Configuring token-based authentication
Using a JSON Web Token (JWT), your Virtual Warehouse client user can sign on to your Virtual Warehouse for a period of time instead of entering single sign-on (SSO) credentials every time the user wants to run a query.
JWT authentication does not involve a user name and password. You do not have to provide any secrets (passwords) to the server, such as a Virtual Warehouse. Instead, a third party, which is Apache Knox in Cloudera Data Platform, issues the JWT. Knox can sign the token through asymmetric key cryptography, and the token carries the signature. You can use the token as a bearer token, essentially a password, for accessing the Virtual Warehouse. The Virtual Warehouse needs only a public key stored in a JSON blob called a JSON Web Key Set (JWKS).
Following the procedure below, you acquire a token and set the lifespan of that token. A token cannot be revoked until it expires. Tokens can be shared.
- From Impyla
This option requires your client to configure Impyla as described in "Configuring Impyla for authentication".
- From a JDBC client
If you set up a Hive Virtual Warehouse for authentication, you need to configure a few properties as described in "Configuring a Hive Virtual Warehouse for authentication". Finally, you instruct your client to connect to your Hive Virtual Warehouse using authentication from a JDBC client.