Description
Describe the bug
The acr purge command cannot be run on ABAC-enabled registries, even if the identity has permissions to (1) list all repositories through the registry catalog API and (2) full permissions to all repositories.
When executing `acr purge`, the command requests an ACR access token with the scope `registry:catalog:* repository:*:*` (reference code: acr-cli/internal/api/acrsdk.go at main · Azure/acr-cli).
However, the wildcard scope "repository:*:*" is not supported for ABAC-enabled registries.
To Reproduce
Steps to reproduce the behavior:
- Create a new ABAC-enabled registry or configure an existing registry to be ABAC-enabled via https://aka.ms/acr/auth/abac
- Ensure the identity has permissions to (1) list all repositories through the registry catalog API and (2) full data plane permissions to all repositories.
- Run `acr purge`
- Observe 401 unauthorized.
Expected Behavior
acr purge should be supported on ABAC-enabled registries.
In-Scope Support for Expected Behavior
To clarify, acr purge should only successfully run if the identity has permissions to (1) list all repositories through the registry catalog API and (2) full data plane permissions to all repositories (defined as all of (content|metadata)/(read|write|delete)).
Out-of-Scope Support for Expected Behavior
This item does not track acr purge support for repository-based purging where the identity only has partial permissions, such as (1) not having permissions to list all repositories through the registry catalog API, or (2) not having full data plane permissions to all repositories (e.g. not having the full `(content|metadata)/(read|write|delete)` set on some repository).
This is because purge operations, such as acr purge, are still considered a privileged operation that registry owners (who typically have full data plane permissions) should be running.
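As an added example (not acr-cli's own code), a small Go pre-flight check for the two conditions this issue turns on: it flags the wildcard `repository:*:*` entry in the scope string described above, and it checks whether an identity's granted actions on a repository amount to the full data plane set defined under In-Scope Support. The action names follow the issue's `(content|metadata)/(read|write|delete)` notation; using those strings as the granted-action labels is an assumption of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// WildcardRepoScopes parses the space-separated scope string acr-cli sends to
// the ACR token endpoint (entries of the form resource:name:actions) and returns
// the entries naming every repository with "*", which ABAC registries reject.
func WildcardRepoScopes(scope string) ([]string, error) {
	var bad []string
	for _, tok := range strings.Fields(scope) {
		parts := strings.SplitN(tok, ":", 3)
		if len(parts) != 3 {
			return nil, fmt.Errorf("malformed scope entry %q", tok)
		}
		if parts[0] == "repository" && parts[1] == "*" {
			bad = append(bad, tok)
		}
	}
	return bad, nil
}

// FullDataPlane is the action set the issue defines as "full data plane
// permissions": all of (content|metadata)/(read|write|delete). Assumed labels.
var FullDataPlane = []string{
	"content/read", "content/write", "content/delete",
	"metadata/read", "metadata/write", "metadata/delete",
}

// HasFullDataPlane reports whether granted covers every FullDataPlane action.
func HasFullDataPlane(granted []string) bool {
	have := make(map[string]bool, len(granted))
	for _, g := range granted {
		have[g] = true
	}
	for _, need := range FullDataPlane {
		if !have[need] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed input: the scope that acr purge requests per this issue.
	bad, err := WildcardRepoScopes("registry:catalog:* repository:*:*")
	fmt.Println(bad, err)
}
```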