Managing ROS2 Security Policy - nps-ros2/nps-ros2-examples GitHub Wiki

In Installing the ROS2 Environment we generated security policy using default security keys. Here we generate keys that use a different security policy by running ros2 security create_permission and providing our specific permission yaml file settings. These steps are adapted from https://github.com/ros2/sros2/blob/master/SROS2_Linux.md#access-control. These steps require the ROS2 environment be set up per Installing the ROS2 Environment.

Specifically, the default security policy provides encryption and authentication between nodes. The alternate security policy defined here additionally enforces access control.

• Create alternate_policy_keys next to the previously created demo_keys under ~/sros2_demo:

  cd ~/sros2_demo
  ros2 security create_keystore alternate_policy_keys
  ros2 security create_key alternate_policy_keys /talker
  ros2 security create_key alternate_policy_keys /listener
  

• Create permissions for the talker and listener using the SROS2 demo policy files which, for your convenience, have been copied to ~/gits/nps-ros2-examples/example_security_policies:

  cd ~/sros2_demo
  ros2 security create_permission alternate_policy_keys /talker ~/gits/nps-ros2-examples/example_security_policies/sample_policy.xml
  ros2 security create_permission alternate_policy_keys /listener ~/gits/nps-ros2-examples/example_security_policies/sample_policy.xml
  

  These permissions enforce access control by additionally requiring that the talker and listener nodes only publish and subscribe to the topic named chatter.

• Before going further, you might want to verify that the default security settings encrypt but do not enforce access control.

  In one terminal type:

  ros2 run demo_nodes_cpp talker chatter:=alternate_chatter
  

  and in another terminal type:

  ros2 run demo_nodes_py listener chatter:=alternate_chatter
  

  Observe the listener working and, if desired, observe encrypted packets using Wireshark.

• Change your security settings in your .bashrc file to point to your alternate policy keys to this:

  # Security
  export ROS_SECURITY_ROOT_DIRECTORY=~/sros2_demo/alternate_policy_keys
  export ROS_SECURITY_ENABLE=true
  #export ROS_SECURITY_ENABLE=false
  export ROS_SECURITY_STRATEGY=Enforce
  

  and restart your command windows so that they use the new security settings.

• Verify that Start the talker and listener using the chatter topic name:

  In one terminal type:

    ros2 run demo_nodes_cpp talker
  

  and in another terminal type:

  ros2 run demo_nodes_py listener
  

• Verify that an alternate topic name is disallowed using alternate_chatter:

  In a terminal type:

  ros2 run demo_nodes_cpp talker chatter:=alternate_chatter
  

  and observe that the talker will fail to start because topic alternate_chatter is not allowed.

  Type:

  ros2 run demo_nodes_py listener chatter:=alternate_chatter
  

  and observe that the listener will also fail to start because topic alternate_chatter is not allowed.