Open thgossler opened 2 months ago
Hi @thgossler, this is a known limitation of the Catalog API. When using a scope-mapped token, ACR only supports *
scope-mapped tokens when listing all repositories in the Catalog API. Unfortunately, we don't have a timeline to enable a permissions-scoped Catalog API - that is, an experience that will only return the repositories a token has permissions to.
Our use case is a single central container registry for all product groups of our enterprise organization who are shipping containerized software to our customers. The goal is a central place with consistent quality assurance and governance. You can imagine that in such an enterprise context with 10th of product groups and hundreds of repositories it is not advisable to give everyone access to everything. Because the portal is not supporting scope maps, I am trying to put another user interface on it to leverage tokens and scope maps for this purpose. You tell me now that this will also not be possible which makes the Azure container registry unsuitable for our plans. I was assuming that one of the major goals for ACR was to make it suitable for enterprise use cases, because for other cases Docker Hub may already be sufficient.
If, finally, scope maps would be supported with Microsoft Entra security principals in the Azure Portal, that would also solve this issue for us.
Describe the bug Catalog API "/v2/_catalog?n=1000" doesn't return any results with a bearer token "/oauth2/token?service=myregistry.azurecr.io&scope=registry:catalog:" for a limited scope map like "my/repo/". After changing the scope map to "*" all repos are returned.
Expected behavior The catalog API should return all repos that are included in the scope map and covered by the scope of the access token.
Any relevant environment information