From e4f9c1977285900ab49b41ad54bdd770e07c1832 Mon Sep 17 00:00:00 2001
From: Alexander Mykolaichuk <alexmix3000@gmail.com>
Date: Tue, 22 Sep 2020 20:36:07 +0200
Subject: [PATCH] added permission denied error message (#8044)

---
 agent/acl.go | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/agent/acl.go b/agent/acl.go
index 5463fbf1f..d679d633a 100644
--- a/agent/acl.go
+++ b/agent/acl.go
@@ -105,14 +105,16 @@ func (a *Agent) vetServiceRegisterWithAuthorizer(authz acl.Authorizer, service *
 	service.FillAuthzContext(&authzContext)
 	// Vet the service itself.
 	if authz.ServiceWrite(service.Service, &authzContext) != acl.Allow {
-		return acl.ErrPermissionDenied
+		serviceName := service.CompoundServiceName()
+		return acl.PermissionDenied("Missing service:write on %s", serviceName.String())
 	}
 
 	// Vet any service that might be getting overwritten.
 	if existing := a.State.Service(service.CompoundServiceID()); existing != nil {
 		existing.FillAuthzContext(&authzContext)
 		if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
-			return acl.ErrPermissionDenied
+			serviceName := service.CompoundServiceName()
+			return acl.PermissionDenied("Missing service:write on %s", serviceName.String())
 		}
 	}
 
@@ -121,7 +123,7 @@ func (a *Agent) vetServiceRegisterWithAuthorizer(authz acl.Authorizer, service *
 	if service.Kind == structs.ServiceKindConnectProxy {
 		service.FillAuthzContext(&authzContext)
 		if authz.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
-			return acl.ErrPermissionDenied
+			return acl.PermissionDenied("Missing service:write on %s", service.Proxy.DestinationServiceName)
 		}
 	}
 
@@ -151,7 +153,8 @@ func (a *Agent) vetServiceUpdateWithAuthorizer(authz acl.Authorizer, serviceID s
 	if existing := a.State.Service(serviceID); existing != nil {
 		existing.FillAuthzContext(&authzContext)
 		if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
-			return acl.ErrPermissionDenied
+			serviceName := existing.CompoundServiceName()
+			return acl.PermissionDenied("Missing service:write on %s", serviceName.String())
 		}
 	} else {
 		return fmt.Errorf("Unknown service %q", serviceID)
@@ -229,11 +232,11 @@ func (a *Agent) vetCheckUpdateWithAuthorizer(authz acl.Authorizer, checkID struc
 	if existing := a.State.Check(checkID); existing != nil {
 		if len(existing.ServiceName) > 0 {
 			if authz.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
-				return acl.ErrPermissionDenied
+				return acl.PermissionDenied("Missing service:write on %s", existing.ServiceName)
 			}
 		} else {
 			if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
-				return acl.ErrPermissionDenied
+				return acl.PermissionDenied("Missing node:write on %s", a.config.NodeName)
 			}
 		}
 	} else {