Authentication of Cloudera AI Inference service
Cloudera AI Inference service uses Cloudera Workload Authentication JSON Web Token (JWT) to authenticate users and clients that interact with all HTTP endpoints exposed by the service workload.
Authenticating using JWT: All client applications must present a valid JWT as an HTTP Authorization Bearer token, as shown in the following example:
$ export CDP_TOKEN=${JWT}
$ curl -H "Authorization: Bearer ${CDP_TOKEN}" <URL>
Supported JWT Issuers
Cloudera AI Inference service supports JWTs issued by the following identity providers:
- Knox Gateway Server (running in the Data Lake environment)
- User Management Service (UMS) (part of the Cloudera Control Plane)
Using Data Lake Knox JWT
You can use the Data Lake Knox JWT for most authentication scenarios. For more information about Apache Knox configuration, see Knox documentation.
- Open the Data Lake tab in the CDP environment UI.
- Click the Token Integration link.
- In the newly opened window, click Token Generation.
- In the new window, set the desired token lifetime and generate a JWT.
- Copy the generated JWT from the Knox UI and use it in your application as an Authorization Bearer Token:
- Go to the Endpoint Details page of any model endpoint in the UI.
- Click Code Sample tab.
- Click Copy CDP Token.
Using Auto-generated Kerberos JWTs
Some applications, such as Cloudera AI Workbench, automatically generate JWTs using the user's Kerberos credentials. These JWTs are automatically injected into all user workload pods, such as a workbench session pod or an application pod, and are stored at /tmp/jwt.
import json
# The injected /tmp/jwt file is a JSON document; the JWT is its "access_token" field.
with open('/tmp/jwt', 'r') as fh:
    JWT = json.load(fh)['access_token']
Use this token to authenticate your app to the AI Inference service.
Using a UMS JWT
- Option 1: Using the CDP CLI:
$ CDP_TOKEN=$(cdp iam generate-workload-auth-token --workload-name DE | jq -r '.token')
- Option 2: Using Cloudera AI Inference service UI:
- Open the model's Endpoint details page.
- Click Code Sample tab.
- Click Copy CDP Token.
UMS Token Expiration
- UMS tokens expire after one hour by default.
- If a token is expired, the service returns an HTTP 401 Unauthorized response.
- To extend the token lifetime, use the following command:
$ cdp iam set-authentication-policy --workload-auth-token-expiration-sec <expiration-time-in-seconds>
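The two points above that matter to a client, the /tmp/jwt file layout (a JSON document whose access_token field holds the JWT) and the fact that an expired UMS token is rejected with HTTP 401, can be handled on the client side before a request is sent. The following is an added example, not code from the Cloudera documentation or the Cloudera AI Inference service. It assumes the token is a compact JWS (base64url header.payload.signature) carrying a standard exp claim in seconds since the epoch; the payload is decoded without verifying the signature, which is enough to decide whether a token is worth sending but never a reason to trust its contents (the service performs the real validation). The sample token in make_sample_jwt is constructed for offline use and carries a placeholder signature.

```python
"""Client-side handling of a Cloudera Workload Authentication JWT (added example)."""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore '=' before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def load_jwt(path: str = "/tmp/jwt") -> str:
    """Read the injected token file (assumed layout: {"access_token": "<jwt>"})."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)["access_token"]


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds left before the token's exp claim; negative once it has expired."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token carries no exp claim")
    now = time.time() if now is None else now
    return float(exp) - now


def bearer_headers(token: str, now: Optional[float] = None, min_remaining: int = 60) -> dict:
    """Build the Authorization header, refusing a token that is expired or about to be.

    Sending an expired token only earns an HTTP 401 from the service; checking
    locally lets the caller regenerate a token (for UMS, with
    `cdp iam generate-workload-auth-token`) before the request goes out.
    """
    remaining = seconds_until_expiry(token, now)
    if remaining < min_remaining:
        raise PermissionError(f"token expires in {remaining:.0f}s; generate a new one")
    return {"Authorization": f"Bearer {token}"}


def make_sample_jwt(exp: int, sub: str = "example-user") -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = enc({"alg": "RS256", "typ": "JWT"})
    payload = enc({"sub": sub, "iss": "constructed-example", "exp": exp})
    return f"{header}.{payload}.signature-placeholder"


if __name__ == "__main__":
    now = 1_700_000_000
    fresh = make_sample_jwt(exp=now + 3600)  # one-hour lifetime, the UMS default
    stale = make_sample_jwt(exp=now - 5)
    print(bearer_headers(fresh, now=now)["Authorization"][:40], "...")
    try:
        bearer_headers(stale, now=now)
    except PermissionError as err:
        print("refused:", err)
```

In a workload pod, replace the constructed token with `load_jwt()` and pass the returned headers to your HTTP client; a PermissionError is the signal to fetch a fresh token rather than to retry the request.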
Recommended token for Automation: Knox JWT
For most programmatic and automation use cases, the Data Lake Knox JWT is recommended instead of a UMS JWT for the following reasons:
- Faster Authentication: Knox JWT validation is faster, as the issuer is located within the same environment as the Cloudera AI Inference service.
- Environment Scope: Knox JWTs are environment-scoped, while UMS JWTs are tenant-scoped.
- Simplified Expiration Management: Knox token expiration policies are easier to configure.
- Better Machine User Support: The Knox server offers easier management and issuance for service accounts.