Provide some granularity for individual topic protection #130
Comments
|
@jacobperron @mjcarroll friendly 🛎️ , any comment on this and connected PR ? |
|
I think that this makes sense, I'll have to think about the trade-offs a bit more. I believe that @ruffsl or @emersonknapp may have some additional thoughts/opinions as well. |
|
This approach seems sensible to me, but as you point out, exposing this ability also brings along a fair bit of complexity. I'm struggling to come up with solid use-cases for this that outweigh that maintenance cost, particularly considering that this (what I would call "advanced") use-case is already possible by manually tweaking the governance file. |
|
I’ve been thinking about this and how to interleave protection configuration for a while, specifically in terms of the composability aspect. After I opened the sros2 policy design document PR ros2/design#246 , @mikaelarguedas and I spoke a little offline about approaching this. A particular concern I wrote about in that design doc was on the separation of concern, and how mixing permissions and governance configuration could lead to interferences or limit composability. However, I think I have a decent approach that would retain both simplicity and flexibility. An idea would be to introduce protection as an optional attribute to permissions as well as profiles, that could be used to set/override the scope defined by parent elements within the XML document tree. This allows permissions or entire unaltered profiles to inherit scopes of protection settings over the policy, while still allowing for specific element to be fine tuned. <?xml version="1.0" encoding="UTF-8"?>
<policy version="0.2.0"
xmlns:xi="http://www.w3.org/2001/XInclude">
<!-- Scope default profiles protection (required) -->
<profiles protection="ENCRYPT">
<!-- Override profiles protection within profile scope (optional) -->
<profile ns="/" node="talker" protection="SIGN">
<!-- Override profile protection within permission scope (optional) -->
<topics publish="ALLOW" protection="ENCRYPT">
<topic>chatter</topic>
</topics>
<include package="sros2_common_assets"
href="profile/node.xml"
xpointer="xpointer(/profile/*)"/>
</profile>
<!-- Retain profiles protection within profile scope (optional) -->
<profile ns="/" node="listener">
<!-- Retain profile protection within permission scope (optional) -->
<topics subscribe="ALLOW" >
<topic>chatter</topic>
</topics>
<include package="sros2_common_assets"
href="profile/node.xml"
xpointer="xpointer(/profile/*)"/>
</profile>
<!-- Scope override in conditional upon imported attributes -->
<include package="sros2_common_assets"
href="profiles/sros2_common_policies.xml"
xpointer="xpointer(/profiles/*)"/>
<include package="sros2_common_assets"
href="profiles/add_two_ints.xml"
xpointer="xpointer(/profiles/*)"/>
</profiles>
</policy>In terms of how this maps to Secure DDS governance, I think it would be simplest, while satisfying most average use cases, if we use the projected protection scopes to set However, that approach wouldn't afford any means of setting
Given that ORIGIN_AUTHENTICATION can't be used without setting properties like |
Link the reference implementation to ros2/sros2#130. Also a few minor grammar updates. Signed-off-by: Sid Faber <[email protected]>
* Add vulnerability remediation procedure Signed-off-by: Sid Faber <[email protected]> * Add hint to check package.xml to find maintainer Also two minor formatting updates Signed-off-by: Sid Faber <[email protected]> * Add minutes for 24 Nov 2020 meeting Signed-off-by: Sid Faber <[email protected]> * Clarify G-Turtle simulation goal Link the reference implementation to ros2/sros2#130. Also a few minor grammar updates. Signed-off-by: Sid Faber <[email protected]> * Minor wording changes Signed-off-by: Sid Faber <[email protected]> * Add meeting minutes for 15 Dec 2020 Signed-off-by: Sid Faber <[email protected]> * Fix bad date in meeting minutes Co-authored-by: Kyle Fazzari <[email protected]>
Feature request
Feature description
While DDS allows to pick any protection kind for the topics and associated discovery, it is currently not exposed by sros2 that uses a static governance file. Currently all data / discovery / liveliness is encrypted by default.
Generating the governance file at the same time as generating the permission files would allow to pick the type of protection desired on a per-topic basis.
Implementation considerations
Modifying the SROS2 policy format to take an extra attribute
protectionfor each topic/service/action list would allow to specify that information and leverage it to generate governance topic rules accordingly.Then create a governance.xsl template that would create an governance file with a
TopicRulefor each topic specified in the policy.Trade-offs:
Providing full granularity of the governance parameters will be cumbersome and complex for maintainers to support and for users to use. At which point writing it by hand may be easier. The goal here would be to allow users to specify the protection of their topic in the high level policy file and generate a consistent set of governance/permission.
Example of node configuration:
Some parameters apply to the participant globally and will impact the usefulness of setting other parameters on a per topic basis, some specific use-cases to explore (very sparse list):
rtps_protection_kindtoENCRYPT, would require the node to perform heavy cryptographic operations for all the rtps traffic. -> keeping the default asSIGNThis is a draft to gather initial feedback, if the approach seems sensible, the use cases to consider and trade-offs can be expanded later on.
Example of policy and governance files
Policy:
Governance:
The text was updated successfully, but these errors were encountered: