Configuring server-side JWT authentication for Kudu

Learn how to configure server-side changes for JSON Web Token (JWT) authentication for Kudu.

JWT authentication is an experimental feature. To change the flags mentioned in the following steps, you need to add --unlock_experimental_flags to the Kudu safety valve configuration.
  1. Log in to Cloudera Manager.
  2. Select the Kudu service.
  3. Click Configurations.
  4. Search for Kudu Service Advanced Configuration Snippet (Safety Valve) for gflagfile, and configure the required configuration parameters for JWT authentication:
    --unlock_experimental_flags
    --enable_jwt_token_auth=true
    --jwks_url=...
    The following list describes the configuration flags available:
    enable_jwt_token_auth
    Valid option: Boolean
    Default value: false
    Description: Enables JWT authentication. The server expects the client to send a valid JWT, which is verified when the connection is being established. When set to true, the server reads the JWT out of the RPC and extracts the user name from the token payload.

    Either --jwks_file_path or --jwks_url (but not both) must be set when --enable_jwt_token_auth is set to true.

    jwks_file_path
    Valid option: String
    Description: File path of the pre-installed JSON Web Key Set (JWKS) for JWT verification.
    jwks_url
    Valid option: String
    Description: URL of the JWKS for JWT verification.
  5. Optional: Add the --trusted_certificate_file=... flag as well if the JWKS server you are using does not have an SSL certificate signed by a CA that is trusted at the system level.
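
As an added example (not Cloudera's or Kudu's own code), the following Python check lints a gflagfile snippet against the rules in these steps before it is pasted into the safety valve. The function names, sample host name and file path are constructed, and the https check on jwks_url is an extra check that this page does not state.

```python
# Added example: lint a gflagfile snippet against the JWT rules stated on this page.
TRUE_VALUES = {"true", "t", "1", "yes", "y"}   # gflags spellings of boolean true
BOOL_FLAGS = {"unlock_experimental_flags", "enable_jwt_token_auth"}

def parse_gflags(text):
    """Parse gflagfile lines (--flag=value, --flag, --noflag) into a dict."""
    flags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank line or comment
            continue
        name, sep, value = line.lstrip("-").partition("=")
        if not sep:                                  # bare form: --flag or --noflag
            value = "true"
            if name.startswith("no") and name[2:] in BOOL_FLAGS:
                name, value = name[2:], "false"
        flags[name.strip()] = value.strip()
    return flags

def check_jwt_config(text):
    """Return a list of problems; an empty list means the snippet is consistent."""
    flags = parse_gflags(text)
    is_true = lambda n: flags.get(n, "false").lower() in TRUE_VALUES
    if not is_true("enable_jwt_token_auth"):
        return ["enable_jwt_token_auth is not true, so JWT authentication stays off"]
    problems = []
    if not is_true("unlock_experimental_flags"):
        problems.append("unlock_experimental_flags is missing; JWT flags are experimental")
    url, path = flags.get("jwks_url"), flags.get("jwks_file_path")
    if bool(url) == bool(path):
        problems.append("set exactly one of jwks_url / jwks_file_path (%s)"
                        % ("both are set" if url else "neither is set"))
    # Extra check, not from the page: keys fetched over plain HTTP can be swapped in transit.
    if url and not url.lower().startswith("https://"):
        problems.append("jwks_url does not use https")
    return problems

# Constructed sample input; host name and file path are placeholders.
SAMPLE_BAD = """\
--unlock_experimental_flags
--enable_jwt_token_auth=true
--jwks_url=http://idp.example.com/jwks.json
--jwks_file_path=/etc/kudu/jwks.json
"""
SAMPLE_GOOD = "--unlock_experimental_flags\n--enable_jwt_token_auth=true\n--jwks_url=https://idp.example.com/jwks.json\n"

if __name__ == "__main__":
    for problem in check_jwt_config(SAMPLE_BAD):
        print("FAIL:", problem)
```

An empty result means the snippet enables JWT authentication, unlocks experimental flags, and names exactly one JWKS source.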