Cloudera Docs

Configuring the Hive Virtual Warehouse for authentication

You need to enable platform JWT authentication for your Hive Virtual Warehouse during creation or editing of the Virtual Warehouse and configure some HiveServer (HS2) properties. This ensures that the Hive Virtual Warehouse supports authentication using JWT tokens.

You must have acquired the JWT token through your Identity Provider (IDP). In CDW, you use the Knox Token Generation service to generate the token.
  1. Follow the instructions for creating a Virtual Warehouse.
  2. Select Enable JWT Authentication.
  3. From the Overview page, click against the required Hive Virtual Warehouse, and click Edit.
  4. In the Details page, click CONFIGURATIONS > Hiveserver2.
  5. Select hive-site from the drop-down list, search for hive.server2.authentication, and set the value to JWT along with existing authentication protocols that are specified.
    For example, 'LDAP,SAML,JWT'.
  6. Search for hive.server2.authentication.jwt.jwks.skip.ssl.cert and set the value to true.
  7. Search for hive.server2.transport.mode and set the value to http.
  8. Search for hive.server2.authentication.jwt.jwks.url and, if you find it, set the value to the JSON Web Key Sets (JWKS) URL, which is used to sign the JWT token. For example, https://myadmin-host/myadmin/homepage/knoxtoken/api/v1/jwks.json
    If you do not find hive.server2.authentication.jwt.jwks.url, click and add it to hive-site as a custom property, and then set the value to the JSON Web Key Sets (JWKS) URL.

    You can fetch the JWKS URL by pasting the copied JWT token in the jwt.io website. Paste the JWT token in the Encoded text box of the Debugger and the decoded token header displays a jku parameter that contains the URL. You can provide a comma-separated list of jwks.json URL for this configuration.

  9. If you modify the JWKS URL, restart HiveServer.