Configuring JWT Authentication

Impala shell users can now provide a JWT instead of a username/password to authenticate to an Impala instance. When JWT authentication is used, the Impala shell enforces the use of the hs2-http protocol since the JWT is sent via the "Authentication" HTTP header.

To enable and configure JWT:
  1. In Cloudera Manager, select the Impala service.
  2. In the Configuration tab, type jwt in the search box. The fields for JWT configuration will be listed.
  3. Set the following fields to enable JWT.

    JWKS URL (jwks_url)

    URL where the JSON Web Key Set (JWKS) can be downloaded for JWT verification. The default value is none; users will need to get the JWKS URL from their authentication provider's documentation.

    Username JWT Custom Claim (jwt_custom_claim_username)

    JWT claim that contains the username to use when authenticating with Impala. The default value is none; users will need to consult their authentication provider's documentation to determine which JWT payload claim contains the username.

    JWT Token Authentication (jwt_token_auth)

    Determines if JWT authentication is allowed without TLS being enabled on connections to the Impala daemon. The default value is false. Impala writes a warning message in the log file if it’s set as true since it’s not secure. Only set as true for test environments without sensitive data.

    JWT Validate Signature (jwt_validate_signature)

    Determines if the signatures on incoming JWTs are validated against the JWKS. If set as true, Impala verifies the signature in the JWT with pre-installed public keys. The default value is true. Only set as false for test environments without sensitive data.

    JWKS Pull Timeout (jwks_pulling_timeout_s)

    The time in seconds to wait for the JWKS to be downloaded from the specified URL before timing out. This flag is used when jwks_url is specified. The default value is 10 seconds.

    JWKS Update Frequency (jwks_update_frequency_s)

    The time in seconds to wait between re-downloading the JWKS from the specified URL. This flag is used when jwks_url is specified. The default value is 60 seconds.

    Verify JWKS Server Certificate (jwks_verify_server_certificate)

    Specifies if the TLS certificate of the JWKS server is verified when retrieving the JWKS from the specified JWKS URL. This should only be set to false for development / testing. The default value is true.
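To make the flags above concrete, here is an added Python model (not Impala's own code) of what the daemon does with them: look up the token's `kid` in the JWKS fetched from `jwks_url`, verify the signature unless `jwt_validate_signature` is off, and read the username from the claim named by `jwt_custom_claim_username`. The JWKS, key, claim name `preferred_username`, the `exp` check and the tokens are constructed for this example; provider JWKS entries are normally RSA keys, whereas a symmetric `oct` key is used here so the example runs offline.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(payload: dict, key: bytes, kid: str) -> str:
    # Constructed test token; in practice the identity provider issues the JWT.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def tamper(token: str, new_claims: dict) -> str:
    # Rewrite the payload but keep the original signature (what an attacker would try).
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p)); payload.update(new_claims)
    return ".".join([h, b64url_encode(json.dumps(payload, separators=(",", ":")).encode()), s])

def authenticate(token: str, jwks: dict, custom_claim_username: str, validate_signature: bool = True) -> str:
    """Return the username Impala would accept, or raise ValueError.
    jwks ~ the document fetched from jwks_url; custom_claim_username ~ jwt_custom_claim_username;
    validate_signature ~ jwt_validate_signature (model only, not Impala's implementation)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if validate_signature:
        if header.get("alg") != "HS256":
            raise ValueError("unsupported alg")  # never trust the token's own alg blindly
        keys = [k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "oct"]
        if not keys:
            raise ValueError("no key in JWKS matches kid")
        expected = hmac.new(b64url_decode(keys[0]["k"]), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("signature mismatch")
    if "exp" in payload and payload["exp"] < time.time():
        raise ValueError("token expired")
    if custom_claim_username not in payload:
        raise ValueError(f"claim {custom_claim_username!r} missing from JWT")
    return payload[custom_claim_username]

# Constructed JWKS and tokens (hypothetical key, not from any provider).
KEY = b"constructed-demo-key-not-for-production"
JWKS = {"keys": [{"kty": "oct", "kid": "kid-1", "k": b64url_encode(KEY)}]}
GOOD_TOKEN = make_hs256_jwt({"preferred_username": "alice", "exp": int(time.time()) + 3600}, KEY, "kid-1")
FORGED_TOKEN = tamper(GOOD_TOKEN, {"preferred_username": "admin"})
```

With `validate_signature=True` the forged token is rejected; with it set to False (the `jwt_validate_signature=false` setting) the same token authenticates as `admin`, which is why that flag belongs only in test environments.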