Authentication of Cloudera AI Inference service
Cloudera AI Inference service uses CDP Workload Authentication JSON Web Token (JWT) to authenticate users/clients that interact with all HTTP endpoints exposed by the service workload.
External Clients' Authentication
External clients that run outside of CDP data services and that interact with Cloudera AI Inference service API and with model endpoints must obtain a JWT from the CDP control plane, which must be passed as a bearer token in HTTP requests sent to the Cloudera AI Inference service API and model endpoints.
-
Obtain the JWT using CDP CLI.
$ CDP_TOKEN=$(cdp iam generate-workload-auth-token --workload-name [***Workload name***] | jq -r '.token')
The same workload name (DE) can be used for authentication to Cloudera AI Inference service as well.
-
Pass CDP_TOKEN in the HTTP request header.
$ curl -H "Authorization: Bearer ${CDP_TOKEN}" [***URL***]
The token obtained using this method expires in one hour by default. You must obtain a new token if your token is rejected by the server as expired. The server responds with a
401 HTTP
response code if the token has expired. -
Create tokens with longer lifetimes than the default 1 hour using the following CDP command:
$ cdp iam set-authentication-policy --workload-auth-token-expiration-sec [***EXPIRATION-TIME-IN-SECONDS***]
Internal Clients Authentication
Authenticated clients or users running inside another Cloudera Data Platform Data Service,
like a Cloudera Machine Learning Workspace, or Hue UI in the same environment, can pass Data
Lake issued JWTs for authentication to Cloudera AI Inference service running in the
environment. For instance, inside a CML Workspace session, this JWT is available as the
access_token
field in the /tmp/jwt file.