DDS-SECURITY 1.1 RTF Avatar
  1. OMG Issue

DDSSEC11 — Clarify conditions for calling the operations on AccessControlPlugin

  • Key: DDSSEC11-14
  • Status: closed  
  • Source: Real-Time Innovations ( Dr. Gerardo Pardo-Castellote, Ph.D.)
  • Summary:

    Table 21 (Description of the ParticipantSecurityAttributes) entry on "ParticipantSecurityAttributes :is_access_protected" mentions allowing matching of participants without having "authorization" from the AccessControl. This is underspecified. It should state what this means in terms of the access control plugin operations are called (or not called) and how their return values are handled.

    Specifically. Is register_matched_remote_participant still called? Is validate_remote_permissions still called?

    Conceptually saying ParticipantSecurityAttributes::is_access_protected=FALSE only means we allow open access to the DomainId, but that does not imply open access to all the Topics...

    This fact is implied by the rules in 8.8.7 (AccessControl behavior with remote domain entity discovery) which permit "Unauthenticated" participants to only join domains that have ParticipantSecurityAttributes::is_access_protected=FALSE but only read/write the topics with EndpointSecurityAttributes::is_access_protected==FALSE.

  • Reported: DDS-SECURITY 1.0 — Tue, 24 May 2016 01:11 GMT
  • Disposition: Resolved — DDS-SECURITY 1.1
  • Disposition Summary:

    Changes to Clarify the Behavior of the AccessControl Plugin with Different Participant Security Attributes

    This will clarify how the Participant and Endpoint Security interact with the plugins behavior.

  • Updated: Tue, 19 Dec 2017 20:03 GMT