zenoh_security_tools

This package generates config files to enforce security with Zenoh

• Links
  • Rosindex
• C++ API
  • Class Hierarchy
  • File Hierarchy
  • Full C++ API
• Standard Documents
  • PACKAGE
  • CHANGELOG
  • README

README

zenoh_security_tools

The zenoh_security_tools package contains the generate_configs executable which generates Zenoh session config files with access control, authentication and encryption parameters based on policies and keystores generated using sros2.

Usage

ros2 run zenoh_security_tools generate_configs -h

Generate Zenoh session configs with security artifacts.

Options:
  -h,--help                         Print this help message and exit
  -p,--policy TEXT REQUIRED         The path to the Access Control Policy file.
  -e,--enclaves TEXT                The directory with the security enclaves for the various nodes in the policy file.
  -d,--ros-domain-id UINT REQUIRED  The ROS Domain ID.
  -c,--session-config TEXT REQUIRED         The path to the Zenoh session config file.
  -r,--router-config TEXT REQUIRED  The path to the Zenoh router config file.

Example of configuring security rmw_zenoh

The process of setting up security is very similar to this tutorial but instead of relying on security environment variables and passing enclaves to nodes, we’ll pass Zenoh session configs with the desired security parameters configured to rmw_zenoh. These modified session configs are generated using the tool above.

Setup

The steps below will walk us through running rmw_zenoh with security enabled for a simple talker-lister system.

First create a directory for security artifacts and configs that will be generated.

mkdir ~/sros2_demo

Generate a keystore

cd ~/sros2_demo
ros2 security create_keystore demo_keystore

Generate the certificates for authentication and encryption

Generate security files for the talker and listener nodes, and the zenohd router respectively.

ros2 security create_enclave demo_keystore /talker_listener/talker
ros2 security create_enclave demo_keystore /talker_listener/listener
ros2 security create_enclave demo_keystore /talker_listener/zenohd

Generate the policy.xml for access control

Launch zenohd

ros2 run rmw_zenoh_cpp rmw_zenohd

Launch the listener

export RMW_IMPLEMENTATION=rmw_zenoh_cpp
ros2 run demo_nodes_cpp listener

Launch the talker

export RMW_IMPLEMENTATION=rmw_zenoh_cpp
ros2 run demo_nodes_cpp talker

Now run the policy generator from sros2

ros2 security generate_policy policy_listener_talker.xml

Finally, terminate all processes.

Try access control

Generate security configs without enclaves (only access control).

ros2 run zenoh_security_tools generate_configs \
  --policy policy_listener_talker.xml \
  --router-config <path to default router config>/DEFAULT_RMW_ZENOH_ROUTER_CONFIG.json5 \
  --session-config <path to default session config>/DEFAULT_RMW_ZENOH_SESSION_CONFIG.json5 \
  --ros-domain-id 0

This will generate Zenoh session config files for each node in the policy_listener_talker.xml file.

Run the talker with the new config file

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker
[INFO] [1740601932.350808475] [talker]: Publishing: 'Hello World: 1'
[INFO] [1740601933.350487483] [talker]: Publishing: 'Hello World: 2'

Run the listener with the new config file

export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener
...
[INFO] [1740602312.492840958] [listener]: I heard: [Hello World: 1]
[INFO] [1740602313.492200366] [listener]: I heard: [Hello World: 2]

You can validate access control by remapping the /chatter topic which should result in no messages being published.

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 rmw_zenoh_cpp rmw_zenohd

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker --ros-args -r chatter:=new_topic

export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener --ros-args -r chatter:=new_topic
...
# listener should not receive anything

Try access control, authentication and encryption

This time we generate the configs with authentication and encryption configured using the enclaves generated by sros2.

ros2 run zenoh_security_tools generate_configs \
  --policy policy_listener_talker.xml \
  --router-config <path to default router config>/DEFAULT_RMW_ZENOH_ROUTER_CONFIG.json5 \
  --session-config <path to default session config>/DEFAULT_RMW_ZENOH_SESSION_CONFIG.json5 \
  --ros-domain-id 0
  --enclaves ~/sros2_demo/demo_keystore/enclaves/talker_listener

[!NOTE] The executable assumes that the ~/sros2_demo/demo_keystore/enclaves/talker_listener directory contains folders with names matching node names defined in the policy_listener_talker.xml with the security files present.

Start the zenoh router with the zenohd.json config file.

export ZENOH_ROUTER_CONFIG_URI=zenohd.json5
ros2 rmw_zenoh_cpp rmw_zenohd

Start the talker

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 rmw_zenoh_cpp rmw_zenohd

Start the listener without setting the session config.

ros2 run demo_nodes_cpp listener

The listener will not receive any messages.

Restart the listener with the session config.

export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener
...
[INFO] [1740602312.492840958] [listener]: I heard: [Hello World: 10]
[INFO] [1740602313.492200366] [listener]: I heard: [Hello World: 11]

The messages are received by the listener.