diff --git a/pkg/registry/rbac/validation/BUILD b/pkg/registry/rbac/validation/BUILD
index fb4bd39ac7..ad66407545 100644
--- a/pkg/registry/rbac/validation/BUILD
+++ b/pkg/registry/rbac/validation/BUILD
@@ -36,8 +36,8 @@ go_library(
         "//pkg/apis/rbac:go_default_library",
         "//pkg/apis/rbac/v1:go_default_library",
         "//staging/src/k8s.io/api/rbac/v1:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
diff --git a/pkg/registry/rbac/validation/rule.go b/pkg/registry/rbac/validation/rule.go
index 366a9a97b1..833ffc1e6c 100644
--- a/pkg/registry/rbac/validation/rule.go
+++ b/pkg/registry/rbac/validation/rule.go
@@ -20,15 +20,17 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/golang/glog"
 
 	rbacv1 "k8s.io/api/rbac/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
 )
 
 type AuthorizationRuleResolver interface {
@@ -65,7 +67,22 @@ func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleReso
 
 	ownerRightsCover, missingRights := Covers(ownerRules, rules)
 	if !ownerRightsCover {
-		return apierrors.NewUnauthorized(fmt.Sprintf("attempt to grant extra privileges: %v user=%v ownerrules=%v ruleResolutionErrors=%v", missingRights, user, ownerRules, ruleResolutionErrors))
+		compactMissingRights := missingRights
+		if compact, err := CompactRules(missingRights); err == nil {
+			compactMissingRights = compact
+		}
+
+		missingDescriptions := sets.NewString()
+		for _, missing := range compactMissingRights {
+			missingDescriptions.Insert(rbacv1helpers.CompactString(missing))
+		}
+
+		msg := fmt.Sprintf("user %q (groups=%q) is attempting to grant RBAC permissions not currently held:\n%s", user.GetName(), user.GetGroups(), strings.Join(missingDescriptions.List(), "\n"))
+		if len(ruleResolutionErrors) > 0 {
+			msg = msg + fmt.Sprintf("; resolution errors: %v", ruleResolutionErrors)
+		}
+
+		return errors.New(msg)
 	}
 	return nil
 }