Configuring token-based authentication

Using a JSON Web Token (JWT), your Virtual Warehouse client user can sign on to your Virtual Warehouse for a period of time instead of entering single sign-on (SSO) credentials every time the user wants to run a query.

JWT authentication does not involve a user name and password. You do not have to provide any secrets (passwords) to the server, such as a Virtual Warehouse. Instead, a third party, which is Apache Knox in Cloudera Data Platform, issues a JWT token. Knox can sign the token through asymmetric key cryptography, and the JWT token carries the signature. You can use the token as a bearer token, essentially a password, for accessing the Virtual Warehouse. The Virtual Warehouse needs only a public key stored in a JSON blob called a JSON Web Key Set (JWKS).

Following the procedure below, you acquire a token and set the lifespan of that token. A token cannot be revoked until it expires. Tokens can be shared.
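The signing and verification described above, as an added example that is not Cloudera or Knox code: an issuer signs a token with a private key, and a verifier checks it using only the public values in a JWKS and then enforces expiry. The demo key, the `kid` value, the claim names, and the `issue`/`verify` helpers are constructed for illustration, and RS256 is assumed as the signing algorithm.

```python
import base64, hashlib, json, time

# Constructed demo key (assumption): two Mersenne primes, NOT secure; stands in for the issuer's key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def byte_len(n):
    return (n.bit_length() + 7) // 8

def padded_digest(signing_input, k):
    t = SHA256_PREFIX + hashlib.sha256(signing_input.encode()).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue(claims, kid="demo-key"):
    """Issuer side: sign header.payload with the private exponent."""
    head = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    em = int.from_bytes(padded_digest(f"{head}.{body}", byte_len(N)), "big")
    return f"{head}.{body}." + b64u(pow(em, D, N).to_bytes(byte_len(N), "big"))

# All the verifier holds: public values in a JWKS, no secret.
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-key", "alg": "RS256",
                  "n": b64u(N.to_bytes(byte_len(N), "big")), "e": "AQAB"}]}

def verify(token, jwks, now=None):
    """Verifier side: return the claims, or raise ValueError."""
    head, body, sig = token.split(".")
    header = json.loads(unb64u(head))
    if header.get("alg") != "RS256":  # rejects "none" and HMAC downgrades
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(unb64u(key[f]), "big") for f in ("n", "e"))
    s = int.from_bytes(unb64u(sig), "big")
    expected = padded_digest(f"{head}.{body}", byte_len(n))
    if s >= n or pow(s, e, n).to_bytes(byte_len(n), "big") != expected:
        raise ValueError("bad signature")
    claims = json.loads(unb64u(body))
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")  # a token without exp fails closed
    return claims
```

`verify` has no way to tell who presents the token: until `exp` passes, any holder of the string is accepted, which is why the lifespan chosen at issuance is the only limit on a shared or leaked token.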

If you created an Impala Virtual Warehouse for JWT authentication, your client user can access the Impala Virtual Warehouse in the following ways:
  • From Impyla

    This option requires your client to configure Impyla as described in "Configuring Impyla for authentication".

  • From a JDBC client

    If you set up a Hive Virtual Warehouse for authentication, you need to configure a few properties as described in "Configuring a Hive Virtual Warehouse for authentication". No configuration of the Impala Virtual Warehouse is required. Finally, you instruct your client to connect to your Hive or Impala Virtual Warehouse using authentication from a JDBC client.