Authentication of Cloudera AI Inference service
Cloudera AI Inference service uses Cloudera Workload Authentication JSON Web Token (JWT) to authenticate users/clients that interact with all HTTP endpoints exposed by the service workload.
External Clients' Authentication
External clients that run outside of Cloudera Data Services on premises and that interact with Cloudera AI Inference service API and with model endpoints must obtain a JWT from the Cloudera control plane, which must be passed as a bearer token in HTTP requests sent to the Cloudera AI Inference service API and model endpoints.
-
Obtain the JWT:
-
Using CDP CLI.
$ CDP_TOKEN=$(cdp iam generate-workload-auth-token --workload-name [***Workload name***] | jq -r '.token')The same workload name (DE) can be used for authentication to Cloudera AI Inference service as well.
- Using Cloudera AI Inference service UI: Go to the Endpoint details page of any model endpoint,
click Code Sample tab, and then on Copy CDP
Token.
-
-
Pass CDP_TOKEN in the HTTP request header.
$ curl -H "Authorization: Bearer ${CDP_TOKEN}" [***URL***]The token obtained using this method expires in one hour by default. You must obtain a new token if your token is rejected by the server as expired. The server responds with a
401 HTTPresponse code if the token has expired. -
Create tokens with longer lifetimes than the default 1 hour using the following Cloudera command:
$ cdp iam set-authentication-policy --workload-auth-token-expiration-sec [***EXPIRATION-TIME-IN-SECONDS***]
Internal Clients Authentication
Authenticated clients or users running inside other Cloudera data services, like a Cloudera AI Workbench, or Hue UI in the same environment, can pass Data Lake
issued JWTs for authentication to Cloudera AI Inference service running in the
environment. For instance, inside a Cloudera AI Workbench session, this JWT
is available as the access_token field in the /tmp/jwt
file. For example, see Inference using OpenAI Python SDK client in a Cloudera AI Workbench Session.
