,

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -364,7 +364,7 @@ func TestVerbRestrictionsWork(t *testing.T) {

 			Resource: "buildConfigs",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  `Valerie cannot create on buildConfigs in adze`,

 	}

 	test2.policies = newDefaultGlobalPolicies()

 	test2.policies = append(test2.policies, newAdzePolicies()...)

@@ -37,7 +37,7 @@ func TestViewerGetAllowedKindInAdze(t *testing.T) {

 			Resource: "pods",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Victor cannot get on pods in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -57,7 +57,7 @@ func TestViewerGetDisallowedKindInMallet(t *testing.T) {

 			Resource: "policies",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Victor cannot get on policies in mallet",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -76,7 +76,7 @@ func TestViewerGetDisallowedKindInAdze(t *testing.T) {

 			Resource: "policies",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Victor cannot get on policies in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -96,7 +96,7 @@ func TestViewerCreateAllowedKindInMallet(t *testing.T) {

 			Resource: "pods",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Victor cannot create on pods in mallet",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -115,7 +115,7 @@ func TestViewerCreateAllowedKindInAdze(t *testing.T) {

 			Resource: "pods",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Victor cannot create on pods in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -154,7 +154,7 @@ func TestEditorUpdateAllowedKindInAdze(t *testing.T) {

 			Resource: "pods",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Edgar cannot update on pods in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -174,7 +174,7 @@ func TestEditorUpdateDisallowedKindInMallet(t *testing.T) {

 			Resource: "roleBindings",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Edgar cannot update on roleBindings in mallet",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -193,7 +193,7 @@ func TestEditorUpdateDisallowedKindInAdze(t *testing.T) {

 			Resource: "roleBindings",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Edgar cannot update on roleBindings in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -232,7 +232,7 @@ func TestEditorGetAllowedKindInAdze(t *testing.T) {

 			Resource: "pods",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Edgar cannot get on pods in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -271,7 +271,7 @@ func TestAdminUpdateAllowedKindInAdze(t *testing.T) {

 			Resource: "roleBindings",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Matthew cannot update on roleBindings in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -291,7 +291,7 @@ func TestAdminUpdateDisallowedKindInMallet(t *testing.T) {

 			Resource: "policies",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Matthew cannot update on policies in mallet",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -310,7 +310,7 @@ func TestAdminUpdateDisallowedKindInAdze(t *testing.T) {

 			Resource: "roles",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Matthew cannot update on roles in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)

@@ -349,7 +349,7 @@ func TestAdminGetAllowedKindInAdze(t *testing.T) {

 			Resource: "policies",

 		},

 		expectedAllowed: false,

-		expectedReason:  "denied by default",

+		expectedReason:  "Matthew cannot get on policies in adze",

 	}

 	test.policies = newDefaultGlobalPolicies()

 	test.policies = append(test.policies, newAdzePolicies()...)