Configuring the Hive Virtual Warehouse for authentication

You need to enable platform JWT authentication for your Hive Virtual Warehouse during creation or editing of the Virtual Warehouse and configure some HiveServer (HS2) properties. This ensures that the Hive Virtual Warehouse supports authentication using JWT tokens.

You must have acquired the JWT token through your Identity Provider (IDP). In CDW, you use the Knox Token Generation service to generate the token.
  1. Follow the instructions for creating a Virtual Warehouse.
  2. Under Authentication, select Enable JWT Authentication.
  3. From the Overview page, go to the Virtual Warehouses tab and click > Edit against the required Hive Virtual Warehouse.
    The Virtual Warehouse Details page is displayed.
  4. Go to Configurations > Hiveserver2.
  5. Select hive-site from the Configuration files drop-down list, search for hive.server2.authentication, and add JWT to the value alongside any authentication protocols that are already specified.
    For example, 'LDAP,SAML,JWT'.
  6. Search for hive.server2.authentication.jwt.jwks.skip.ssl.cert and set the value to true.
  7. Search for hive.server2.transport.mode and set the value to http.
  8. Search for hive.server2.authentication.jwt.jwks.url and, if you find it, set the value to the JSON Web Key Sets (JWKS) URL, which publishes the keys used to verify the signature of the JWT token. For example, https://myadmin-host/myadmin/homepage/knoxtoken/api/v1/jwks.json.
    If you do not find hive.server2.authentication.jwt.jwks.url, click Add Custom Configuration, add it to hive-site as a custom property, and then set the value to the JSON Web Key Sets (JWKS) URL.

    You can fetch the JWKS URL by pasting the copied JWT token into the Debugger on the jwt.io website. Paste the JWT token in the Encoded text box of the Debugger; the decoded token header displays a jku parameter that contains the URL. You can provide a comma-separated list of jwks.json URLs for this configuration.

  9. If you modify the JWKS URL, restart HiveServer.
  10. Click Apply Changes.
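
The jku lookup in step 8 can also be done locally, so the token never leaves your machine. The following is an added example, not part of the original procedure or of Cloudera's code: it decodes the token header, accepts the jku only if it is an https URL on a host you expect, and builds the comma-separated value for hive.server2.authentication.jwt.jwks.url. The function names, the trusted_hosts parameter, and the sample token are assumptions made for illustration.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_header(token: str) -> dict:
    """Decode the header (first segment) of a compact JWT without verifying it."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)  # base64url omits '=' padding
    return json.loads(base64.urlsafe_b64decode(padded))


def jwks_url_from_token(token: str, trusted_hosts: set) -> str:
    """Return the header's jku only if it is https and on a host the admin expects."""
    jku = jwt_header(token).get("jku")
    if not jku:
        raise ValueError("token header has no jku parameter")
    url = urlsplit(jku)
    if url.scheme != "https":
        raise ValueError(f"jku is not an https URL: {jku}")
    # The header is unverified input: do not configure a key source you do not recognise.
    if url.hostname not in trusted_hosts:
        raise ValueError(f"jku host {url.hostname!r} is not an expected issuer host")
    return jku


def hive_site_value(tokens, trusted_hosts) -> str:
    """Build the comma-separated hive.server2.authentication.jwt.jwks.url value."""
    urls = dict.fromkeys(jwks_url_from_token(t, trusted_hosts) for t in tokens)
    return ",".join(urls)  # dict.fromkeys de-duplicates while preserving order


def b64url(obj) -> str:
    """Helper used only to construct the sample token below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token (not a real credential); the signature segment is a dummy.
SAMPLE_JKU = "https://myadmin-host/myadmin/homepage/knoxtoken/api/v1/jwks.json"
SAMPLE_TOKEN = ".".join(
    [b64url({"alg": "RS256", "jku": SAMPLE_JKU}), b64url({"sub": "constructed-user"}), "c2ln"]
)

if __name__ == "__main__":
    print(hive_site_value([SAMPLE_TOKEN], {"myadmin-host"}))
```

Pass tokens from each issuer you need to support; a token whose jku points at an unexpected host is rejected instead of being written into hive-site.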