zenoh_security_tools package from rmw_zenoh repo
rmw_zenoh_cpp zenoh_cpp_vendor zenoh_security_tools
Package Summary
Tags | No category tags. |
Version | 0.5.0 |
License | Apache License 2.0 |
Build type | AMENT_CMAKE |
Use | RECOMMENDED |
Repository Summary
Description | RMW for ROS 2 using Zenoh as the middleware |
Checkout URI | https://github.com/ros2/rmw_zenoh.git |
VCS Type | git |
VCS Version | rolling |
Last Updated | 2025-04-08 |
Dev Status | DEVELOPED |
CI status | No Continuous Integration |
Released | RELEASED |
Tags | No category tags. |
Maintainers
- Alejandro Hernanadez
zenoh_security_tools
The zenoh_security_tools package contains the generate_configs executable, which generates Zenoh session config files with access control, authentication and encryption parameters based on policies and keystores generated using sros2.
Usage
ros2 run zenoh_security_tools generate_configs -h
Generate Zenoh session configs with security artifacts.
Options:
-h,--help Print this help message and exit
-p,--policy TEXT REQUIRED The path to the Access Control Policy file.
-e,--enclaves TEXT The directory with the security enclaves for the various nodes in the policy file.
-d,--ros-domain-id UINT REQUIRED The ROS Domain ID.
-c,--session-config TEXT REQUIRED The path to the Zenoh session config file.
-r,--router-config TEXT REQUIRED The path to the Zenoh router config file.
Example of configuring security with rmw_zenoh
The process of setting up security is very similar to this tutorial, but instead of relying on security environment variables and passing enclaves to nodes, we’ll pass Zenoh session configs with the desired security parameters configured to rmw_zenoh.
These modified session configs are generated using the tool above.
Setup
The steps below walk through running rmw_zenoh with security enabled for a simple talker-listener system.
First create a directory for security artifacts and configs that will be generated.
mkdir ~/sros2_demo
Generate a keystore
cd ~/sros2_demo
ros2 security create_keystore demo_keystore
Generate the certificates for authentication and encryption
Generate security files for the talker and listener nodes, and the zenohd router respectively.
ros2 security create_enclave demo_keystore /talker_listener/talker
ros2 security create_enclave demo_keystore /talker_listener/listener
ros2 security create_enclave demo_keystore /talker_listener/zenohd
Generate the policy.xml for access control
Launch zenohd
ros2 run rmw_zenoh_cpp rmw_zenohd
Launch the listener
export RMW_IMPLEMENTATION=rmw_zenoh_cpp
ros2 run demo_nodes_cpp listener
Launch the talker
export RMW_IMPLEMENTATION=rmw_zenoh_cpp
ros2 run demo_nodes_cpp talker
Now run the policy generator from sros2
ros2 security generate_policy policy_listener_talker.xml
Finally, terminate all processes.
Try access control
Generate security configs without enclaves (only access control).
ros2 run zenoh_security_tools generate_configs \
--policy policy_listener_talker.xml \
--router-config <path to default router config>/DEFAULT_RMW_ZENOH_ROUTER_CONFIG.json5 \
--session-config <path to default session config>/DEFAULT_RMW_ZENOH_SESSION_CONFIG.json5 \
--ros-domain-id 0
This will generate Zenoh session config files for each node in the policy_listener_talker.xml file.
Run the talker with the new config file
export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker
[INFO] [1740601932.350808475] [talker]: Publishing: 'Hello World: 1'
[INFO] [1740601933.350487483] [talker]: Publishing: 'Hello World: 2'
Run the listener with the new config file
export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener
...
[INFO] [1740602312.492840958] [listener]: I heard: [Hello World: 1]
[INFO] [1740602313.492200366] [listener]: I heard: [Hello World: 2]
You can validate access control by remapping the /chatter topic, which should result in no messages being published.
export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run rmw_zenoh_cpp rmw_zenohd
export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker --ros-args -r chatter:=new_topic
export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener --ros-args -r chatter:=new_topic
...
# listener should not receive anything
Try access control, authentication and encryption
This time we generate the configs with authentication and encryption configured using the enclaves generated by sros2.
ros2 run zenoh_security_tools generate_configs \
--policy policy_listener_talker.xml \
--router-config <path to default router config>/DEFAULT_RMW_ZENOH_ROUTER_CONFIG.json5 \
--session-config <path to default session config>/DEFAULT_RMW_ZENOH_SESSION_CONFIG.json5 \
--ros-domain-id 0 \
--enclaves ~/sros2_demo/demo_keystore/enclaves/talker_listener
[!NOTE] The executable assumes that the ~/sros2_demo/demo_keystore/enclaves/talker_listener directory contains folders with names matching node names defined in the policy_listener_talker.xml with the security files present.
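The assumption in the note above can be checked before running generate_configs with --enclaves. The script below is an added example, not part of zenoh_security_tools: the function names, the constructed sample policy and the list of required files (the standard sros2 enclave file names) are assumptions, and the private-key permission check is an extra hardening step.

```shell
#!/bin/sh
# Added example (not part of zenoh_security_tools): pre-flight check to run
# before `generate_configs --enclaves DIR`.
# Assumption: every enclave needs these standard sros2 file names.
REQUIRED_FILES="identity_ca.cert.pem cert.pem key.pem"

# Unique node names taken from node="..." attributes in the policy file.
policy_nodes() {
  grep -o 'node="[^"]*"' "$1" | sed 's/^node="//; s/"$//' | sort -u
}

# check_enclaves POLICY ENCLAVES_DIR: one line per problem, status 0 if clean.
check_enclaves() {
  problems=0
  for node in $(policy_nodes "$1"); do
    if [ ! -d "$2/$node" ]; then
      echo "MISSING enclave folder: $2/$node"; problems=$((problems + 1))
      continue
    fi
    for f in $REQUIRED_FILES; do
      [ -s "$2/$node/$f" ] && continue
      echo "MISSING file: $2/$node/$f"; problems=$((problems + 1))
    done
    # The private key must not be accessible to group or others.
    key="$2/$node/key.pem"
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
      echo "LOOSE permissions: $key"; problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Constructed fixture: two-node policy, complete talker, listener lacks key.pem.
make_sample() {
  mkdir -p "$1/enclaves/talker" "$1/enclaves/listener"
  cat > "$1/policy.xml" <<'EOF'
<policy version="0.2.0"><enclaves><enclave path="/talker_listener"><profiles>
  <profile ns="/" node="talker"><topics publish="ALLOW"><topic>chatter</topic></topics></profile>
  <profile ns="/" node="listener"><topics subscribe="ALLOW"><topic>chatter</topic></topics></profile>
</profiles></enclave></enclaves></policy>
EOF
  for f in $REQUIRED_FILES; do echo constructed > "$1/enclaves/talker/$f"; done
  chmod 600 "$1/enclaves/talker/key.pem"
  echo constructed > "$1/enclaves/listener/cert.pem"
  echo constructed > "$1/enclaves/listener/identity_ca.cert.pem"
}

# Usage: sh check_enclaves.sh POLICY ENCLAVES_DIR
if [ $# -eq 2 ]; then check_enclaves "$1" "$2"; fi
```

A non-zero exit status means at least one node in the policy has no usable enclave, so the generated config for that node should not be trusted to carry authentication and encryption settings.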
Start the zenoh router with the zenohd.json5 config file.
export ZENOH_ROUTER_CONFIG_URI=zenohd.json5
ros2 run rmw_zenoh_cpp rmw_zenohd
Start the talker
export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker
Start the listener without setting the session config.
ros2 run demo_nodes_cpp listener
The listener will not receive any messages.
Restart the listener with the session config.
export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener
...
[INFO] [1740602312.492840958] [listener]: I heard: [Hello World: 10]
[INFO] [1740602313.492200366] [listener]: I heard: [Hello World: 11]
The messages are received by the listener.
Package Dependencies
Deps | Name |
---|---|
ament_lint_auto | |
ament_lint_common | |
rcpputils | |
rcutils | |
rmw | |
rmw_security_common | |
tinyxml2_vendor | |
zenoh_cpp_vendor |
System Dependencies
Name |
---|
nlohmann-json-dev |