ROS Resources: Documentation | Support | Discussion Forum | Index | Service Status | ros @ Robotics Stack Exchange
Ask Your Question
3

rosbridge, authentication and user roles

asked 2018-01-25 02:41:46 -0600

knxa gravatar image

updated 2018-02-02 02:00:22 -0600

I want to create a web interface for my ROS application.

rosbridge looks promising, however I need to make sure that I can control what a user can interfere with. I am not very experienced in web services.

  1. Does rosbridge come with user authentication and role-dependent access levels?
  2. Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?
  3. ros_auth seems to address some of this, but will it do the job?

(ROS kinetic, Ubuntu 16.04)

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
6

answered 2018-01-25 03:47:45 -0600

gvdhoorn gravatar image

updated 2018-01-31 09:32:26 -0600

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself nor is it exclusively used for that.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

re: limit: yes, in a way: see the rosapi/readme. rosapi (the component responsible for interfacing with the ROS nodegraph) uses an 'opt-in' list of resources to expose.

This is not linked to any user auth afaik though.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is rather descriptive:

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.

edit flag offensive delete link more

Comments

1

Note that there is no security in ROS 1, it was never a design requirement. To quote Brian at the ROS-I conference in Stuttgart:

If you tell me you've found a security issue in ROS 1, you're lying: there is no security.

As rosbridge_suite is transparent, it'll have to be made secure.

gvdhoorn gravatar image gvdhoorn  ( 2018-01-25 03:52:36 -0600 )edit

Some experimental work to remedy this situation can be found in sros.

ROS 2 takes this much further, with full support for (DDS based) security infrastructure such as roles, certificates, authentication and authorisation, access policies etc.

gvdhoorn gravatar image gvdhoorn  ( 2018-01-25 03:54:09 -0600 )edit

You might also be interested in the ROSCon17 presentation Reactive web interfaces with Polymer and ROS (slides, video).

gvdhoorn gravatar image gvdhoorn  ( 2018-01-25 03:55:45 -0600 )edit
1

Thanks for your thorough reply (as always, where would this forum be without you). I will need to dig more into this.

knxa gravatar image knxa  ( 2018-01-31 09:30:25 -0600 )edit
add a comment

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2018-01-25 02:41:46 -0600

Seen: 1,518 times

Last updated: Jan 31 '18

Related questions

How to run a .html file with js including roslibjs

rosbridge CPU usage

rosbridge JSON format for std_msgs/String error

Can rosbridge set the timestamp of stamped messages?

Rosbridge: How to read value in from rostopic and set javascript variable

how to use rosbridge, gscam to load video

rosbridge (dynamic_reconfigure function?)

rosbridge /rosjs/typeStringFromTopic does not work

rosbridge error in ROSProxy.py on Fuerte with roslib.rostime

rosbridge on fuerte closes immediately

ROS Answers is licensed under Creative Commons Attribution 3.0 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2