When a remote Juju user with read access only attempts to deploy a charm (e.g. 'apache2') the following text is printed:
ERROR storing charm for URL "cs:apache2-26": delegatable macaroon cannot be obtained for public entities
This can be improved.
When the user is granted write access the charm is deployed successfully.
Interestingly, when the read-only user attempts to scale an application (`add-unit`) the messaging is more meaningful:
You do not have permission to add a unit.
You may ask an administrator to grant you access with "juju grant".
ERROR permission denied (unauthorized access)
However, when the user attempts to run an action (`run-action`), remove an application (`remove-application`), or remove a machine (`remove-machine`) the error is simply:
ERROR permission denied (unauthorized access)
When trying to remove a model (`destroy-model`) the error is:
Destroying model
ERROR failed to destroy model "admin/aws-alpha"
ERROR cannot destroy model: permission denied
When trying to remove a controller (`destroy-controller` or `kill-controller`) without superuser access the error is:
ERROR getting controller environ: getting model config from API: permission denied (unauthorized access)
So we might want to be more consistent and direct with all this messaging.
See also bug 1571855.