IAM server (iamserver)
IAM uses gRPC to provide its functionality to other system components such as the SM, the provisioning script, etc. IAM exposes several gRPC services, which are divided into two groups: public and protected. Public services are accessible via the public interface (secured with TLS) and via the protected interface (secured with mTLS), whereas protected services are accessible only via the protected interface:
- IAMPublicService - public service that provides key/certificate information as well as node information;
- IAMPublicIdentityService - public service that provides system identification information such as system ID, subjects, etc. This service is available when the identifier plugin is configured in the config file;
- IAMPublicPermissionsService - public service that provides service permissions information. This service is available when EnablePermissionsHandler option is set to true in the config file;
- IAMProvisioningService - protected service that serves the provisioning procedure. This service is enabled by the provisioning command line option;
- IAMCertificateService - protected service that generates keys and applies certificates;
- IAMPermissionsService - protected service that registers service permissions.
Important: On an unprovisioned system, the IAM server uses insecure (plaintext) connections on both the protected and the public interface. After the system is provisioned, IAM uses mTLS and TLS on them respectively.
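The grouping and transport rules above, as an added illustration in Go (not the iamserver code itself): a gate that decides which services a listener may serve, and a builder for each listener's TLS settings that returns plaintext while the system is unprovisioned. Type and function names are assumptions for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// Iface identifies which IAM listener a request arrives on.
type Iface int

const (
	PublicIface    Iface = iota // TLS: only the server authenticates
	ProtectedIface              // mTLS: both sides present certificates
)

// serviceIsProtected records the public/protected grouping described above.
var serviceIsProtected = map[string]bool{
	"IAMPublicService": false, "IAMPublicIdentityService": false,
	"IAMPublicPermissionsService": false, "IAMProvisioningService": true,
	"IAMCertificateService": true, "IAMPermissionsService": true,
}

// ServiceAllowed reports whether service may be served on iface: public
// services on either interface, protected ones only on the protected one.
func ServiceAllowed(service string, iface Iface) (bool, error) {
	protected, ok := serviceIsProtected[service]
	if !ok {
		return false, fmt.Errorf("unknown service %q", service)
	}
	return !protected || iface == ProtectedIface, nil
}

// ListenerTLSConfig builds the TLS settings for one listener. A nil config
// means plaintext, which an unprovisioned system uses on both interfaces.
func ListenerTLSConfig(iface Iface, provisioned bool, cert tls.Certificate, clientCAs *x509.CertPool) (*tls.Config, error) {
	if !provisioned {
		return nil, nil
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if iface == ProtectedIface {
		if clientCAs == nil {
			return nil, fmt.Errorf("mTLS listener needs a client CA pool")
		}
		cfg.ClientAuth = tls.RequireAndVerifyClientCert // reject anonymous clients
		cfg.ClientCAs = clientCAs
	}
	return cfg, nil
}
```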
The protected services implement system-critical functions: creating keys, registering services, etc. The public services provide access to generic public data and information: the system ID, service permissions, etc. The API of each service is described in the gRPC protocol definition iamanager.proto.
The IAM server instance uses the IdentHandler, CertHandler, PermHandler and RemoteIAMsHandler interfaces to link the gRPC API to the appropriate IAM components. These interfaces are implemented by the following IAM components: identhandler, certhandler, permhandler and iamclient respectively.
The IAM server also handles the finish provisioning and encrypt disk commands. The finish provisioning handler is a simple hook that is called after the finish provisioning command is received. Through this hook, the IAM server runs the system command configured in the IAM configuration via the finishProvisioningCmdArgs parameter. On the encrypt disk command, iamserver generates a key and applies self-signed certificates for the dedicated storage type diskencryption. This key/certificate pair can be used by an external system tool or utility to encrypt or open the disk. iamserver triggers the external disk encryption tool by running the commands specified in the diskEncryptCmdArgs parameter of the IAM configuration.