New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should services servers require both publish & subscribe access to own Request/Reply? #63
Comments
A service Server needs server access only, a service client needs client access only. Since Bouncy all nodes start a service server for parameters ( in Ardent only a service client was automatically started). Some links relevant to starting parameter service automatically in Bouncy ros2/rclcpp#478 and #52. |
here, here!
Ah, looking closely back at Ardent, I was a little perplexed why only client access was needed before. That explances it.
Correct. |
Ok, so the reason we create clients automatically since Ardent is because we introduced the notion of clock in c++ nodes. |
Ah, I see such is the case here: I played around in rclcpp and found that cutting out |
Yeah I had the same feeling when I wrote the previous answer. That is what prompted me to point to the ongoing Time related changes as removing the client may impact it. If the ongoing rclcpp time changes don't require a client, I would recommend removing the default client completely as well as leveraging the server to react to "use_sim_time" param value change, rather than subscribing to and filtering the messages published to the |
For reference WRT security of the |
I believe the original question has been answered so I'm going to close this. I opened ros2/rclcpp#537 to track the current use of the parameter client in rclcpp, and ros2/ros2#432 is still opened to discuss the more generic use of parameter related topics and services |
This issue has been mentioned on ROS Discourse. There might be relevant details there: https://discourse.ros.org/t/security-ramifications-of-global-parameter-events/15924/4 |
This issue has been mentioned on ROS Discourse. There might be relevant details there: https://discourse.ros.org/t/security-ramifications-of-global-parameter-events/15924/6 |
While developing on keymint, I attempted to use the same semantic access control profile that I had successfully used in ROS2 Ardent, with the addition of some new subsystem services such as
set_parameters_atomically
. However, this proved insufficient, and through closer inspection using RTI Connext Administration Console, I realised a new change in where ROS2 Bouncy nodes appear to be both publishing and subscribing to all of their own service level DDS topics:IMO, this seem unwarranted given that a service server should not also require client level access, doing so would unecessarly widen the scope of the subject's (service host) access control policy and make it furtherly difficult to enforce asymmetric API access. If there is a good reason why this elevated access requirement for ROS service host has been introduced into Bouncy but was absent from Ardent, I'd be curious to know.
Required Info:
ros-bouncy-sros2/bionic,now 0.5.0-0bionic.20180720.000732 amd64 [installed]
rti-connext-dds-5.3.1/bionic,bionic,now 5.3.1-nc.x64Linux3gcc5.4.0+2 amd64 [installed,automatic]
ros-bouncy-fastrtps/bionic,now 1.6.0-5bionic.20180719.223049 amd64 [installed]
rmw_connext_cpp
rmw_fastrtps_cpp
rclcpp
Steps to reproduce issue
Using the following symantec policy profile, I'd expect the granting the
/talker
node serving the service/talker/describe_parameters
with execute permission would sufficient, i.e. permission to subscribe toRequest
and publish toReply
; as opposed to call permission, i.e. permission to publish toRequest
and subscribe toReply
.Expected comarmor profile.xml
See here for more of an detailed example: https://github.com/ruffsl/ros2_docker_demos/tree/master/sros2
Expected behavior
The following
permission.xml
is the expected minimally permission needed (using the comarmor profile from above), where publish access is granted toReply
topics and subscribe access is given toRequest
topics for a given service server.Expected minimal permissions.xml
Actual behavior
The following
permission.xml
presently works when service Request/Reply topics are all given both publish and subscribe access.Presently needed permissions.xml
Additional information
The DDS implementation
rmw_fastrtps_cpp
still appears to fail at runtime startup when using the same security artifacts that otherwise work fine withrmw_connext_cpp
:Update I tested this again in a container, and seems to be working like
rmw_connext_cpp
, so perhaps I've messed withrmw_fastrtps_cpp
on my host install.The text was updated successfully, but these errors were encountered: