add how to use ros2cli with security enclaves. #4900

Merged
merged 1 commit into from
Dec 17, 2024
Expand Up @@ -241,7 +241,65 @@ Note: You can switch between the C++ (demo_nodes_cpp) and Python (demo_nodes_py)

These nodes are able to communicate because we have created the appropriate keys and certificates for them.

Leave both nodes running as you answer the questions below.
Leave both nodes running as you use ``ros2cli`` and answer the questions below.


6\. Use ``ros2cli`` with security
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To use ``ros2cli`` to iterate with ROS 2 secured network, you need to provide it with override enclave by ``ROS_SECURITY_ENCLAVE_OVERRIDE`` environmental variable.
Open an another terminal and set up the following environmental variables.

.. tabs::

.. group-tab:: Linux

.. code-block:: bash

export ROS_SECURITY_KEYSTORE=~/sros2_demo/demo_keystore
export ROS_SECURITY_ENABLE=true
export ROS_SECURITY_STRATEGY=Enforce
export ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener

.. group-tab:: MacOS

.. code-block:: bash

export ROS_SECURITY_KEYSTORE=~/sros2_demo/demo_keystore
export ROS_SECURITY_ENABLE=true
export ROS_SECURITY_STRATEGY=Enforce
export ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener

.. group-tab:: Windows

.. code-block:: bat

set ROS_SECURITY_KEYSTORE=%cd%/demo_keystore
set ROS_SECURITY_ENABLE=true
set ROS_SECURITY_STRATEGY=Enforce
set ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener


Now you can use ``ros2cli`` to communicate with ROS 2 secured network.

.. code-block:: bash

ros2 node list --no-daemon --spin-time 3
[INFO] [1733862009.410918416] [rcl]: Found security directory: /root/ros2_ws/colcon_ws/demo_keystore/enclaves/talker_listener/talker
/listener
/talker

.. code-block:: bash

ros2 topic list --no-daemon --spin-time 3
[INFO] [1733861998.562163611] [rcl]: Found security directory: /root/ros2_ws/colcon_ws/demo_keystore/enclaves/talker_listener/talker
/chatter
/parameter_events
/rosout

.. note::

Avoid using ros2 daemon because it may not have security enclaves, and enough time duration should be given for the discovery in ROS 2 secured network.
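Review bot: The sample output in this hunk does not match the environment the section tells the reader to export. ROS_SECURITY_ENCLAVE_OVERRIDE is set to /talker_listener/listener and ROS_SECURITY_KEYSTORE to ~/sros2_demo/demo_keystore, yet both `[rcl]: Found security directory:` lines report `/root/ros2_ws/colcon_ws/demo_keystore/enclaves/talker_listener/talker`, i.e. a different keystore and the talker enclave. Re-capture the output with the documented settings (or change the override to match), otherwise readers cannot tell which enclave ros2cli is actually running under. Two wording fixes in the opening paragraph: "iterate with ROS 2 secured network" should read "interact with a ROS 2 secured network", and "environmental variable(s)" should be "environment variable(s)". The closing note would also be clearer if it said why the override matters: the ros2cli process authenticates with that enclave's certificate and is bound by that enclave's permissions, and a daemon started earlier keeps whatever enclave (if any) its starter's environment had, which is why `--no-daemon` and a generous `--spin-time` are required here.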
Collaborator Author
Technically we can start the ros2 daemon with security enclaves so that user ros2cli can just call XML-RPC to the daemon to get the discovery information. But I believe that using the ros2 daemon would be a security breach if the user is not careful enough, because it inherits the authentication and permissions from the administrators and developers who implicitly start the ros2 daemon. See more details in ros2/sros2#315.
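The following pre-flight check is an added example for the procedure in this PR and the point raised in the comment above; it is not part of the PR, of ros2cli or of sros2. It verifies that the enclave named in ``ROS_SECURITY_ENCLAVE_OVERRIDE`` really exists in the keystore before ros2cli is run, and refuses to run while a ros2 daemon (with whatever enclave its starter had) is answering. It assumes the sros2 keystore layout ``<keystore>/enclaves/<enclave>/`` with the files ``cert.pem``, ``key.pem``, ``governance.p7s``, ``permissions.p7s``, ``identity_ca.cert.pem`` and ``permissions_ca.cert.pem``, and that ``ros2 daemon status`` prints a line containing "is running" when a daemon is up; the helper names ``check_enclave``, ``daemon_running`` and ``secure_ros2`` are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not ROS 2 project code. Assumed sros2 keystore layout:
#   <keystore>/enclaves/<enclave>/{cert.pem,key.pem,governance.p7s,
#                                  permissions.p7s,identity_ca.cert.pem,permissions_ca.cert.pem}

# check_enclave <keystore> <enclave>
# Returns 0 when the enclave directory exists and carries every artifact
# ros2cli needs to authenticate as that enclave, 1 otherwise.
check_enclave() {
    local keystore=$1 enclave=$2
    # "/talker_listener/listener" is stored under enclaves/talker_listener/listener
    local dir="$keystore/enclaves/${enclave#/}"
    local f rc=0
    [ -d "$dir" ] || { echo "no enclave directory: $dir" >&2; return 1; }
    for f in cert.pem key.pem governance.p7s permissions.p7s \
             identity_ca.cert.pem permissions_ca.cert.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "enclave $enclave is missing $f" >&2
            rc=1
        fi
    done
    return $rc
}

# daemon_running
# Returns 0 if a ros2 daemon answers (assumes "ros2 daemon status" reports
# "... is running"), 1 otherwise; also 1 when ros2 is not installed.
daemon_running() {
    command -v ros2 >/dev/null 2>&1 || return 1
    ros2 daemon status 2>/dev/null | grep -q "is running"
}

# secure_ros2 <keystore> <enclave> <ros2 arguments...>
# Exports the variables the tutorial sets and runs the ros2cli command only
# after the enclave has been validated and no daemon is running, so the
# discovery answer comes from this process's own enclave, not an inherited one.
secure_ros2() {
    local keystore=$1 enclave=$2
    shift 2
    check_enclave "$keystore" "$enclave" || return 1
    if daemon_running; then
        echo "a ros2 daemon is running with its starter's enclave; run 'ros2 daemon stop' first" >&2
        return 1
    fi
    ROS_SECURITY_KEYSTORE=$keystore \
    ROS_SECURITY_ENABLE=true \
    ROS_SECURITY_STRATEGY=Enforce \
    ROS_SECURITY_ENCLAVE_OVERRIDE=$enclave \
    ros2 "$@"
}

# Usage with the tutorial's values (pass --no-daemon and --spin-time yourself,
# since only the discovery verbs accept them):
#   secure_ros2 ~/sros2_demo/demo_keystore /talker_listener/listener \
#       node list --no-daemon --spin-time 3
```

Source the file and call ``secure_ros2`` instead of exporting the four variables by hand; a typo in the enclave name fails at ``check_enclave`` with a message naming the missing file rather than as a silent discovery timeout.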



Take the Quiz!