Authenticating Cloudera AI Inference service

Cloudera AI Inference service uses Cloudera Workload Authentication JSON Web Token (JWT) to authenticate users and clients that interact with all HTTP endpoints exposed by the service workload.

Authenticating using JWT: All client applications must present a valid JWT as an HTTP Authorization Bearer token, as shown in the following example:

$ export CDP_TOKEN=${JWT}
$ curl -H "Authorization: Bearer ${CDP_TOKEN}" <URL>

UMS Token Expiration

UMS tokens expire after one hour by default.
If a token is expired, the service returns an HTTP 401 Unauthorized response.

Supported JWT Issuers

Cloudera AI Inference service supports JWTs issued by the following identity providers:

User Management Service (UMS) (part of the Cloudera Control Plane)

Obtain the CDP_TOKEN from the User Management Service (UMS) using either the CDP CLI or Cloudera AI Inference service UI.
1. Optional: Use the CDP CLI:
```
$ CDP_TOKEN=$(cdp iam generate-workload-auth-token --workload-name DE | jq -r '.token')
```
  note
  The same workload name (for example, DE in the above command) can be used to authenticate with Cloudera AI Inference service.
2. Optional: Use the Cloudera AI Inference service UI, navigate to Model Endpoints:
  1. In the Cloudera console, click the Cloudera AI tile.
    The Cloudera AI Workbenches page displays.
  2. Click Model Endpoints under Deployments on the left navigation menu.
  3. Click your model endpoint.
  4. Click on Code Sample.
  5. Click on Copy CDP Token.
Set the /tmp/jwt file in the Cloudera AI Workbench.
1. In the Cloudera console, click the Cloudera AI tile.
  
  The Cloudera AI Workbenches page displays.
2. Click on your workbench, create a new project, and start a new JupyterLab session.
3. Create a text file in the workbench called jwt.
4. Add the following to the contents of the file:
```
{"access_token":"CDP_TOKEN","token_type":"Bearer"}
```
  Substitute the CDP_TOKEN with the actual CDP_TOKEN.
5. Go to Terminal Access , and copy the jwt to /tmp/jwt.