[ros-users] [Discourse.ros.org] [Next Generation ROS] ROS2 Security Working Group Online Meeting

Ross Desmond ros.discourse at gmail.com
Sun Nov 25 19:43:04 UTC 2018





[quote="ruffsl, post:29, topic:6393"]

The mapping for ROS2 actions and parameters to DDS topics spread across elsewhere. I'm not sure how much has been settled upon; I still don't like the use of tokens for action namespaces: [my comment](https://github.com/ros2/design/pull/193/files/a4397401f83ebbb9dab22c7b04f35902909c950a#r235861311).

[/quote]



Completely agree here, while the documentation is under a design page, every rmw implementation has a very similar structure. My question alludes to the numerous duplicate definitions in each rmw implementation layer instead of defining these constants in the rmw interface layer.



[quote="ruffsl, post:29, topic:6393"]

To improve upon the permission configuration format, I'd like to provide users a precise schema definition to help strongly type the security configuration format, yet facilitate successive versioning. As ROS2 already makes much use of XML for the package.xml and DDS permissions.xml files, XML seems a logical choice to start with for being both easily machine parsable/verifiable, still human readable but also easily composable and recursive, allowing for more succinct, structured policy profile formats.

[/quote]



I'm interested in a strongly typed, structured permission file as well. However, we also need a timeline for when/what we will be changing in sros2. I would like to enable security by default. In other words, reduce the amount of overhead to develop and deploy ROS2 with security on. [These features are summarized here](https://discourse.ros.org/t/ros2-security-tools-for-development-and-production/6487).



One of these features generates the policy.yaml file from a running ROS system. This allows developers/deployment engineers to use an sros2 command line tool to generate their entire system's policies. The status of this feature is that it currently works with the [node graph implementation](https://github.com/ros2/rcl/pull/333) and secures topics with the sros2 create_permission verb. We would like to push these features for ROS2 users sooner rather than later. **@ruffsl do we expect these sros2 changes to occur soon, or should we simply change the yaml definition for now to secure services?**



    

    Generate an sros2 yaml permissions file with the permissions of every visible node
    on the dds network.

    Example: run the minimal_publisher_lambda node
    Execute: `ros2 security generate_permissions node_policies.yaml`

    It will create the node_policies.yaml file in the current directory:
    nodes:
        minimal_publisher:
          services:
            describe_parameters:
              allows: rr
              .
              .
              .
          topics:
            parameter_events:
              allows: ps
            topic:
              allows: p










