Michael Dombrowski edited this page Sep 20, 2023 · 6 revisions

Overview

Greengrass IPC offers a set of APIs for components to interact with Greengrass and each other. IPC is implemented using event streams over Unix domain sockets or Windows named pipes. All IPC APIs are implemented using bidirectional asynchronous streams, so even APIs that appear to be request-response are still streams with particular semantics enforced (i.e. the stream closes after sending the response). The IPC transport layer is implemented in C and the application layer is implemented in Java, C++, Python, and NodeJS.

The clients in all languages and the server in Java (the server is not currently available in any other language) are automatically generated from a Smithy model of the APIs.

IPCEventStreamService implements the IPC server in Nucleus. It creates the socket and server listener and registers each API's default implementation. It then registers the authentication handler, which determines whether a connection is valid. It also configures a dummy authorization handler because Greengrass implements its own authorization. Each IPC service implementation then needs to register the real operation handler, which overrides the default handler. For example, MqttProxyIPCService registers PublishToIoTCoreHandler and SubscribeToIoTCoreHandler.

Authentication

Authentication (often abbreviated AuthN) determines who is trying to do something. When a component is started, Greengrass provides it with a unique secret token in the environment variable SVCUID. This secret token uniquely identifies an individual component and is used to authenticate the component to Greengrass if that component attempts to connect to Greengrass over IPC. When a GenericExternalService is created, it generates this token, which is then associated with the service in memory. If the token is provided to Greengrass in the IPC connect message, Greengrass can look up the token to identify the service that is connecting, or reject the connection if the token is unknown.

Authorization

Authorization (often abbreviated AuthZ) determines what you're allowed to do. Combined with AuthN, Greengrass knows who you are and, based on that, can look up the policy to see what you're allowed to do. Authorization is mostly implemented in AuthorizationHandler. The authorization handler keeps a list of valid operations and IPC services. This is not strictly necessary and should be removed because it makes it impossible to add new IPC operations or services without updating the Nucleus. If a component specifies a policy that contains an unknown IPC service or operation, then IPC policy parsing will log an error and return without parsing any remaining policies, which means that any one invalid policy may prevent valid policies in other components from being loaded.

To actually perform authorization for an API call, the API implementation must call isAuthorized, which throws an exception if the operation is not authorized for the service.
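
The policy-loading failure mode and the throwing authorization check described above, as an added Java sketch that is not Nucleus code: `PolicyLoadModel`, `Policy`, `loadPolicies`, `requireAuthorized` and the component, service and operation names are all hypothetical, and the allow-list is constructed sample data. It assumes Java 16 or later (records).

```java
import java.util.*;

// Simplified model of the behaviour described above, not the Nucleus classes.
// Every class, method, component, service and operation name here is hypothetical.
public class PolicyLoadModel {
    record Policy(String component, String service, String operation) {}
    // Constructed allow-list standing in for the handler's list of known services/operations.
    static final Map<String, Set<String>> KNOWN = Map.of("example.pubsub", Set.of("Publish", "Subscribe"));
    final Set<Policy> granted = new HashSet<>();

    // failFast=true models the behaviour described above: stop at the first invalid policy.
    // failFast=false skips only the invalid entry. Returns the number of policies loaded.
    int loadPolicies(List<Policy> policies, boolean failFast) {
        granted.clear();
        for (Policy p : policies) {
            if (!KNOWN.getOrDefault(p.service(), Set.of()).contains(p.operation())) {
                System.err.println("invalid policy: " + p);
                if (failFast) return granted.size(); // later, valid policies are never seen
                continue;
            }
            granted.add(p);
        }
        return granted.size();
    }

    // Stand-in for the check an operation handler makes before doing any work.
    void requireAuthorized(String component, String service, String operation) {
        if (!granted.contains(new Policy(component, service, operation)))
            throw new SecurityException(component + " may not call " + service + ":" + operation);
    }

    public static void main(String[] args) {
        PolicyLoadModel m = new PolicyLoadModel();
        List<Policy> policies = List.of( // constructed sample input
            new Policy("ComponentA", "example.unknown", "DoThing"), // unknown service
            new Policy("ComponentB", "example.pubsub", "Publish"));
        for (boolean failFast : new boolean[] {true, false}) {
            int loaded = m.loadPolicies(policies, failFast);
            try {
                m.requireAuthorized("ComponentB", "example.pubsub", "Publish");
                System.out.println("failFast=" + failFast + " loaded=" + loaded + " -> ComponentB allowed");
            } catch (SecurityException e) {
                System.out.println("failFast=" + failFast + " loaded=" + loaded + " -> " + e.getMessage());
            }
        }
    }
}
```

The fail-fast pass denies ComponentB because of ComponentA's invalid entry, so the failure is closed (a loss of availability rather than an over-grant); the second pass shows per-policy isolation.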
