From 18d03ea920a01e0fc8e894b65f5f4c03b8db5b2c Mon Sep 17 00:00:00 2001 From: sanjayananthamurthy <139238878+sanjayananthamurthy@users.noreply.github.com> Date: Fri, 1 Aug 2025 10:29:12 +0530 Subject: [PATCH 1/3] updating the RBAC + ABAC scenario of ACR the acrpull won't work if container is configured for ABAC the identity should have the **Container Registry Repository Contributor** role --- .../concept-endpoints-online-auth.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/articles/machine-learning/concept-endpoints-online-auth.md b/articles/machine-learning/concept-endpoints-online-auth.md index 833fe9f0eb..6da2f018af 100644 --- a/articles/machine-learning/concept-endpoints-online-auth.md +++ b/articles/machine-learning/concept-endpoints-online-auth.md 
@@ -115,6 +115,18 @@ An online deployment runs your user container with the endpoint identity, that i - For a SAI, the identity is created automatically when you create the endpoint, and roles with fundamental permissions, such as the Container Registry pull permission **AcrPull** and the **Storage Blob Data Reader**, are automatically assigned. - For a UAI, you need to create the identity first, and then associate it with the endpoint when you create the endpoint. You're also responsible for assigning proper roles to the UAI as needed. +> [!IMPORTANT] +> If you configure your Container registry to use **[RBAC Registry + ABAC Repository Permissions](https://learn.microsoft.com/azure/container-registry/container-registry-rbac-abac-repository-permissions?tabs=azure-portal)** + +> ![ABAC permission on container](https://learn.microsoft.com/azure/container-registry/media/container-registry-rbac-abac-repository-permissions/rbac-abac-repository-permissions-02-update-registry.png) + +>In this case some existing role assignments aren't honored or will have different effects, because a different set of ACR built-in roles apply to ABAC-enabled registries. + +> For example, the **AcrPull**, **AcrPush**, and **AcrDelete** roles aren't honored in an ABAC-enabled registry. +Instead, in ABAC-enabled registries, use the `Container Registry Repository Reader`, `Container Registry Repository Writer`, and `Container Registry Repository Contributor` roles to grant either registry-wide or repository-specific image permissions. + +> Ensure that the SAI or the UAI of your endpoint has the **Container Registry Repository Contributor** role assigned on the Container registry + ### Automatic role assignment for endpoint identity If the endpoint identity is a SAI, the following roles are assigned to the endpoint identity for convenience. From 40380d4b19950c8e27d54133c304cd500dfa30d5 Mon Sep 17 00:00:00 2001 
From: Regan Downer Date: Fri, 8 Aug 2025 10:50:18 -0400 Subject: [PATCH 2/3] Fix issues --- .../concept-endpoints-online-auth.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/articles/machine-learning/concept-endpoints-online-auth.md b/articles/machine-learning/concept-endpoints-online-auth.md index 6da2f018af..f35039b9b1 100644 --- a/articles/machine-learning/concept-endpoints-online-auth.md +++ b/articles/machine-learning/concept-endpoints-online-auth.md 
@@ -116,16 +116,16 @@ An online deployment runs your user container with the endpoint identity, that i - For a UAI, you need to create the identity first, and then associate it with the endpoint when you create the endpoint. You're also responsible for assigning proper roles to the UAI as needed. > [!IMPORTANT] -> If you configure your Container registry to use **[RBAC Registry + ABAC Repository Permissions](https://learn.microsoft.com/azure/container-registry/container-registry-rbac-abac-repository-permissions?tabs=azure-portal)** - -> ![ABAC permission on container](https://learn.microsoft.com/azure/container-registry/media/container-registry-rbac-abac-repository-permissions/rbac-abac-repository-permissions-02-update-registry.png) - +> If you configure your Container registry to use **[RBAC Registry + ABAC Repository Permissions](/azure/container-registry/container-registry-rbac-abac-repository-permissions?tabs=azure-portal)** +> +> ![Screenshot showing an ABAC permission on container.](/azure/container-registry/media/container-registry-rbac-abac-repository-permissions/rbac-abac-repository-permissions-02-update-registry.png) +> >In this case some existing role assignments aren't honored or will have different effects, because a different set of ACR built-in roles apply to ABAC-enabled registries. - +> > For example, the **AcrPull**, **AcrPush**, and **AcrDelete** roles aren't honored in an ABAC-enabled registry. -Instead, in ABAC-enabled registries, use the `Container Registry Repository Reader`, `Container Registry Repository Writer`, and `Container Registry Repository Contributor` roles to grant either registry-wide or repository-specific image permissions. 
- -> Ensure that the SAI or the UAI of your endpoint has the **Container Registry Repository Contributor** role assigned on the Container registry +> Instead, in ABAC-enabled registries, use the `Container Registry Repository Reader`, `Container Registry Repository Writer`, and `Container Registry Repository Contributor` roles to grant either registry-wide or repository-specific image permissions. +> +> Ensure that the SAI or the UAI of your endpoint has the **Container Registry Repository Contributor** role assigned on the Container registry. ### Automatic role assignment for endpoint identity From efb7e7fbc6d994a7b7b3b927bc6ae2f5fa284f5d Mon Sep 17 00:00:00 2001 From: sanjayananthamurthy <139238878+sanjayananthamurthy@users.noreply.github.com> Date: Tue, 12 Aug 2025 09:02:19 +0530 Subject: [PATCH 3/3] Update articles/machine-learning/concept-endpoints-online-auth.md Co-authored-by: SeokJin Han <4353157+dem108@users.noreply.github.com> --- articles/machine-learning/concept-endpoints-online-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/machine-learning/concept-endpoints-online-auth.md b/articles/machine-learning/concept-endpoints-online-auth.md index f35039b9b1..06ef5bae42 100644 --- a/articles/machine-learning/concept-endpoints-online-auth.md +++ b/articles/machine-learning/concept-endpoints-online-auth.md 
@@ -120,7 +120,7 @@ An online deployment runs your user container with the endpoint identity, that i > > ![Screenshot showing an ABAC permission on container.](/azure/container-registry/media/container-registry-rbac-abac-repository-permissions/rbac-abac-repository-permissions-02-update-registry.png) > ->In this case some existing role assignments aren't honored or will have different effects, because a different set of ACR built-in roles apply to ABAC-enabled registries. +>In this case, some existing role assignments aren't honored or will have different effects, because a different set of ACR built-in roles apply to ABAC-enabled registries. > > For example, the **AcrPull**, **AcrPush**, and **AcrDelete** roles aren't honored in an ABAC-enabled registry. > Instead, in ABAC-enabled registries, use the `Container Registry Repository Reader`, `Container Registry Repository Writer`, and `Container Registry Repository Contributor` roles to grant either registry-wide or repository-specific image permissions.
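Review bot: In the PATCH 1/3 hunk, the role recommended for the endpoint identity is broader than the permission it replaces. The unchanged context line describes **AcrPull** as "the Container Registry pull permission", and the added text itself lists `Container Registry Repository Reader`, `Container Registry Repository Writer`, and `Container Registry Repository Contributor` as the ABAC-era roles, yet the closing line tells readers to assign **Container Registry Repository Contributor**, the most permissive of the three. An online deployment only needs to pull its image, so the least-privilege replacement for AcrPull is the Reader role; suggest `> Ensure that the SAI or the UAI of your endpoint has the **Container Registry Repository Reader** role assigned on the Container registry.` or, if Contributor is deliberately required, one sentence saying why. Separately, the bare `+` blank lines and the `+Instead, in ABAC-enabled registries, ...` line without a leading `>` split the `[!IMPORTANT]` block into several disconnected blockquotes when rendered.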
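Review bot: In the PATCH 2/3 hunk, the opening line of the note, `> If you configure your Container registry to use **[RBAC Registry + ABAC Repository Permissions](...)**`, is still a conditional clause with no main clause and no terminal punctuation, so the note reads as a fragment followed by a screenshot. Suggest folding it into the sentence that follows the image, for example `> If you configure your container registry to use **[RBAC Registry + ABAC Repository Permissions](...)**, some existing role assignments aren't honored or have different effects, because a different set of ACR built-in roles applies to ABAC-enabled registries.` The switch to site-relative links, the `>` continuation lines, and the descriptive alt text are the right fixes; while touching this block, `>In this case` should get the space after `>` that every other line uses.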
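Review bot: In the PATCH 3/3 hunk, the changed line `+>In this case, some existing role assignments ...` adds the comma but keeps the missing space after `>`, unlike the neighbouring `> For example` and `> Instead` lines; since the line is being edited anyway, make it `+> In this case, some existing role assignments ...` so the blockquote is formatted consistently. The series as a whole still ends with the Contributor recommendation from PATCH 1/3, so the least-privilege point raised there should be resolved before merge.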