Authentication of Cloudera AI Inference service
Cloudera AI Inference service uses Cloudera Data Platform Workload Authentication JSON Web Token (JWT) to authenticate users/clients that interact with all HTTP endpoints exposed by the service workload.
External Clients' Authentication
External clients that run outside of Cloudera Private Cloud Data Services and that interact with Cloudera AI Inference service API and with model endpoints must obtain a JWT from the Cloudera Data Platform control plane, which must be passed as a bearer token in HTTP requests sent to the Cloudera AI Inference service API and model endpoints.
-
Obtain the JWT using Cloudera Data Platform CLI.
$ CDP_TOKEN=$(cdp iam generate-workload-auth-token --workload-name [***Workload name***] | jq -r '.token')The same workload name (DE) can be used for authentication to Cloudera AI Inference service as well.
-
Pass CDP_TOKEN in the HTTP request header.
$ curl -H "Authorization: Bearer ${CDP_TOKEN}" [***URL***]The token obtained using this method expires in one hour by default. You must obtain a new token if your token is rejected by the server as expired. The server responds with a
401 HTTPresponse code if the token has expired. -
Create tokens with longer lifetimes than the default 1 hour using the following Cloudera Data Platform command:
$ cdp iam set-authentication-policy --workload-auth-token-expiration-sec [***EXPIRATION-TIME-IN-SECONDS***]
Internal Clients Authentication
Authenticated clients or users running inside another Cloudera Private Cloud Data Services,
like a Cloudera AI Workbench, or Hue UI in the same environment, can pass Data
Lake issued JWTs for authentication to Cloudera AI Inference service running in the
environment. For instance, inside a Cloudera AI Workbench session, this JWT is available as the
access_token field in the /tmp/jwt file.
