Remove unnecessary network call in az acr cache subcommand

`az acr cache create` and `az acr cache update` are used to create and
update cache rules under Azure Container Registry. A _cache rule_ is a
sub resource of a container registry.

Currently, when the above two operations are performed, the code first
makes a GET request to _registry_ resource, only to get the id of the
resource by its name. It needs the registry id in order to create
credential set id which is needed when creating and updating a cache
rule. The credential set id can be determined without making the above
GET request. This GET request is made on the registry resource, which
implies the executing user must have 'Reader' role of the registry. This
could lead to user overprivileging roles, e.g. now they have to give
executing user registry read permissions, in additoinal to cache rule
CRUD permissions.

This commit removed the GET registry request in cache create and cache
update workflow. As a result, a role with only cache rule permissions is
able to execute cache rule create and update. This makes our security
model clearer, and also makes the operation more efficient.

Author: renshao

src/azure-cli/azure/cli/command_modules/acr/_constants.py

@@ -11,6 +11,8 @@
 WEBHOOK_RESOURCE_TYPE = REGISTRY_RESOURCE_TYPE + '/webhooks'
 REPLICATION_RESOURCE_TYPE = REGISTRY_RESOURCE_TYPE + '/replications'
 
+CREDENTIAL_SET_RESOURCE_ID_TEMPLATE = '/subscriptions/{sub_id}/resourceGroups/{rg}/providers/Microsoft.ContainerRegistry/registries/{reg_name}/credentialSets/{cred_set_name}'
+
 TASK_RESOURCE_TYPE = REGISTRY_RESOURCE_TYPE + '/tasks'
 TASK_VALID_VSTS_URLS = ['visualstudio.com', 'dev.azure.com']
 TASK_RESOURCE_ID_TEMPLATE = '/subscriptions/{sub_id}/resourceGroups/{rg}/providers/Microsoft.ContainerRegistry/registries/{reg}/tasks/{name}'

src/azure-cli/azure/cli/command_modules/acr/cache.py

@@ -3,11 +3,12 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
+from ._constants import CREDENTIAL_SET_RESOURCE_ID_TEMPLATE
 from ._utils import get_registry_by_name, get_resource_group_name_by_registry_name
 from azure.cli.core.azclierror import InvalidArgumentValueError
+from azure.cli.core.commands.client_factory import get_subscription_id
 from azure.core.serialization import NULL as AzureCoreNull
 
-
 def acr_cache_show(cmd,
                    client,
                    registry_name,
@@ -54,9 +55,18 @@ def acr_cache_create(cmd,
                      resource_group_name=None,
                      cred_set=None):
 
-    registry, rg = get_registry_by_name(cmd.cli_ctx, registry_name, resource_group_name)
-
-    cred_set_id = AzureCoreNull if not cred_set else f'{registry.id}/credentialSets/{cred_set}'
+    if cred_set:
+        sub_id = get_subscription_id(cmd.cli_ctx)
+        rg = get_resource_group_name_by_registry_name(cmd.cli_ctx, registry_name, resource_group_name)
+        # Format the credential set ID using subscription ID, resource group, registry name, and credential set name
+        cred_set_id = CREDENTIAL_SET_RESOURCE_ID_TEMPLATE.format(
+            sub_id=sub_id,
+            rg=rg,
+            reg_name=registry_name,
+            cred_set_name=cred_set
+        )
+    else:
+        cred_set_id = AzureCoreNull
 
     CacheRuleCreateParameters = cmd.get_models('CacheRule', operation_group='cache_rules')
 
@@ -82,9 +92,18 @@ def acr_cache_update_custom(cmd,
     if cred_set is None and remove_cred_set is False:
         raise InvalidArgumentValueError("You must either update the credential set ID or remove it.")
 
-    registry, _ = get_registry_by_name(cmd.cli_ctx, registry_name, resource_group_name)
-
-    cred_set_id = AzureCoreNull if remove_cred_set else f'{registry.id}/credentialSets/{cred_set}'
+    if remove_cred_set:
+        cred_set_id = AzureCoreNull
+    else:
+        sub_id = get_subscription_id(cmd.cli_ctx)
+        rg = get_resource_group_name_by_registry_name(cmd.cli_ctx, registry_name, resource_group_name)
+        # Format the credential set ID using subscription ID, resource group, registry name, and credential set name
+        cred_set_id = CREDENTIAL_SET_RESOURCE_ID_TEMPLATE.format(
+            sub_id=sub_id,
+            rg=rg,
+            reg_name=registry_name,
+            cred_set_name=cred_set
+        )
 
     instance.credential_set_resource_id = cred_set_id