Authentication of Cloudera AI Inference service

Cloudera AI Inference service uses Cloudera Workload Authentication JSON Web Token (JWT) to authenticate users and clients that interact with all HTTP endpoints exposed by the service workload.

Authenticating using JWT: All client applications must present a valid JWT as an HTTP Authorization Bearer token, as shown in the following example:

$ export CDP_TOKEN=${JWT}
$ curl -H "Authorization: Bearer ${CDP_TOKEN}" <URL>

Supported JWT Issuers

Cloudera AI Inference service supports JWTs issued by the following identity providers:

Knox Gateway Server (running in the Data Lake environment)
User Management Service (UMS) (part of the Cloudera Control Plane)

Using Data Lake Knox JWT

You can use the Data Lake Knox JWT for most authentication scenarios. For more information about Apache Knox configuration, see Knox documentation.

Open the Data Lake tab in the CDP environment UI.
Click the Token Integration link.
In the newly opened window, click Token Generation.
Use the new window, set the desired token lifetime and generate a JWT.
Copy the generated JWT from the Knox UI and use it in your application as an Authorization Bearer Token:
1. Go to the Endpoint Details page of any model endpoint in the UI.
2. Click Code Sample tab.
3. Click Copy CDP Token.
  note
  - Configured maximum lifetime indicates the maximum expiration time allowed for the token.
  - You can specify the desired lifetime of the token during generation.
  - To increase the configured maximum lifetime, access the Data Lake CM UI. Refer to the Knox documentation for configuring the maximum lifetime.

Using Auto-generated Kerberos JWTs

Some applications, such as Cloudera AI Workbench, automatically generates JWTs using the user's Kerberos credentials. These JWTs are automatically injected into all user workload pods , such as, workbench session pod, or an application pod and are stored at /tmp/jwt.

Applications can extract the JWT to authenticate to Cloudera AI Inference service. The following example shows a simple Python code that reads JWT from a file in Python:

import json
JWT = json.load(open('/tmp/jwt', 'r'))['access_token']

Use this token to authenticate your app to the AI Inference service.

Using a UMS JWT

You can obtain JWTs from the User Management Service (UMS) using either the CDP CLI or Cloudera AI Inference service UI.

Option 1: Using the CDP CLI:
```
$ CDP_TOKEN=$(cdp iam generate-workload-auth-token --workload-name DE | jq -r '.token')
```
note
The same workload name (for example, DE in the above eommand) can be used to authenticate with Cloudera AI Inference service.
Option 2: Using Cloudera AI Inference service UI:
1. Open the model's Endpoint details page.
2. click Code Sample tab.
3. Click Copy CDP Token.

UMS Token Expiration

UMS tokens expire after one hour by default.
If a token is expired, the service returns an HTTP 401 Unauthorized response.
To extend the token lifetime, use the following command:
```
$ cdp iam set-authentication-policy --workload-auth-token-expiration-sec <expiration-time-in-seconds>
```
warning
This setting applies to the entire CDP account and is not limited to Cloudera AI Inference service. Increasing the token expiration time may introduce security risks, as JWT tokens, unlike API keys, cannot be revoked. Additionally, note that the above command requires the AUTHENTICATION_POLICY Cloudera entitlement.

Recommended token for Automation: Knox JWT

For most programmatic and automation use cases, the Data Lake Knox JWT is recommended instead of UMS JWT for the following reasons:

Faster Authentication : Knox JWT validation is faster, as the issuer is located within the same environment as the Cloudera AI Inference service.
Environment Scope: Knox JWTs are environment-scoped, while UMS JWTs are tenant-scoped.
Simplified Expiration Management: Knox token expiration policies are easier to configure.
Better Machine User Support: The Knox server offers easier management and issuance for service accounts.