Add initial draft for ROS 2 Security Contexts

[ruffsl]

No description provided.

[mikaelarguedas]

Thanks for pushing on this first version.
Some comments and mostly questions inline as this diverges from my understanding of our offline discussion.

[mikaelarguedas]

IIRC this is the approach we settled for offline because ROS namespaces have a very lose correlation to the process/context they will be running in. Could you clarify why this PR is now using node namespaces and not context namespaces?

[ruffsl]

From the offline notes, we visited the idea of forcing users to manually specify context namespaces, as to be comely orthogonal to node namespaces, but concluded that tracking two orthogonal namespaces would be a large mental overhead for users, as well as require much more boilerplate.

In the case of launchfiles: how to specify what gets in what context?
Could force people to provide context attributes everywhere ?
Inconvenient and can duplicate info. Would need "namespace context" but it gets hairy and duality with nodes name and namespaces

Thus we iterated further on the idea of allowing the existing namespace elements in lauchfiles to hint/push the relative context path. However, the user could still override the relative context path using a absolute context path for the node element's context attribute, just like with topics/services/actions:

If context specified use context-prefix/context otherwise can be overridden using absolute context

Perhaps we could also add these additional observations to the alternative section.

[mikaelarguedas]

Suggested change

	As before the use of contexts, multiple nodes composed into a single process where each mapped to a septate participant. Each participant subsequently load an security identity and access control credential prevalent to it's respective node. This composition however would inevitably mean that code compiled to node `foo` could access credentials/permissions only trusted only to node `bar`. This consequence of composition could unintendedly subvert the minimal spanning policy as architected by the designer or measured/generated via ROS 2 tooling/IDL.
	Before the use of contexts, multiple nodes composed into a single process where each mapped to a separate participant.
	Each participant subsequently load an security identity and access control credential prevalent to its' respective node.
	The composition of multiple nodes per context however, inevitably means that code compiled to node `foo` could access credentials/permissions only trusted to node `bar`.
	This consequence of composition could unintendedly subvert the minimal spanning policy as architected by the designer or measured/generated via ROS 2 tooling/IDL.

[mikaelarguedas]

This paragraph seems unrelated to the number of context per process. It is true and a drwaback in the case of single context per process as well

[ruffsl]

I've extended this section with a summarizing clarification in a461e4c
Feel free to suggest additional wording.

[mikaelarguedas]

I'm not sure I got this part. Why would the security guaranties be lost if there are multiple contexts per process?

[ruffsl]

Please comment on a461e4c .

[mikaelarguedas]

Opened #2 with some suggestions.

This design doc will conflict with https://github.com/ros2/design/blob/gh-pages/articles/ros2_dds_security.md and we'll need to merge or deconflict those before merging.
If I'm to add details about how ROS_SECURITY_DIRECTORY_OVERRIDE does this belong in this PR ?

[ruffsl]

Migrating discussion upstream to ros2#274