Enable monitoring in the examples that use the security plugins #752
colmenero wants to merge 14 commits into rticommunity:master from
Pull request overview
Updates secure examples to work with the Security Plugins’ new requirement to have monitoring enabled (notably when dynamically linked and the monitoring library is available), by generating/using a dedicated monitoring participant and consolidating security artifacts.
Changes:
- Extend shared security artifacts (governance/permissions + cert generation) to include additional identities and monitoring permissions.
- Update multiple examples’ QoS profiles to configure monitoring distribution settings with a dedicated participant.
- Remove per-example, manually-generated security artifacts/scripts in favor of CMake-driven generation (where adopted).
Reviewed changes
Copilot reviewed 42 out of 46 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| resources/security/xml/PermissionsM.xml | Adds permissions grant for the monitoring participant on the observability domain. |
| resources/security/xml/Permissions3.xml | Adds a third peer permissions document (new). |
| resources/security/xml/Governance.xml | Updates shared governance and adds an observability-specific domain rule. |
| resources/security/ecdsa01/peerM.cnf | Adds OpenSSL config for monitoring participant identity. |
| resources/security/ecdsa01/peer3.cnf | Adds OpenSSL config for a third peer identity. |
| resources/cmake/Modules/ConnextDdsGenerateSecurityArtifacts.cmake | Extends artifact generation to produce peer3/peerM certs and sign new permissions XMLs. |
| examples/connext_secure/whitelist/security/xml/signed/.gitkeep | Keeps signed XML output directory in source control. |
| examples/connext_secure/whitelist/security/xml/Permissions.xml | Removes example-local permissions (now replaced by generated/shared artifacts). |
| examples/connext_secure/whitelist/security/xml/Governance.xml | Removes example-local governance (now replaced by generated/shared artifacts). |
| examples/connext_secure/whitelist/security/setup_security.py | Removes manual OpenSSL generation script (now replaced by CMake generation). |
| examples/connext_secure/whitelist/security/identities/ParticipantC/ParticipantC.cnf | Removes example-local identity config (now replaced by shared artifacts). |
| examples/connext_secure/whitelist/security/identities/ParticipantA/ParticipantA.cnf | Removes example-local identity config (now replaced by shared artifacts). |
| examples/connext_secure/whitelist/security/ca/private/.gitkeep | Keeps CA private dir in source control. |
| examples/connext_secure/whitelist/security/ca/database/CaSerial | Removes example-local CA serial (now replaced by generated/shared artifacts). |
| examples/connext_secure/whitelist/security/ca/Ca.cnf | Removes example-local CA config (now replaced by shared artifacts). |
| examples/connext_secure/whitelist/c++11/Whitelist_subscriber.cxx | Updates QoS profile names to the new whitelist::... library. |
| examples/connext_secure/whitelist/c++11/Whitelist_publisher.cxx | Updates QoS profile name and whitelisted subject strings to match new cert subjects. |
| examples/connext_secure/whitelist/c++11/USER_QOS_PROFILES.xml | Refactors profiles (common + peers) and adds dedicated monitoring participant profile. |
| examples/connext_secure/whitelist/c++11/README.md | Removes manual security-artifact setup instructions. |
| examples/connext_secure/whitelist/c++11/CMakeLists.txt | Ensures security plugins are available and switches to CMake security artifact generation. |
| examples/connext_secure/lightweight/security/xml/signed/.gitkeep | Keeps signed XML output directory in source control. |
| examples/connext_secure/lightweight/security/xml/permissions.xml | Removes example-local permissions (now replaced by shared artifacts). |
| examples/connext_secure/lightweight/security/setup_security.py | Removes manual OpenSSL generation script (now replaced by CMake generation). |
| examples/connext_secure/lightweight/security/identities/ParticipantB/ParticipantB.cnf | Removes example-local identity config (now replaced by shared artifacts). |
| examples/connext_secure/lightweight/security/identities/ParticipantA/ParticipantA.cnf | Removes example-local identity config (now replaced by shared artifacts). |
| examples/connext_secure/lightweight/security/ca/private/.gitkeep | Keeps CA private dir in source control. |
| examples/connext_secure/lightweight/security/ca/database/CaSerial | Removes example-local CA serial (now replaced by shared artifacts). |
| examples/connext_secure/lightweight/security/ca/Ca.cnf | Removes example-local CA config (now replaced by shared artifacts). |
| examples/connext_secure/lightweight/c++11/governance_lws.xml | Updates governance schema reference and domain tags. |
| examples/connext_secure/lightweight/c++11/USER_QOS_PROFILES.xml | Refactors profiles (common + peers) and adds dedicated monitoring participant profile. |
| examples/connext_secure/lightweight/c++11/README.md | Removes manual security-artifact setup instructions. |
| examples/connext_secure/lightweight/c++11/CMakeLists.txt | Ensures security plugins are available, generates artifacts, and adds S/MIME signing step. |
| examples/connext_secure/dynamic_permissions/c++11/USER_QOS_PROFILES.xml | Refactors to a common profile and adds dedicated monitoring participant profile. |
| examples/connext_secure/certificate_revocation_list/security/xml/Permissions.xml | Adds permissions grant for monitoring participant. |
| examples/connext_secure/certificate_revocation_list/security/xml/Governance.xml | Updates governance schema reference and domain tags. |
| examples/connext_secure/certificate_revocation_list/security/setup_security.py | Updates CA generation and adds ParticipantM cert generation. |
| examples/connext_secure/certificate_revocation_list/security/identities/ParticipantM/ParticipantM.cnf | Fixes ParticipantM subject fields. |
| examples/connext_secure/certificate_revocation_list/c++11/USER_QOS_PROFILES.xml | Refactors profiles and adds dedicated monitoring participant profile. |
| examples/connext_secure/certificate_revocation_list/c++11/Crl_subscriber.cxx | Updates QoS library/profile name to crl::.... |
| examples/connext_secure/certificate_revocation_list/c++11/Crl_publisher.cxx | Updates QoS library/profile name to crl::.... |
| examples/connext_secure/cds/c++11/USER_QOS_PROFILES.xml | Enables monitoring distribution settings for the CDS lightweight-security profile. |
| examples/connext_secure/cds/c++11/CMakeLists.txt | Adds component-gating for CDS build dependencies. |
| examples/connext_dds/real_time_wan_transport/c++98/USER_QOS_PROFILES.xml | Adds monitoring distribution settings and introduces shared security-common + monitor profiles. |
| examples/connext_dds/real_time_wan_transport/c++98/CLOUD_DISCOVERY_SERVICE.xml | Updates CDS security properties to use RTPS PSK passphrase configuration. |
| examples/connext_dds/network_capture/04_advanced_api/c/USER_QOS_PROFILES.xml | Refactors to a common profile and adds dedicated monitoring participant profile. |
| examples/connext_dds/network_capture/03_security/c/USER_QOS_PROFILES.xml | Refactors to a common profile and adds dedicated monitoring participant profile. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
alvfdz left a comment
Some of my comments (like the usage of profiles as snippets) apply to several USER_QOS_PROFILES.xml files. I didn't add the comment to all of them but, please, apply the fix to all.
| --> | ||
| <dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.0.0/rti_dds_qos_profiles.xsd"> | ||
| xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.6.0/rti_dds_qos_profiles.xsd"> |
Should this be 7.7.0 already?
| <qos_profile name="network_capture_ProfileMonitor"> | ||
| <base_name> | ||
| <element>network_capture_Library::network_capture_ProfileCommon</element> | ||
| <element>BuiltinQosLib::Generic.Monitoring2</element> |
I think this composition goes against our best practices. See: Best Practices for Inheritance and Composition: Use QoS Profiles for inheritance only, never composition. Neither of these two is a snippet.
If you want to follow this approach, I would use base_name="BuiltinQosLib::Generic.Monitoring2" here and create a snippet with just the Security properties,
| 8192 | ||
| </participant_property_string_max_length> | ||
| <participant_property_list_max_length> | ||
| 40 |
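Review bot: the limits 8192 (participant_property_string_max_length) and 40 (participant_property_list_max_length) are bare numbers with no explanation in the visible lines. Add an XML comment naming the properties that drive these sizes, so the values are re-checked rather than copied when the profile is reused in other examples.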
Do we really need 40 properties here? That seems too much.
| <qos_profile name="Monitor_Security"> | ||
| <base_name> | ||
| <element>RWT_Library::security_Common</element> | ||
| <element>BuiltinQosLib::Generic.Monitoring2</element> |
This time, you just need to move BuiltinQosLib::Generic.Monitoring2 to base_name, because RWT_Library::security_Common is a QoS snippet.
| include(ConnextDdsConfigureCmakeUtils) | ||
| connextdds_configure_cmake_utils() | ||
|
|
||
| find_package(RTIConnextDDS |
I guess someone from internal tools should take a look at this
| <!-- Domain used for the RTI Observability framework. --> | ||
| <domain_rule> | ||
| <domains> | ||
| <id>101</id> |
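Review bot: the literal <id>101</id> in this domain_rule ties the rule to a single domain id, and the comment above it only says what the domain is used for. Extend that comment to state that the id must match the domain configured for the monitoring participant, because a different domain would not be covered by this rule.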
This is the default one, but it could potentially be changed.
| <discovery_protection_kind>NONE</discovery_protection_kind> | ||
| <liveliness_protection_kind>NONE</liveliness_protection_kind> | ||
| <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind> | ||
| <rtps_psk_protection_kind>ENCRYPT</rtps_psk_protection_kind> |
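Review bot: discovery_protection_kind and liveliness_protection_kind are both NONE in this rule while rtps_protection_kind is ENCRYPT_WITH_ORIGIN_AUTHENTICATION. If relying on RTPS-level protection for discovery and liveliness traffic is intended, say so in a comment next to these two lines; otherwise set them to a protecting kind so the rule does not read as leaving that traffic unprotected.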
I guess we should encrypt metrics and logs
| </validity> | ||
| <allow_rule> | ||
| <domains> | ||
| <id>101</id> |
This is the default domain but it could potentially be changed.
| <id>101</id> | ||
| <tag>RTI_o11y</tag> | ||
| </domains> | ||
| <subscribe_monitoring>METRICS</subscribe_monitoring> |
We should allow both, metrics and logs.
| <not_before>2014-06-01T13:00:00</not_before> | ||
| <not_after>2037-06-01T13:00:00</not_after> | ||
| </validity> | ||
| <default>ALLOW</default> |
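Review bot: <default>ALLOW</default> at the end of this grant permits every action that no rule in the grant matches. Prefer <default>DENY</default> with explicit allow_rule entries for the domains and topics the example uses, so the grant documents the access it actually needs.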
Should we do something similar to PermissionsM.xml? Using the subscribe_monitoring instead of allowing everything?
@colmenero, regarding your CDS question, if cloud discovery service enables security, then yes, probably the library will require security too, because infrastructure services are dynamically linked.
Summary
The Security Plugins now require the monitoring library if the example is dynamically linked (the monitoring library is in the LD_LIBRARY_PATH). This PR adapts the examples to meet this requirement.
The security examples will now use monitoring when linked dynamically. They will not use monitoring when they are linked statically. This is ok because the monitoring library is only a requirement when linking dynamically.