rosbridge, authentication and user roles

asked 2018-01-25 02:41:46 -0500

knxa
811 ●49 ●65 ●72

updated 2018-02-02 02:00:22 -0500

I want to create a web interface for my ROS application.

rosbridge looks promising, however I need to make sure that I can control what a user can interfere with. I am not very experienced in web services.

Does rosbridge come with user authentication and role-dependent access levels?
Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?
ros_auth seems to address some of this, but will it do the job?

(ROS kinetic, Ubuntu 16.04)

edit retag flag offensive close merge delete

add a comment

answered 2018-01-25 03:47:45 -0500

gvdhoorn
86574 ●283 ●1432 ●1054 http://cor.tudelft.nl/

updated 2018-01-31 09:32:26 -0500

1 . Does rosbridge come with user authentication and role-dependent access levels?

No. rosbridge_suite only deals with providing the infrastructure to bridge into a ROS nodegraph, nothing more. It is not a web application itself nor is it exclusively used for that.

2 . Can I limit what rosbridge exposes or is every ROS topic and service available for any (malicious) user?

re: limit: yes, in a way: see the rosapi/readme. rosapi (the component responsible for interfacing with the ROS nodegraph) uses an 'opt-in' list of resources to expose.

This is not linked to any user auth afaik though.

3 . ros_auth seems to address some of this, but will it do the job?

I've not used this myself, but it would seem rosauth provides a way to do authentication for rosbridge_suite. I could not find any documentation on the wiki, but this comment on the issue tracker is rather descriptive:

[..] rosbridge will wait for an auth op code to come in. If this is not the first message to come in, or if an invalid token is given, the connection is dropped.

It does seem to have the concept of user levels, which does not necessarily translate to role, but is a start.

The UI side of all this is out-of-scope of rosbridge_suite though, so that will probably have to be developed. The various rosjs and related libraries can probably help there.

edit flag offensive delete link

Comments

Note that there is no security in ROS 1, it was never a design requirement. To quote Brian at the ROS-I conference in Stuttgart:

If you tell me you've found a security issue in ROS 1, you're lying: there is no security.

As rosbridge_suite is transparent, it'll have to be made secure.

gvdhoorn ( 2018-01-25 03:52:36 -0500 )edit

Some experimental work to remedy this situation can be found in sros.

ROS 2 takes this much further, with full support for (DDS based) security infrastructure such as roles, certificates, authentication and authorisation, access policies etc.

gvdhoorn ( 2018-01-25 03:54:09 -0500 )edit

You might also be interested in the ROSCon17 presentation Reactive web interfaces with Polymer and ROS (slides, video).

gvdhoorn ( 2018-01-25 03:55:45 -0500 )edit

Thanks for your thorough reply (as always, where would this forum be without you). I will need to dig more into this.

knxa ( 2018-01-31 09:30:25 -0500 )edit

add a comment

rosbridge, authentication and user roles

1 Answer

Comments

Question Tools

Stats

Related questions

rosbridge, authentication and user roles edit

1 Answer

Comments

Question Tools

Stats

Related questions

rosbridge, authentication and user roles