Recently an application was trying to manipulate Koji tags with the editTag2 RPC, but the user account did not have the "tag" permission, so the hub raised ActionNotAllowed from assertPerm("tag").

It was not immediately obvious what was going on, because the application developers use two different system accounts. One account had the "tag" permission, one did not.

When we hit the error in assertPerm(), we only tell the user what permission they are missing, and not the user account:

raise koji.ActionNotAllowed("%s permission required" % name)

I understand the user shares some responsibility to understand what account they are using, but on the other hand when the application is wrapped in several layers (containers, openshift, etc) it's a little hard for new users to debug this.

If session.logged_in is false, it would be really nice to say "user not logged in" in the exception here.

If session.logged_in is true, it would be really nice to include the username in the exception.