Skip authentication for UDS connections

gnmi_server/server.go

@@ -654,6 +654,16 @@ func authenticate(config *Config, ctx context.Context, target string, writeAcces
 	var err error
 	success := false
 	rc, ctx := common_utils.GetContext(ctx)
+
+	// Skip authentication for UDS (Unix Domain Socket) connections.
+	// UDS security is enforced at the file-system level via socket permissions.
+	if pr, ok := peer.FromContext(ctx); ok && pr.Addr != nil {
+		if _, isUnix := pr.Addr.(*net.UnixAddr); isUnix {
+			rc.Auth.AuthEnabled = false
+			return ctx, nil
+		}
+	}
+
 	if !config.UserAuth.Any() {
 		//No Auth enabled
 		rc.Auth.AuthEnabled = false

gnmi_server/server_test.go

@@ -13,6 +13,7 @@ import (
 	"flag"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"os"
 	"os/exec"
 	"os/user"
@@ -6364,6 +6365,30 @@ func TestAuthenticate(t *testing.T) {
 	cancel()
 }
 
+func createUDSCtx() (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	p := peer.Peer{
+		Addr: &net.UnixAddr{Name: "/tmp/test.sock", Net: "unix"},
+	}
+	ctx = peer.NewContext(ctx, &p)
+	return ctx, cancel
+}
+
+func TestAuthenticateUDS(t *testing.T) {
+	cfg := &Config{UserAuth: AuthTypes{"password": false, "cert": true, "jwt": false}}
+
+	for _, target := range []string{"gnmi", "gnoi"} {
+		for _, write := range []bool{false, true} {
+			ctx, cancel := createUDSCtx()
+			_, err := authenticate(cfg, ctx, target, write)
+			if err != nil {
+				t.Errorf("%s (write=%v) over UDS should succeed: %v", target, write, err)
+			}
+			cancel()
+		}
+	}
+}
+
 type MockServerStream struct {
 	grpc.ServerStream
 }