Managing ROS2 Security Policy - nps-ros2/nps-ros2-examples GitHub Wiki
In Installing the ROS2 Environment we generated security policy using default security keys. Here we generate keys that use a different security policy by running ros2 security create_permission
and providing our specific permission yaml file settings. These steps are adapted from https://github.com/ros2/sros2/blob/master/SROS2_Linux.md#access-control. These steps require the ROS2 environment be set up per Installing the ROS2 Environment.
Specifically, the default security policy provides encryption and authentication between nodes. The alternate security policy defined here additionally enforces access control.
-
Create
alternate_policy_keys
next to the previously createddemo_keys
under~/sros2_demo
:cd ~/sros2_demo ros2 security create_keystore alternate_policy_keys ros2 security create_key alternate_policy_keys /talker ros2 security create_key alternate_policy_keys /listener
-
Create permissions for the talker and listener using the SROS2 demo policy files which, for your convenience, have been copied to
~/gits/nps-ros2-examples/example_security_policies
:cd ~/sros2_demo ros2 security create_permission alternate_policy_keys /talker ~/gits/nps-ros2-examples/example_security_policies/sample_policy.xml ros2 security create_permission alternate_policy_keys /listener ~/gits/nps-ros2-examples/example_security_policies/sample_policy.xml
These permissions enforce access control by additionally requiring that the
talker
andlistener
nodes only publish and subscribe to the topic namedchatter
. -
Before going further, you might want to verify that the default security settings encrypt but do not enforce access control.
In one terminal type:
ros2 run demo_nodes_cpp talker chatter:=alternate_chatter
and in another terminal type:
ros2 run demo_nodes_py listener chatter:=alternate_chatter
Observe the listener working and, if desired, observe encrypted packets using Wireshark.
-
Change your security settings in your
.bashrc
file to point to your alternate policy keys to this:# Security export ROS_SECURITY_ROOT_DIRECTORY=~/sros2_demo/alternate_policy_keys export ROS_SECURITY_ENABLE=true #export ROS_SECURITY_ENABLE=false export ROS_SECURITY_STRATEGY=Enforce
and restart your command windows so that they use the new security settings.
-
Verify that Start the talker and listener using the
chatter
topic name:In one terminal type:
ros2 run demo_nodes_cpp talker
and in another terminal type:
ros2 run demo_nodes_py listener
-
Verify that an alternate topic name is disallowed using
alternate_chatter
:In a terminal type:
ros2 run demo_nodes_cpp talker chatter:=alternate_chatter
and observe that the talker will fail to start because topic
alternate_chatter
is not allowed.Type:
ros2 run demo_nodes_py listener chatter:=alternate_chatter
and observe that the listener will also fail to start because topic
alternate_chatter
is not allowed.