Ask Your Question
1

rosbridge, authentication and user roles

asked 2018-01-25 02:41:46 -0600

knxa gravatar image

updated 2018-02-02 02:00:22 -0600

I want to create a web interface for my ROS application.

rosbridge looks promising, however I need to make sure that I can control what a user can interfere with. I am not very experienced in web services.

  1. Does rosbridge come with user authentication and role-dependent access levels?
  2. Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?
  3. ros_auth seems to address some of this, but will it do the job?

(ROS kinetic, Ubuntu 16.04)

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
2

answered 2018-01-25 03:47:45 -0600

gvdhoorn gravatar image

updated 2018-01-31 09:32:26 -0600

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself nor is it exclusively used for that.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

re: limit: yes, in a way: see the rosapi/readme. rosapi (the component responsible for interfacing with the ROS nodegraph) uses an 'opt-in' list of resources to expose.

This is not linked to any user auth afaik though.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is rather descriptive:

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.

edit flag offensive delete link more

Comments

Note that there is no security in ROS 1, it was never a design requirement. To quote Brian at the ROS-I conference in Stuttgart:

If you tell me you've found a security issue in ROS 1, you're lying: there is no security.

As rosbridge_suite is transparent, it'll have to be made secure.

gvdhoorn gravatar imagegvdhoorn ( 2018-01-25 03:52:36 -0600 )edit

Some experimental work to remedy this situation can be found in sros.

ROS 2 takes this much further, with full support for (DDS based) security infrastructure such as roles, certificates, authentication and authorisation, access policies etc.

gvdhoorn gravatar imagegvdhoorn ( 2018-01-25 03:54:09 -0600 )edit

You might also be interested in the ROSCon17 presentation Reactive web interfaces with Polymer and ROS (slides, video).

gvdhoorn gravatar imagegvdhoorn ( 2018-01-25 03:55:45 -0600 )edit
1

Thanks for your thorough reply (as always, where would this forum be without you). I will need to dig more into this.

knxa gravatar imageknxa ( 2018-01-31 09:30:25 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2018-01-25 02:41:46 -0600

Seen: 390 times

Last updated: Jan 31 '18