Cloudera Docs

Configuring the Hive Virtual Warehouse for authentication

Before setting up token-based authentication, you must configure a few HiveServer (HS2) properties and add a custom property.

  • You must have acquired the JWT token through your Identity Provider (IDP). In CDW Public Cloud, you use the Knox Token Generation service to generate the token as described in "Acquiring a JWT Token".
  1. In the CDW UI, in Overview, select a Hive Virtual Warehouse, click , and click Edit.
  2. In Details, click CONFIGURATIONS > HiveServer2.
  3. Select hive-site from the drop-down list, search for hive.server2.authentication. , and set the value to JWT along with existing authentication protocols that are specified.
    For example, 'LDAP,SAML,JWT'.
  4. Search for hive.server2.authentication.jwt.jwks.skip.ssl.cert and set the value to true.
  5. Search for hive.server2.transport.mode and set the value to http.
  6. Search for hive.server2.authentication.jwt.jwks.url and, if you find it, set the value to the JSON Web Key Sets (JWKS) URL, which is used to sign the JWT token. For example, https://myadmin-host/myadmin/homepage/knoxtoken/api/v1/jwks.json
    If you do not find hive.server2.authentication.jwt.jwks.url, click and add it to hive-site as a custom property, and then set the value to the JSON Web Key Sets (JWKS) URL.

    You can fetch the JWKS URL by pasting the copied JWT token in the jwt.io website. Paste the JWT token in the Encoded text box of the Debugger and the decoded token header displays a jku parameter that contains the URL. You can provide a comma-separated list of jwks.json URL for this configuration.

  7. If you modify the JWKS URL, restart HiveServer.