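Fast DDS provides two levels of access control:
1 Domain Governance: defines the domain-level security policy (global rules).
2 DomainParticipant Permissions: defines the specific permissions of each participant (individual rules).
Let's start with Domain Governance. The configuration file looks like this: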
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_governance.xsd">
    <domain_access_rules>
        <domain_rule>
            <domains>
                <id_range>
                    <min>0</min>
                    <max>230</max>
                </id_range>
            </domains>
            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
            <enable_join_access_control>true</enable_join_access_control>
            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
            <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
            <topic_access_rules>
                <topic_rule>
                    <topic_expression>HelloWorldTopic</topic_expression>
                    <enable_discovery_protection>true</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>true</enable_read_access_control>
                    <enable_write_access_control>true</enable_write_access_control>
                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
                    <data_protection_kind>ENCRYPT</data_protection_kind>
                </topic_rule>
            </topic_access_rules>
        </domain_rule>
    </domain_access_rules>
</dds>
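It defines the domain-level configuration; a detailed explanation follows:
Next is DomainParticipant Permissions. This file defines the range of domain IDs a given Participant belongs to, as well as the Topics it may Publish and Subscribe to. The details are shown below: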
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-Security/20170801/omg_shared_ca_permissions.xsd">
    <permissions>
        <grant name="ParticipantPermissions">
            <subject_name>emailAddress=example@eprosima.com, CN=DomainParticipantName, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <publish>
                    <topics>
                        <topic>HelloWorldTopic</topic>
                    </topics>
                </publish>
            </allow_rule>
            <default>DENY</default>
        </grant>
        <!-- Fill the subject name with the information specified in the Participant certificate -->
        <grant name="OtherParticipantPermissions">
            <subject_name> emailAddress=xxx@eprosima.com, CN=xxx, OU=x, O=x, ST=XX, C=XX</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <subscribe>
                    <topics>
                        <topic>HelloWorldTopic</topic>
                    </topics>
                </subscribe>
            </allow_rule>
            <default>DENY</default>
        </grant>
    </permissions>
</dds>
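To make the effect of a grant concrete, the following added example (not from the original page and not Fast DDS code) evaluates a publish or subscribe request against the permissions XML above: the grant must match the subject and be inside its validity window, the first matching rule decides, and otherwise `<default>` applies. The names `rule_matches` and `is_allowed` are hypothetical, the embedded XML is a constructed copy of the first grant, and subject names are compared as plain strings as a simplifying assumption.

```python
import fnmatch
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the first grant of the permissions document above.
PERMISSIONS_XML = """<dds><permissions>
  <grant name="ParticipantPermissions">
    <subject_name>emailAddress=example@eprosima.com, CN=DomainParticipantName, O=eProsima, ST=MA, C=ES</subject_name>
    <validity><not_before>2013-06-01T13:00:00</not_before><not_after>2038-06-01T13:00:00</not_after></validity>
    <allow_rule>
      <domains><id_range><min>0</min><max>230</max></id_range></domains>
      <publish><topics><topic>HelloWorldTopic</topic></topics></publish>
    </allow_rule>
    <default>DENY</default>
  </grant>
</permissions></dds>"""
SUBJECT = "emailAddress=example@eprosima.com, CN=DomainParticipantName, O=eProsima, ST=MA, C=ES"


def rule_matches(rule, domain_id, action, topic):
    """True if the rule covers this domain and names the topic under <publish>/<subscribe>."""
    in_domain = any(
        int(r.findtext("min", "0")) <= domain_id <= int(r.findtext("max", str(domain_id)))
        for r in rule.iterfind("domains/id_range")
    ) or any(int(i.text) == domain_id for i in rule.iterfind("domains/id"))
    # Topic entries are fnmatch-style expressions, so "Hello*" would also match.
    return in_domain and any(
        fnmatch.fnmatchcase(topic, t.text.strip())
        for t in rule.iterfind(f"{action}/topics/topic")
    )


def is_allowed(xml_text, subject, domain_id, action, topic, now):
    """Evaluate one request: first matching rule wins, otherwise the grant's <default>."""
    for grant in ET.fromstring(xml_text).iterfind("permissions/grant"):
        # Assumption: plain string comparison of subject names (no DN normalisation).
        if grant.findtext("subject_name", "").strip() != subject:
            continue
        not_before = datetime.fromisoformat(grant.findtext("validity/not_before").strip())
        not_after = datetime.fromisoformat(grant.findtext("validity/not_after").strip())
        if not (not_before <= now <= not_after):
            return False  # grant outside its validity window
        for rule in grant:
            if rule.tag in ("allow_rule", "deny_rule") and rule_matches(rule, domain_id, action, topic):
                return rule.tag == "allow_rule"
        return grant.findtext("default", "DENY").strip() == "ALLOW"
    return False  # no grant for this subject
```

With this grant the participant may publish `HelloWorldTopic` on domains 0 to 230, while a subscribe request, another topic, or a domain outside the range falls through to `DENY`.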