Implemented abac support for tag and manifest'#599
Implemented abac support for tag and manifest'#599keithy1012 wants to merge 2 commits intoAzure:mainfrom
Conversation
keithy1012
force-pushed
the
t-keithyao/abac-support-manifest-and-tag
branch
from
631fe4a to
9179528
Compare
cmd/acr/tag.go
Outdated
| loginURL := api.LoginURL(registryName) | ||
| // An acrClient is created to make the http requests to the registry. | ||
| acrClient, err := api.GetAcrCLIClientWithAuth(loginURL, tagParams.username, tagParams.password, tagParams.configs) | ||
| acrClient, err := api.GetAcrCLIClientWithAuth(loginURL, tagParams.username, tagParams.password, tagParams.configs, tagParams.repoName) |
There was a problem hiding this comment.
Instead of updating newAcrCLIClientWithBearerAuth and GetAcrCLIClientWithAuth with some duplicate ABAC logic that already exists in RefreshTokenForAbac, can we simplify this by keeping GetAcrCLIClientWithAuth with its original signature, and have the tag/manifest commands call RefreshTokenForAbac after client creation (the same pattern purge already uses)?
like:
// In tag.go / manifest.go:
acrClient, err := api.GetAcrCLIClientWithAuth(loginURL, params.username, params.password, params.configs)
if err != nil {
return err
}
// For ABAC registries, scope the token to the target repository.
if acrClient.IsAbac() {
if err := acrClient.RefreshTokenForAbac(context.Background(), []string{params.repoName}); err != nil {
return err
}
}
cmd/acr/annotate.go
Outdated
| loginURL := api.LoginURL(registryName) | ||
| // An acrClient with authentication is generated, if the authentication cannot be resolved an error is returned. | ||
| acrClient, err := api.GetAcrCLIClientWithAuth(loginURL, annotateParams.username, annotateParams.password, annotateParams.configs) | ||
| acrClient, err := api.GetAcrCLIClientWithAuth(loginURL, annotateParams.username, annotateParams.password, annotateParams.configs, "") |
There was a problem hiding this comment.
I reviewed the cssc and annotate commands, both also call GetAcrTags acorss multiple repositories, so they are have the same ABAC gap and would need the same batch pattern as purge command. That's a larger change though, and cssc command is still in preview. Let's keep this PR focused on tag and manifest command. I will create a separate work item to track ABAC support for annotate and cssc
lizMSFT
left a comment
lizMSFT
left a comment
There was a problem hiding this comment.
overall lgtm. please add the unit tests for the tag and manifest ABAC code path
| } | ||
| // For ABAC registries, scope the token to the target repository. | ||
| if acrClient.IsAbac() { | ||
| if err := acrClient.RefreshTokenForAbac(context.Background(), []string{manifestParams.repoName}); err != nil { |
There was a problem hiding this comment.
nit: the context.Background() is redundant here, move the ctx declaration above the ABAC block and reuse it (same in all 4 call sites)
reference: https://github.com/Azure/acr-cli/blob/main/cmd/acr/purge.go#L133C1-L134C1
| func refreshAcrCLIClientToken(ctx context.Context, c *AcrCLIClient, repoName string) error { | ||
| var scope string | ||
| if c.isAbac { | ||
| // For ABAC registries, build scope from currentRepositories and ensure repoName is included |
There was a problem hiding this comment.
Let's still keep the comment here
2 participants
Purpose of the PR
Fixes #