ROS2 security can restrict what nodes can publish and subscribe, or even what topics a node can publish or subscribe to. For an overview of ROS2 security, see the SROS package on github.
Performance Test provides a helper script to quickly set up ROS2 security.
First, you should be able to build and run performance_test
using the steps in
the README.md.
Next, to generate keys and enable security, follow the steps below:
cd performance_test/helper_scripts
source security_setup.bash enable ~/demo_keys
This will generate keys for 6 nodes named:
performance_test0
performance_test1
performance_test2
performance_test3
performance_test4
performance_test5
These nodes will be allowed to publish and subscribe to the following topics as specified
in performance_test/helper_scripts/policy.xml
:
- Array1k
- Array4k
- Array16k
- Array32k
- Array60k
- Array1m
- Array2m
The performance test tool uses a topic name that matches the data type it was asked to test.
That means that after enabling security with the helper script, the performance test tool
will only be able to test Array*
messages.
Finally, this script changes the environment of the current shell to include:
export ROS_SECURITY_ROOT_DIRECTORY=~/demo_keys
export ROS_SECURITY_ENABLE=true
export ROS_SECURITY_STRATEGY=Enforce
This means that when you run the performance test tool in the same shell, it will run with security enabled.
If you run:
ros2 run performance_test perf_test -c rclcpp-single-threaded-executor --msg Array1k --max-runtime 30
You should observe a failure similar to:
terminate called after throwing an instance of 'rclcpp::exceptions::RCLError'
what(): failed to initialize rcl node: SECURITY ERROR: directory /home/user/demo_keys/performance_test1662981776 does not exist. Lookup strategy: MATCH_EXACT, at /path/rcl/rcl/src/rcl/security_directory.c:256
This is because by default, perf_test
chooses a random node name like performance_test1662981776
and the keys we generated above need to match the node names.
To make the tool select predictable node names, use the --with-security
option.
This will create nodes with names that match the keys generated by security_setup.bash
.
If you run:
ros2 run performance_test perf_test -c rclcpp-single-threaded-executor --msg Struct16 --max-runtime 30 --with-security
You should observe a failure similar to:
2019-11-05 11:32:16.306 [SECURITY Error] Error checking creation of local writer 9d.8d.94.e3.56.29.ad.53.69.7c.de.da|0.0.1.3 (rt/Struct16 topic not found in allow rule. (/path/Fast-RTPS/src/cpp/security/accesscontrol/Permissions.cpp:11
11))
This is because the policy.xml
file used by the security_setup
helper scripts only allows publishing and subscribing on certain topic names.
If you run:
ros2 run performance_test perf_test -c rclcpp-single-threaded-executor --msg Array1k --max-runtime 30 --with-security
You should see the tool execute successfully with security.