
acr purge command: support ABAC-enabled registries if identity has full data plane permissions

Open johnsonshi opened this issue 5 months ago • 1 comments

Describe the bug

The acr purge command cannot be run on ABAC-enabled registries, even if the identity has permissions to (1) list all repositories through the registry catalog API and (2) full permissions to all repositories.

When executing acr purge, the command requests an ACR access token with the scope "registry:catalog:* repository:*:*" (reference code: acr-cli/internal/api/acrsdk.go at main · Azure/acr-cli).

However, the wildcard scope "repository:*:*" is not supported for ABAC-enabled registries.

To Reproduce

Steps to reproduce the behavior:

  1. Create a new ABAC-enabled registry or configure an existing registry to be ABAC-enabled via https://aka.ms/acr/auth/abac
  2. Ensure the identity has permissions to (1) list all repositories through the registry catalog API and (2) full data plane permissions to all repositories.
  3. Run acr purge
  4. Observe 401 unauthorized.

Expected Behavior

acr purge should be supported on ABAC-enabled registries.

In-Scope Support for Expected Behavior

To clarify, acr purge should only successfully run if the identity has permissions to (1) list all repositories through the registry catalog API and (2) full data plane permissions to all repositories (defined as all of (content|metadata)/(read|write|delete)).

Out-of-Scope Support for Expected Behavior

This item does not track acr purge support for repository-based purging where the identity only has partial permissions, such as (1) not having permissions to list all repositories through the registry catalog API, or (2) not having full data plane permissions to all repositories (e.g. not having the full `(content|metadata)/(read|write|delete)` permissions to any repository).

This is because purge operations, such as acr purge, are still considered privileged operations that registry owners (who typically have full data plane permissions) should be running.

johnsonshi avatar Aug 22 '25 03:08 johnsonshi
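The token request the issue describes, as an added example that is not acr-cli's own code: a client performing ACR's refresh-token to access-token exchange with the purge scope, which reports the 401 on the wildcard scope as a descriptive error instead of a bare status code, exercised against a constructed fake registry that behaves the way the issue reports for ABAC-enabled registries. It assumes the refresh token was already obtained from /oauth2/exchange; requestACRToken, newFakeRegistry and ErrWildcardScope are names introduced here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Scope acr purge requests (from the issue); repository:*:* is the wildcard ABAC rejects.
const purgeScope = "registry:catalog:* repository:*:*"
// ErrWildcardScope (name introduced here) turns the bare 401 into a diagnosis.
var ErrWildcardScope = errors.New("401 for wildcard scope repository:*:*: not supported on ABAC-enabled registries")

// requestACRToken does ACR's refresh-token to access-token exchange (POST {registry}/oauth2/token);
// service is the registry login server name and refreshToken is assumed to come from /oauth2/exchange.
func requestACRToken(registryURL, service, refreshToken, scope string) (string, error) {
	form := url.Values{"grant_type": {"refresh_token"}, "service": {service},
		"scope": {scope}, "refresh_token": {refreshToken}}
	resp, err := http.PostForm(registryURL+"/oauth2/token", form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized && strings.Contains(scope, "repository:*:*") {
		return "", ErrWildcardScope
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var body struct{ AccessToken string `json:"access_token"` }
	err = json.NewDecoder(resp.Body).Decode(&body)
	return body.AccessToken, err
}

// newFakeRegistry is a constructed stand-in: with abac=true it answers 401 to the wildcard
// repository scope, as the issue reports for ABAC-enabled registries; otherwise it issues a token.
func newFakeRegistry(abac bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if abac && strings.Contains(r.FormValue("scope"), "repository:*:*") {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"access_token":"constructed-token"}`)
	}))
}
```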