-
Notifications
You must be signed in to change notification settings - Fork 33
Add basic support for security logging plugin #404
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Questions:
|
Yeah, you got it. We want the user to be able to enable/disable security logging on the ROS end without having to care about the DDS implementation they're using.
No, we propose doing the same in rmw_fastrtps. Long-term this should indeed be in RCL, but we felt it needed more design before we got to that point. Security logging is actually something configured on a per-participant basis, so we have an XML file format designed for this that we were thinking would be generated by the SROS2 utilities, but it needs an actual design doc written, and the context work and introduction of enclaves has changed that a bit and we need to revisit. In the short-term, some environment variables to allow people to start playing with this functionality while we properly design the real deal seemed the best path forward. Would you prefer to see this added to RCL and shoved into rmw_security_options_t, even knowing that this isn't the final story?
It is indeed vendor-specific. Regarding Connext, if the security log is enabled, it will no longer show security events on stdout/stderr. Not something we recommend enabling by default as a result. |
It might be nice to introduce it into rcl, even its beta, as even then other rmw vendors could be added to the beta feature mid release. I'd like to rework @ivanpauno or @mikaelarguedas might have more of an option on pushing these log env options up into |
Same here, but note that I'm trying to get this stuff into Foxy. That's why I'm trying to keep it as small as possible and not change API at this late date.
Nothing prevents that, even without changes to RCL, other than the fact that we have a feature freeze. At this point I'm happy to do what will make this land, but we don't have time to change it more than once unless the feature freeze somehow doesn't apply to this? @ivanpauno, @jacobperron please share your thoughts on what we should do here. I can add this to RCL and add a few new items to |
If you think any new additions to |
Thank you @jacobperron, you outlined my position in far less words than I did 😉 . Okay, this is ready for a more thorough review, then. Once we're happy with it I can update ros2/rmw_fastrtps#362 to match. |
rmw_connext_shared_cpp/include/rmw_connext_shared_cpp/security_logging.hpp
Show resolved
Hide resolved
This PR needs a rebase to get the latest changes upstream so that CI will pass. |
A bit late to the party but just to restate publically what happened in passed discussions. End goal is to have a single entry point for configuring logging, that would be an XML file containing only ROS concepts (so not vendor specific and even not DDS-specific). These were too big of changes to be made last minute for Foxy, this PR and corresponding rmw_fastrtps PR are minimal self contained implementation that allow to configure some parts of the logging plugin to allow a minimal use. This was meant as an MVP not touching asny public API, this is why all new functions and defines are private and why the code is duplicated between this PR and the rmw_fastrtps one. +1 for no public API change and not change to rmw_security_options this time around. @kyrofa I thought this change came with an sros2 change to add the relevant pure DDS logging topic to the permissions. Is this change on a branch somewhere to be tested along this ? I haven't been able to test this but hope to do so and review the PRs by tomorrow |
Support setting the security logging properties in Connext by exposing three environment variables: - `ROS_SECURITY_LOG_FILE`: Log security events to the provided file path - `ROS_SECURITY_LOG_PUBLISH`: Publish security events to DDS topic - `ROS_SECURITY_LOG_VERBOSITY`: Control verbosity of logged events Signed-off-by: Kyle Fazzari <kyle@canonical.com>
Signed-off-by: Kyle Fazzari <kyle@canonical.com>
Signed-off-by: Kyle Fazzari <kyle@canonical.com>
f656ba4
to
2e4fb20
Compare
Done. |
Signed-off-by: Kyle Fazzari <kyle@canonical.com>
Good idea, just pushed that.
I'm working on that now, so not yet. However, this doesn't depend on that so much as that depends on this.
No, but I fully intend to write one, particularly to ensure RMWs that support logging work the same way. I just need to learn my way around them, first 😄 . Other than the unit tests in this PR to ensure we're turning the right knobs, actually ensuring it turns into Connext logging as expected is currently a manual affair. The test_security addition should not be subject to the feature freeze like this is, however, so we should be able to get that in no problem. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gave this a quick try.
It works! logged to file successfully (it always append to the file instead of overwriting which I guess is nice when multiple participants use the same file).
Didnt get a chance to confirm that the logging to topic wors. Surprisingly it didnt complain about missing permissions to do so.
A bit confused with the verbosity levels, a longer comment about it inline
{"ERROR", "3"}, | ||
{"WARNING", "4"}, | ||
{"NOTICE", "5"}, | ||
{"INFORMATIONAL", "6"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TBH this has been pretty unexpected and I had to go in the code to figure out what value to put to get this working.
