Description of problem:
The message of forbidden without assign permission to create templateinstance is urgly.
Version-Release number of selected component (if applicable):
features: Basic-Auth GSSAPI Kerberos SPNEGO
Steps to Reproduce:
1.Enable template service broker by admin
2.Create a templateinstance with requester.username that is not the requester user
Show below forbidden message:
The TemplateInstance "instance1" is invalid: spec.requester.username: Forbidden: impersonation forbidden: templateinstances.template.openshift.io "" is forbidden: User "xiuwang" cannot "assign" "templateinstances.template.openshift.io" with name "" in project "xiu3"
The forbidden message should be more friendly
This issue has fixed in 
The forbidden info is more friendly.
The TemplateInstance "instance1" is invalid: spec.requester.username: Forbidden: you do not have permission to set username
Will move to verified after bug status change to on_qa
Test with oc version v3.6.135, this issue has been fixed, move this bug to verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.