Repo Scoped Permissions: Token support
Repository scoped permissions are now in public preview. However, they are limited to Tokens.
Our plan has been to add repository scoped permissions for IoT scenarios (devices in the wild) and AAD based objects (services and people).
Our first priority was to enable IoT, as enabling millions of devices connecting from remote or isolated networks was a blocker. Tokens enable near-infinite scale while limiting access to just the registry. We grouped the token feature with repo-scoped permissions.
Additional Investigations
While adding AAD based support, we received feedback that repo scoped permissions are great, but they need to be managed by individual teams (RBAC on folders/subfolders #338).
We're currently investigating the following design, validating with customer calls:
TeamA and TeamB both share the contoso.azurecr.io registry. TeamA owns all the repos below:
- contoso.azurecr.io/teama/
- contoso.azurecr.io/team-a/project-1/web
- contoso.azurecr.io/team-a/project-1/api
- contoso.azurecr.io/team-a/project-2/web
- contoso.azurecr.io/team-a/project-2/queue-processor
TeamB owns all the repos below:
- contoso.azurecr.io/team-b/
- contoso.azurecr.io/team-b/project-3/web
- contoso.azurecr.io/team-b/project-3/router
- contoso.azurecr.io/team-b/project-4/web
- contoso.azurecr.io/team-b/project-4/mail-processor
Today, the owner or contributor of the registry must assign permissions. This means the managers of TeamA and TeamB either need to be contributors of the entire registry, or they must each ask the contributors of the entire registry to configure permissions.
We acknowledge and recognize this gap and have been doing customer calls/research to understand exactly how teams would like their shared repositories managed.
- Is it just permissions that are delegated?
- Should we isolate audit-logs?
- Should Webhook creation be limited to repos owned by the team?
- Should we use AAD groups to manage the teams?
While we appreciate that teams are looking for repo-scoped permissions today, the impact of the change is significant. Rather than release another preview, where the role names or group management would likely change, we felt it better to gather more info before making incremental improvements that we believe would change.
Next Steps
With many other commitments on our plate for the spring of 2021, we will spend the late spring researching and validating the new design and queue up development for the fall of 2021.
GA Date & Risk of Changes from Preview
As we re-evaluate the team management aspects, we expect some amount of change to the current token/scope map design. Because of this, we will keep Repo Scoped Permissions for Tokens in preview for at least the rest of 2021.
Production Support for Preview Features
As with all public-preview features, we will provide production support through normal Azure Support Ticket processes.
Risk of Changes
While we may make changes to the preview designs, the Azure Container Registry team is committed to minimizing breaking changes. Any change would be through a new API version with backward compat support for at least 3 months from the point of a new preview change. This also applies to transitioning from preview to GA.
This gives Azure CLI users and REST API users a way to maintain the API they've been using, with a minimum of 3 months to transition.
Once a feature moves to GA, we follow the 3-year commitment to breaking changes.
For those tracking updates, I've made a few edits to identify that we've had to move this work out another 6 months.
@SteveLasker - is there any further update on this? it's been more than 6 months now :-)
also, is token support for SPs and MIs also impacting release of assigning RBAC permissions using "User principals" to ACR?
thanks!
any update about the GA timeline please?
We really need this feature. More enterprise companies are awaiting this feature.
@dpaardenkooper and @dhanesh012 We are designing the feature at the moment and expect to have updates at the beginning of next year including tentative timelines.
Hi @dpaardenkooper and @dhanesh012,
Johnson here from the Azure Container Registry team.
We currently have frequent internal syncs on our side as we're marshalling the dev resources to GA this by 1st half of 2023.
As part of our GA efforts, we'll need to make some internal changes. The feature will not have any changes for GA. It will GA with the current set of features and capabilities that are available in Preview, but with possible SKU limit changes.
Hi @johnsonshi, has the public preview changed to GA? The message in the docs is gone: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-repository-scoped-permissions.
Hope to hear from you. Kind regards,
Dinant Paardenkooper
Hi @dpaardenkooper, the docs and portal have been changed from Public Preview to GA. Some SDKs and REST API docs may still show it as Public Preview.
The target date for GA is end of March 2023. I will be making a GA announcement once it does. I will also update and close this GitHub issue once the feature GAs. Thank you!
My apologies for the late reaction, but Thnx @johnsonshi !
ACR Repository Scoped Permissions with Tokens and Scope Maps is now generally available! With the GA of Tokens and Scope Maps, customers are able to use Tokens and Scope Maps to give read or write permissions to specific repositories in an Azure Container Registry.
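As an added example (not from this issue or from the ACR team), the following script shows how the TeamA delegation described in the original post looks with the GA token/scope-map model: one scope map listing each team-a repository explicitly, plus a token bound to it, with a guard that refuses any repository outside the team's own prefix. It assumes the `contoso` registry and repository names from the post and the documented `az acr scope-map create` / `az acr token create` commands; it defaults to printing the commands (DRY_RUN=1) so it can be reviewed before being applied.

```shell
#!/usr/bin/env bash
# Added example, not the ACR project's own tooling. Assumes the contoso
# registry and team-a repositories from the issue above. DRY_RUN=1 (default)
# prints the az commands; DRY_RUN=0 runs them with a logged-in Azure CLI.
REGISTRY=contoso
TEAM=team-a
DRY_RUN=${DRY_RUN:-1}

# Refuse any repository that is not under the team's own prefix, so a scope
# map prepared for TeamA cannot accidentally grant access to team-b repos.
check_repo_prefix() {
  case "$1" in
    "$TEAM"/*) return 0 ;;
    *) echo "refusing repository outside $TEAM/: $1" >&2; return 1 ;;
  esac
}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Scope maps grant actions per named repository (not per folder), so every
# repo the team owns must be listed. Here each gets pull and push.
create_team_scope_map() {
  local map=$1; shift
  local args=()
  for repo in "$@"; do
    check_repo_prefix "$repo" || return 1
    args+=(--repository "$repo" content/read content/write)
  done
  run az acr scope-map create --registry "$REGISTRY" --name "$map" \
    --description "Delegated push/pull for $TEAM" "${args[@]}"
}

# A token bound to the scope map; its generated password is what the team's
# CI or devices use to log in, with access limited to the listed repos.
create_team_token() {
  run az acr token create --registry "$REGISTRY" --name "$1" --scope-map "$2"
}

create_team_scope_map team-a-push-pull \
  team-a/project-1/web team-a/project-1/api \
  team-a/project-2/web team-a/project-2/queue-processor
create_team_token team-a-ci team-a-push-pull
```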