persmissions files rules for other participant #916

northPierre · 2024-09-24T16:10:02Z

northPierre
Sep 24, 2024

Dear Fast DDS Team,

I don't understand a configuration in Access control plug-in : DomainParticipant Permissions Document.

The rules specified in the second part of the files, concerning other participant does not seems to apply.

Example of configurations :

Publisher :

<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-Security/20170801/omg_shared_ca_permissions.xsd">
    <permissions>
        <grant name="ParticipantPermissions">
            <subject_name>[email protected], CN=DomainParticipant_1, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <publish>
                    <topics>
                        <topic>HelloTopic</topic>
                        <topic>GoodByeTopic</topic>
                    </topics>
                </publish>
            </allow_rule>
            <default>DENY</default>
        </grant>

        <!-- Fill the subject name with the information specified in the Participant certificate -->
        <grant name="OtherParticipantPermissions">
            <subject_name> [email protected], CN=DomainParticipant_2, OU=x, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <subscribe>
                    <topics>
                        <topic>HelloTopic</topic>
                    </topics>
                </subscribe>
            </allow_rule>
            <default>DENY</default>
        </grant>
                
    </permissions>
</dds>

Subscriber :

<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-Security/20170801/omg_shared_ca_permissions.xsd">
    <permissions>
        <grant name="ParticipantPermissions">
            <subject_name>[email protected], CN=DomainParticipant_2, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <subscribe>
                    <topics>
                        <topic>HelloTopic</topic>
                        <topic>GoodByeTopic</topic>
                    </topics>
                </subscribe>
            </allow_rule>
            <default>DENY</default>
        </grant>

        <!-- Fill the subject name with the information specified in the Participant certificate -->
        <grant name="OtherParticipantPermissions">
            <subject_name> [email protected], CN=DomainParticipant_1, OU=x, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <publish>
                    <topics>
                        <topic>HelloTopic</topic>
                        <topic>GoodByeTopic</topic>
                    </topics>
                </publish>
            </allow_rule>
            <default>DENY</default>
        </grant>
    </permissions>
</dds>

The configuration of participant_1 should allow participant_2 to subscribe to HelloTopic but not to GoodByeTopic because the default is DENY.
The participant_2 configuration is in volunteer conflict allowing participant_2 to subscribe to all topics..

In this configuration, participant_2 can access GoodByeTopic.
I would have prefer to get a security log on participant_1.

It is certainly a misunderstanding on my part, Could you be more specific about this?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

persmissions files rules for other participant #916

{{title}}

Replies: 0 comments

Select a reply

persmissions files rules for other participant #916

northPierre Sep 24, 2024

Replies: 0 comments

northPierre
Sep 24, 2024