Revision history [back]

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

No. As rosbridge_suite is almost a transparent bridge, any additional (security) features will have to come from somewhere else.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is descriptive):

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself.itself nor is it exclusively used for that.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

No. As rosbridge_suite is almost a transparent bridge, any additional (security) features will have to come from somewhere else.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is descriptive):

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself nor is it exclusively used for that.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

No. As rosbridge_suite is almost a transparent bridge, any additional (security) features will have to come from somewhere else.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is descriptive):rather descriptive:

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself nor is it exclusively used for that.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

No. As rosbridge_suite is almost a transparent bridge, re: limit: yes, in a way: se the rosapi/readme. rosapi (the component responsible for interfacing with the ROS nodegraph) uses an 'opt-in' list of resources to expose.

This is not linked to any additional (security) features will have to come from somewhere else.user auth afaik though.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is rather descriptive:

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself nor is it exclusively used for that.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

re: limit: yes, in a way: se see the rosapi/readme. rosapi (the component responsible for interfacing with the ROS nodegraph) uses an 'opt-in' list of resources to expose.

This is not linked to any user auth afaik though.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is rather descriptive:

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself nor is it exclusively used for that.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

re: limit: yes, in a way: see the rosapi/readme. rosapi (the component responsible for interfacing with the ROS nodegraph) uses an 'opt-in' list of resources to expose.

This is not linked to any user auth afaik though.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is rather descriptive:

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.