Skip authentication for UDS connections #617
Merged
hdwhdw merged 2 commits into sonic-net:master on Mar 12, 2026
When the server is configured with cert-only auth, UDS connections fail because ClientCertAuthenAndAuthor requires TLS peer credentials that don't exist on Unix sockets. Add a check at the top of authenticate() to bypass auth for gNOI requests on UDS connections, since UDS security is enforced at the file-system level via socket permissions (0750/0660). The bypass is scoped to gNOI only -- gNMI RPCs on UDS continue to follow existing auth rules.

Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
Contributor
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
Contributor
Pull request overview
This PR adds an authentication bypass in the authenticate() function of the gNMI server, allowing gNOI RPCs made over Unix Domain Socket (UDS) connections to succeed even when the server is configured with certificate-only auth. The rationale is that UDS connections are already secured at the filesystem level via socket permissions (0750/0660), so requiring TLS peer credentials is redundant and would make UDS connections non-functional for gNOI services.
Changes:
- gnmi_server/server.go: Inserts a short-circuit at the top of authenticate() that returns immediately (with AuthEnabled = false) when target == "gnoi" and the connection is over a Unix socket.
- gnmi_server/server_test.go: Adds a CreateUDSCtx() helper and a TestAuthenticateGnoiUDS test covering gNOI read/write success over UDS and gNMI failure over UDS with cert-only auth.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| gnmi_server/server.go | Adds UDS auth bypass for target == "gnoi" in authenticate() |
| gnmi_server/server_test.go | Adds CreateUDSCtx helper and TestAuthenticateGnoiUDS unit test |
Remove the gnoi-only restriction so that both gNMI and gNOI RPCs skip certificate auth when the caller connects via Unix domain socket. UDS access is already gated by filesystem permissions on the socket.

Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
Contributor
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
vaibhavhd approved these changes Mar 12, 2026
hdwhdw added a commit to hdwhdw/sonic-buildimage that referenced this pull request Mar 12, 2026
Includes sonic-net/sonic-gnmi#617: skip certificate authentication for connections over Unix domain sockets.

Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
yxieca pushed a commit to sonic-net/sonic-buildimage that referenced this pull request Mar 13, 2026
What is the motivation for this PR
When --client_auth cert is configured on the gNMI server, UDS connections fail auth because TLS peer creds are unavailable, blocking local services (e.g., device-ops-agent) from using gNMI/gNOI over UDS.

How did you do it
Updated sonic-gnmi submodule to include sonic-net/sonic-gnmi#617, adding a UDS detection check in authenticate() to skip cert auth for UDS (secured by socket permissions).

How did you verify/test it
On a device with --client_auth cert configured:
$ sudo grpcurl -plaintext unix:///var/run/gnmi/gnmi.sock gnoi.system.System/Time
{time: 1773163799143468772}
Without sudo: permission denied at filesystem level.

Unique Signed-off-by
Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
eddieruan-alibaba pushed a commit to eddieruan-alibaba/sonic-buildimage that referenced this pull request Mar 19, 2026
What is the motivation for this PR
When --client_auth cert is configured on the gNMI server, UDS connections fail auth because TLS peer creds are unavailable, blocking local services (e.g., device-ops-agent) from using gNMI/gNOI over UDS.

How did you do it
Updated sonic-gnmi submodule to include sonic-net/sonic-gnmi#617, adding a UDS detection check in authenticate() to skip cert auth for UDS (secured by socket permissions).

How did you verify/test it
On a device with --client_auth cert configured:
$ sudo grpcurl -plaintext unix:///var/run/gnmi/gnmi.sock gnoi.system.System/Time
{time: 1773163799143468772}
Without sudo: permission denied at filesystem level.

Unique Signed-off-by
Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
eddieruan-alibaba added a commit to sonic-net/sonic-buildimage that referenced this pull request Mar 23, 2026
* Add db alias
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
* Fix a typo
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
* Remove redis-sysmondb alias
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
* Take care review comments from Aseem and Selva
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
* Update sonic-gnmi submodule to include UDS auth bypass (#26155)

  What is the motivation for this PR
  When --client_auth cert is configured on the gNMI server, UDS connections fail auth because TLS peer creds are unavailable, blocking local services (e.g., device-ops-agent) from using gNMI/gNOI over UDS.

  How did you do it
  Updated sonic-gnmi submodule to include sonic-net/sonic-gnmi#617, adding a UDS detection check in authenticate() to skip cert auth for UDS (secured by socket permissions).

  How did you verify/test it
  On a device with --client_auth cert configured:
  $ sudo grpcurl -plaintext unix:///var/run/gnmi/gnmi.sock gnoi.system.System/Time
  {time: 1773163799143468772}
  Without sudo: permission denied at filesystem level.

  Unique Signed-off-by
  Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
* Remove exit based on Aseem's comments
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
* Add DCO sign-off for previous commit
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
* Reorg codes based on Ashwin's comments
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
* Update pythonscript name
  Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>

---------

Signed-off-by: Eddie Ruan <eddie.ruan@alibaba-inc.com>
Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
Co-authored-by: Dawei Huang <daweihuang@microsoft.com>
What I did
When --client_auth cert is configured, connections over Unix Domain Socket (UDS) fail authentication because ClientCertAuthenAndAuthor() requires TLS peer credentials that don't exist on Unix sockets. This PR skips certificate authentication for all RPCs (gNMI and gNOI) when the connection arrives over a UDS. UDS access is already secured at the filesystem level via socket permissions (srw-rw---- root:root), making TLS auth redundant.

How I did it
Added a check at the top of authenticate() in server.go that detects UDS connections via peer.Addr.(*net.UnixAddr) and returns early, bypassing auth.

How to verify it
Unit tests:
On-device (vlab-01):
Without sudo: permission denied at filesystem level (correct behavior — socket is 0660 root:root).
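The check described above, as an added illustration that is not the sonic-gnmi code itself: the peer's address type decides whether cert auth is skipped, and a companion helper verifies the socket-permission precondition the bypass depends on. The peerInfo type and withPeer helper are hypothetical stand-ins for the peer data gRPC attaches to a request context, used so the example runs with the standard library only.

```go
package main
import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
)
// peerInfo is a hypothetical stand-in for the peer data gRPC attaches to a request context.
type peerInfo struct {
	Addr        net.Addr
	HasCertAuth bool // a TLS client certificate was presented and verified
}
type peerKey struct{}
func withPeer(ctx context.Context, p peerInfo) context.Context {
	return context.WithValue(ctx, peerKey{}, p)
}

// authenticate models the merged cert-only logic: a peer whose address is a
// *net.UnixAddr (the PR's check) skips cert auth; all others need TLS creds.
func authenticate(ctx context.Context) (authEnabled bool, err error) {
	p, ok := ctx.Value(peerKey{}).(peerInfo)
	if !ok {
		return true, errors.New("no peer information in context")
	}
	if _, uds := p.Addr.(*net.UnixAddr); uds {
		return false, nil // access is already gated by socket file permissions
	}
	if !p.HasCertAuth {
		return true, errors.New("TLS peer credentials required")
	}
	return true, nil
}

// socketModeOK checks the bypass's precondition: a socket with no "other" bits (e.g. 0660).
func socketModeOK(mode os.FileMode) error {
	if mode&os.ModeSocket == 0 {
		return errors.New("not a socket")
	}
	if mode.Perm()&0o007 != 0 {
		return fmt.Errorf("socket is world-accessible: %04o", uint32(mode.Perm()))
	}
	return nil
}
func main() {
	uds := withPeer(context.Background(), peerInfo{Addr: &net.UnixAddr{Name: "/var/run/gnmi/gnmi.sock", Net: "unix"}})
	fmt.Println(authenticate(uds))                   // false <nil>
	fmt.Println(socketModeOK(os.ModeSocket | 0o666)) // world-accessible error
}
```

A missing peer fails closed (auth stays enabled and an error is returned), which is the safe default if the transport ever stops attaching peer data.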