persmissions files rules for other participant #916

northPierre · 2024-09-24T16:10:02Z

northPierre
Sep 24, 2024

Dear Fast DDS Team,

I don't understand a configuration in Access control plug-in : DomainParticipant Permissions Document.

The rules specified in the second part of the files, concerning other participant does not seems to apply.

Example of configurations :

Publisher :

<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-Security/20170801/omg_shared_ca_permissions.xsd">
    <permissions>
        <grant name="ParticipantPermissions">
            <subject_name>emailAddress=example@eprosima.com, CN=DomainParticipant_1, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <publish>
                    <topics>
                        <topic>HelloTopic</topic>
                        <topic>GoodByeTopic</topic>
                    </topics>
                </publish>
            </allow_rule>
            <default>DENY</default>
        </grant>

        <!-- Fill the subject name with the information specified in the Participant certificate -->
        <grant name="OtherParticipantPermissions">
            <subject_name> emailAddress==example@eprosima.com, CN=DomainParticipant_2, OU=x, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <subscribe>
                    <topics>
                        <topic>HelloTopic</topic>
                    </topics>
                </subscribe>
            </allow_rule>
            <default>DENY</default>
        </grant>
                
    </permissions>
</dds>

Subscriber :

<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-Security/20170801/omg_shared_ca_permissions.xsd">
    <permissions>
        <grant name="ParticipantPermissions">
            <subject_name>emailAddress=example@eprosima.com, CN=DomainParticipant_2, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <subscribe>
                    <topics>
                        <topic>HelloTopic</topic>
                        <topic>GoodByeTopic</topic>
                    </topics>
                </subscribe>
            </allow_rule>
            <default>DENY</default>
        </grant>

        <!-- Fill the subject name with the information specified in the Participant certificate -->
        <grant name="OtherParticipantPermissions">
            <subject_name> emailAddress==example@eprosima.com, CN=DomainParticipant_1, OU=x, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <publish>
                    <topics>
                        <topic>HelloTopic</topic>
                        <topic>GoodByeTopic</topic>
                    </topics>
                </publish>
            </allow_rule>
            <default>DENY</default>
        </grant>
    </permissions>
</dds>

The configuration of participant_1 should allow participant_2 to subscribe to HelloTopic but not to GoodByeTopic because the default is DENY.
The participant_2 configuration is in volunteer conflict allowing participant_2 to subscribe to all topics..

In this configuration, participant_2 can access GoodByeTopic.
I would have prefer to get a security log on participant_1.

It is certainly a misunderstanding on my part, Could you be more specific about this?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

persmissions files rules for other participant #916

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

persmissions files rules for other participant #916

Uh oh!

northPierre Sep 24, 2024

Replies: 0 comments

northPierre
Sep 24, 2024