I epected one of the following to work:
- what's in the spec:
- INFO_LEVEL
- INFORMATIONAL_LEVEL
- What I saw in most DDS examples (Connext, CoreDX): numbers between 0 and 7
- The ROS severity levels https://github.com/ros2/rcutils/blob/a357b67e7d9f00f8fbfe306491438cd1e8ee5219/rcutils/logging.py#L17
And NONE worked...
I believe we need those to be both more visible, with a more informative error message than:
failed to set security logging verbosity: 7 is not a supported verbosity
We need to either accept more values, or pick ones that are already agreed on elsewhere, either the numbers or string matching the
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both Fast RTPS and Connext follow the enum in section 9.6 of DDS-Security... mostly. Connext uses the numeric value of the enum in 5.3, but deprecated that in v6 to use the strings instead, sans the "_LEVEL", which was really the model for this. Fast RTPS follows 9.6 exactly, including the "_LEVEL." However, given that:
- We want all RMWs to work the same way, even given that this is temporary, and
- We want this to be more of a ROS abstraction than a DDS-level thing
We settled on the more clear and less "go read the spec" ish option. You're right though-- would it help to simply print all the supported verbosities in the error message?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, I'd be happy to use the ROS verbosities instead if that seems more clear. I think that's a pretty good idea. There aren't quite as many levels though so we'll need to agree on a mapping. Maybe:
ROS verbosity | DDS verbosity |
---|---|
FATAL | EMERGENCY |
(also ERROR) | ALERT |
(also ERROR) | CRITICAL |
ERROR | ERROR |
WARN | WARNING |
(also INFO) | NOTICE |
INFO | INFORMATIONAL |
DEBUG | DEBUG |
Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't feel very strongly either way as this is temporary, as long as we make it more visible.
For the longer term, we'll need to decide what to put in the XML file exposed to users.
As that XML file aim to have only ROS concepts, maybe we should use ROS verbosity levels in the XML.
So for consistency I'd say let's use that here too.
The mapping in the table above looks good to me 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't really make my mind on whether we should map or not. I see the benefit of sticking to ROS verbosities but can't yet foresee the cons of having less levels. And the specs does not help much here, from section 9.6:
EMERGENCY_LEVEL, // System is unusable. Should not continue use.
ALERT_LEVEL, // Should be corrected immediately
CRITICAL_LEVEL, // A failure in primary application.
ERROR_LEVEL, // General error conditions
WARNING_LEVEL, // May indicate future error if action not taken.
NOTICE_LEVEL, // Unusual, but nor erroneous event or condition.
INFORMATIONAL_LEVEL, // Normal operational. Requires no action.
DEBUG_LEVEL
I guess either way is fine for now so we should prefer the most user friendly solution and that'd be using ROS verbosities.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, just pushed a change to use ROS verbosities, as well as a nicer error message when an unsupported one is selected. Take another look?
Co-Authored-By: Mikael Arguedas <mikael.arguedas@gmail.com> Signed-off-by: Kyle Fazzari <kyle@canonical.com>
Also print more helpful error message when unsupported verbosity is requested. Signed-off-by: Kyle Fazzari <kyle@canonical.com>
3390020
to
8662aac
Compare
Signed-off-by: Kyle Fazzari <kyle@canonical.com>
FYI, I'm able to confirm that logging to DDS works via the RTI admin console. That doesn't seem to be in accordance with my (nor your, it appears) reading of the spec, but it means that the sros2 profile tweak isn't required at this time. This will need some more investigation to fully understand, but it shouldn't stand in the way of this PR. |
(ros2/rmw_fastrtps#362 has been updated to function the same way as this PR) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the ROS verbosity mapping. Could use a round of CI for a final check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm with green CI
The fact that these warnings appear in this PR that uses
aarch failure is expected 👍 there is no connext deb for arm |
Signed-off-by: Kyle Fazzari <kyle@canonical.com>
I was hoping maybe the visibility macro was the hidden magic here, but apparently not: Note that ros2/rmw_fastrtps#362, which is super similar code, does not have a warning. I'm at a loss here. @sloretz any chance you have an idea? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one small fix, otherwise LGTM!
No idea. Maybe the issue can be avoided for now by using the |
Signed-off-by: Kyle Fazzari <kyle@canonical.com>
Signed-off-by: Kyle Fazzari <kyle@canonical.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with green CI
Excellent, all green now! No idea what was going on, but I like this better anyway. |
Support setting the security logging properties in Connext by exposing three environment variables:
ROS_SECURITY_LOG_FILE
: Log security events to the provided file pathROS_SECURITY_LOG_PUBLISH
: Publish security events to DDS topicROS_SECURITY_LOG_VERBOSITY
: Control verbosity of logged eventscc @mikaelarguedas and @artivis