Configuring token-based authentication

Using a JSON Web Token (JWT), your Virtual Warehouse client user can sign on to your Virtual Warehouse for a period of time instead of entering single sign-on (SSO) credentials every time the user wants to run a query.

JWT authentication is a method of proving identity and is standardized in IETF RFC 7519. It uses a time-limited token to provide identity instead of a username and password. JWTs are secrets that are generated by a third-party system using asymmetric key cryptography and used as bearer tokens for accessing Virtual Warehouses. Virtual Warehouses only need the public portion of the third party's asymmetric keys. Within Cloudera Data Platform, Apache Knox serves as the trusted third-party JWT provider.

Following the procedure below, you acquire a token and set its lifespan. A token cannot be revoked before it expires. Tokens are secrets that can be used multiple times until they expire.
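Because a token stays valid until it expires, it is worth checking its expiry and lifespan before handing it to a client. The following is an added example, not Cloudera or Knox code: it reads the header and claims of a compact JWT without verifying the signature (verification remains the Virtual Warehouse's job) and reports problems. The 24-hour policy limit, the function names and the sample token are assumptions constructed for illustration; the `iat` claim is optional in RFC 7519, so its absence is tolerated.

```python
import base64
import json
import time

MAX_LIFESPAN = 24 * 3600  # assumed local policy in seconds, not a Cloudera default


def _b64url_decode(segment):
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token, now=None, max_lifespan=MAX_LIFESPAN):
    """Read a compact JWT's header and claims WITHOUT verifying the signature.

    Verification stays with the Virtual Warehouse; this is a client-side
    hygiene check on algorithm, expiry and lifespan only.
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    alg, exp, iat = header.get("alg"), claims.get("exp"), claims.get("iat")
    findings = []
    if not isinstance(alg, str) or alg.lower() == "none" or alg.startswith("HS"):
        findings.append("alg is not an asymmetric signature algorithm")
    if not isinstance(exp, (int, float)):
        findings.append("no exp claim: token has no expiry")
        return {"alg": alg, "expires_in": None, "lifespan": None, "findings": findings}
    if exp <= now:
        findings.append("token is expired")
    lifespan = exp - iat if isinstance(iat, (int, float)) else None
    if lifespan is not None and lifespan > max_lifespan:
        findings.append("lifespan exceeds policy; token cannot be revoked early")
    return {"alg": alg, "expires_in": exp - now, "lifespan": lifespan, "findings": findings}


def make_sample_token(claims, alg="RS256"):
    # Constructed sample: real JWT structure, placeholder signature bytes.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    week_long = make_sample_token({"sub": "analyst1", "iat": issued, "exp": issued + 7 * 86400})
    print(inspect_token(week_long, now=issued + 3600))
```
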

If you created an Impala Virtual Warehouse for JWT authentication, your client user can choose one of the following ways to access the Impala Virtual Warehouse:
  • From Impyla

    This option requires your client to configure Impyla as described in "Configuring Impyla for authentication".

  • From a JDBC client

    If you set up a Hive Virtual Warehouse for authentication, you need to configure a few properties as described in "Configuring a Hive Virtual Warehouse for authentication". No configuration of the Impala Virtual Warehouse is required. Finally, you instruct your client to connect to your Hive or Impala Virtual Warehouse using authentication from a JDBC client.