generate_artifacts not creating ros_discovery_info topic permissions under CycloneDDS rmw

[marcoag]

Bug report

Required Info:

• Operating System: Ubuntu 20.04 LTS (focal)
• Installation type: Binaries, although also tested with cyclone dds sources using the foxy branch from https://github.com/ros2/rmw_cyclonedds (master wouldn't compile out of the box) and the master branch from https://github.com/eclipse-cyclonedds/cyclonedds as explained in https://index.ros.org/doc/ros2/Installation/DDS-Implementations/Working-with-Eclipse-CycloneDDS/
• Version or commit hash: Using the latest commit of the master branch in this repo for testing but I see the issue happening with my own policies.xml
• DDS implementation: Tested Fast-RTPS (from binary) vs CycloneDDS (binary and source)
• Client library (if applicable): rclcpp

Steps to reproduce issue

$ source /opt/ros/foxy/setup.bash
$ mkdir testissue
$ cd testissue
$ svn checkout https://github.com/ros2/sros2/trunk/sros2/test/policies
$ mkdir keys
$ export ROS_SECURITY_KEYSTORE=~/testissue/keys/
$ export ROS_SECURITY_ENABLE=true
$ export ROS_SECURITY_STRATEGY=Enforce
$ export ROS_DOMAIN_ID=42
$ export RMW_IMPLEMENTATION=rmw_cyclonedds_cpp
$ ros2 security generate_artifacts -k keys/ -p policies/sample.policy.xml
$ ros2 run demo_nodes_cpp talker --ros-args -e /talker_listener/talker
[INFO] [1600243385.118237248] [rcl]: Found security directory: /home/marcogg/testissue/keys//enclaves/talker_listener/talker

>>> [rcutils|error_handling.c:108] rcutils_set_error_state()
This error state is being overwritten:

  'failed to create topic, at /home/marcogg/rmf_demos_ws/src/ros2/rmw_cyclonedds/rmw_cyclonedds_cpp/src/rmw_node.cpp:1777, at /tmp/binarydeb/ros-foxy-rcl-1.1.7/src/rcl/node.c:276'

with this new error message:

  'rcl node's rmw handle is invalid, at /tmp/binarydeb/ros-foxy-rcl-1.1.7/src/rcl/node.c:428'

rcutils_reset_error() should be called after error handling to avoid this.
<<<
[ERROR] [1600243385.126523301] [rcl]: Failed to fini publisher for node: 1
terminate called after throwing an instance of 'rclcpp::exceptions::RCLError'
  what():  failed to initialize rcl node: rcl node's rmw handle is invalid, at /tmp/binarydeb/ros-foxy-rcl-1.1.7/src/rcl/node.c:428

Also when trying to run with these keys under FastRTPS:

$ export RMW_IMPLEMENTATION=rmw_fastrtps_cpp
$ ros2 run demo_nodes_cpp talker --ros-args -e /talker_listener/talker
[INFO] [1600243906.394963273] [rcl]: Found security directory: /home/marcogg/testissue/keys//enclaves/talker_listener/talker
2020-09-16 08:11:46.401 [SECURITY Error] ros_discovery_info topic not found in allow rule. (/tmp/binarydeb/ros-foxy-fastrtps-2.0.1/src/cpp/security/accesscontrol/Permissions.cpp:1131) -> Function check_create_datawriter
2020-09-16 08:11:46.401 [SECURITY Error] Error checking creation of local writer da.f7.10.ce.d9.77.a4.52.9.61.a4.4d|0.0.1.3 (ros_discovery_info topic not found in allow rule. (/tmp/binarydeb/ros-foxy-fastrtps-2.0.1/src/cpp/security/accesscontrol/Permissions.cpp:1131))
 -> Function register_local_writer
2020-09-16 08:11:46.401 [PARTICIPANT Error] Problem creating associated Writer -> Function createPublisher

>>> [rcutils|error_handling.c:108] rcutils_set_error_state()
This error state is being overwritten:

  'create_publisher() could not create publisher, at /tmp/binarydeb/ros-foxy-rmw-fastrtps-cpp-1.2.0/src/publisher.cpp:145, at /tmp/binarydeb/ros-foxy-rcl-1.1.7/src/rcl/node.c:276'

with this new error message:

  'rcl node's rmw handle is invalid, at /tmp/binarydeb/ros-foxy-rcl-1.1.7/src/rcl/node.c:428'

rcutils_reset_error() should be called after error handling to avoid this.
<<<
[ERROR] [1600243906.402216755] [rcl]: Failed to fini publisher for node: 1
terminate called after throwing an instance of 'rclcpp::exceptions::RCLError'
  what():  failed to initialize rcl node: rcl node's rmw handle is invalid, at /tmp/binarydeb/ros-foxy-rcl-1.1.7/src/rcl/node.c:428

However there's no issue when generating with FastRTPS enabled:

$ export RMW_IMPLEMENTATION=rmw_fastrtps_cpp
$ ros2 security generate_artifacts -k keys/ -p policies/sample.policy.xml
$ ros2 run demo_nodes_cpp talker --ros-args -e /talker_listener/talker
[INFO] [1600244030.875602324] [rcl]: Found security directory: /home/marcogg/testissue/keys//enclaves/talker_listener/talker
[INFO] [1600244031.887165678] [talker]: Publishing: 'Hello World: 1'
[INFO] [1600244032.886927396] [talker]: Publishing: 'Hello World: 2'
...

Expected behavior

This permissions should be generated to match the behavior of RMW_IMPLEMENTATION=rmw_fastrtps_cpp so rclcpp can create the ros_discovery_info publisher and suscriber. This are the extra permissions that are generated when RMW_IMPLEMENTATION=rmw_fastrtps_cpp and not generated when RMW_IMPLEMENTATION=rmw_cyclonedds_cpp during the generate_artifacts command:

      <allow_rule>
        <domains>
          <id>42</id>
        </domains>
        <publish>
          <topics>
            <topic>ros_discovery_info</topic>
          </topics>
        </publish>
        <subscribe>
          <topics>
            <topic>ros_discovery_info</topic>
          </topics>
        </subscribe>
      </allow_rule>

Actual behavior

The ros_discovery_info topic publish and suscribe permissions are not generated using ros2 security generate_artifacts when RMW_IMPLEMENTATION=rmw_cyclonedds_cpp. This results in an error when trying to run the node with the generated keys.

[mikaelarguedas]

Thanks for reporting the issue, this will be addressed by https://github.com/ros2/sros2/pull/238 that has been approved and will be merged and released shortly

[marcoag]

Great to know, thanks @mikaelarguedas!

[mikaelarguedas]

Release pending https://github.com/ros/rosdistro/pull/26580