SECURITY_DEMO.md

File metadata and controls

100 lines (70 loc) · 3.14 KB

Using Performance Test with security enabled

ROS2 security can restrict which nodes are allowed to publish and subscribe, and which topics a given node may publish or subscribe to. For an overview of ROS2 security, see the SROS package on GitHub.

Performance Test Security Demo

Performance Test provides a helper script to quickly set up ROS2 security. First, you should be able to build and run performance_test using the steps in the README.md.

Next, to generate keys and enable security, follow the steps below:

cd performance_test/helper_scripts
source security_setup.bash enable ~/demo_keys

This will generate keys for 6 nodes named:

  • performance_test0
  • performance_test1
  • performance_test2
  • performance_test3
  • performance_test4
  • performance_test5

These nodes will be allowed to publish and subscribe to the following topics as specified in performance_test/helper_scripts/policy.xml:

  • Array1k
  • Array4k
  • Array16k
  • Array32k
  • Array60k
  • Array1m
  • Array2m

The performance test tool uses a topic name that matches the data type it was asked to test. That means that after enabling security with the helper script, the performance test tool will only be able to test Array* messages.

Finally, this script changes the environment of the current shell to include:

export ROS_SECURITY_ROOT_DIRECTORY=~/demo_keys
export ROS_SECURITY_ENABLE=true
export ROS_SECURITY_STRATEGY=Enforce

This means that when you run the performance test tool in the same shell, it will run with security enabled.

Observe that only certain node names are valid

If you run:

ros2 run performance_test perf_test -c ROS2 -t Array1k --max_runtime 30

You should observe a failure similar to:

terminate called after throwing an instance of 'rclcpp::exceptions::RCLError'
  what():  failed to initialize rcl node: SECURITY ERROR: directory /home/user/demo_keys/performance_test1662981776 does not exist. Lookup strategy: MATCH_EXACT, at /path/rcl/rcl/src/rcl/security_directory.c:256

This is because by default, perf_test chooses a random node name like performance_test1662981776 and the keys we generated above need to match the node names.

To make the tool select predictable node names, use the --with_security option. This will create nodes with names that match the keys generated by security_setup.bash.

Observe that only certain topic names can be used

If you run:

ros2 run performance_test perf_test -c ROS2 -t Struct16 --max_runtime 30 --with_security

You should observe a failure similar to:

2019-11-05 11:32:16.306 [SECURITY Error] Error checking creation of local writer 9d.8d.94.e3.56.29.ad.53.69.7c.de.da|0.0.1.3 (rt/Struct16 topic not found in allow rule. (/path/Fast-RTPS/src/cpp/security/accesscontrol/Permissions.cpp:1111))

This is because the policy.xml file used by the security_setup helper scripts only allows publishing and subscribing on certain topic names.

A successful example

If you run:

ros2 run performance_test perf_test -c ROS2 -t Array1k --max_runtime 30 --with_security

You should see the tool execute successfully with security.
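
A pre-flight check for the two failures shown above (no key directory for the node name, topic outside the allow list), added here as an example and not part of the performance_test repository. The function names are hypothetical, and the topic list is copied from this page rather than parsed from policy.xml, which remains the authoritative source.

```bash
#!/usr/bin/env bash
# Added example (not from the performance_test repository).
# Topic allow list as listed on this page; policy.xml is the real source of truth.
ALLOWED_TOPICS="Array1k Array4k Array16k Array32k Array60k Array1m Array2m"

# Return 1 unless the three variables exported by security_setup.bash are in effect.
check_security_env() {
  [ -n "${ROS_SECURITY_ROOT_DIRECTORY:-}" ] || { echo "ROS_SECURITY_ROOT_DIRECTORY is not set" >&2; return 1; }
  [ "${ROS_SECURITY_ENABLE:-}" = "true" ] || { echo "ROS_SECURITY_ENABLE is not 'true'" >&2; return 1; }
  [ "${ROS_SECURITY_STRATEGY:-}" = "Enforce" ] || { echo "ROS_SECURITY_STRATEGY is not 'Enforce'" >&2; return 1; }
}

# Return 2 unless a directory named exactly like the node exists in the key store.
# This mirrors the MATCH_EXACT lookup reported in the rcl error message.
check_node_keys() {
  if [ ! -d "${ROS_SECURITY_ROOT_DIRECTORY}/$1" ]; then
    echo "no key directory for node '$1' in ${ROS_SECURITY_ROOT_DIRECTORY}" >&2
    return 2
  fi
}

# Return 3 unless the topic is one of the names the demo policy allows.
check_topic() {
  for _allowed in $ALLOWED_TOPICS; do
    if [ "$_allowed" = "$1" ]; then
      return 0
    fi
  done
  echo "topic '$1' is not in the allow list" >&2
  return 3
}

# preflight <node_name> <topic>: run all checks, stopping at the first failure.
preflight() {
  check_security_env || return $?
  check_node_keys "$1" || return $?
  check_topic "$2" || return $?
  echo "ok: node '$1' has keys and topic '$2' is allowed"
}
```

Source the file in the shell where security_setup.bash was sourced, then run for example `preflight performance_test0 Array1k` before starting perf_test.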