Articles in this section

See more

Enabling JWT Authentication

Avatar
Lars George
  • Updated
Follow

Question

When you install a cluster and do not enable any authentication method, the cluster is started in test mode, allowing access to all users. I want to enable JWT authentication now, how do I do that?
 

Answer

Note: The information in this FAQ may be outdated. Refer to the Okera documentation here for current configuration instructions.
 

1. Create a Key Pair

For example, use ssh-keygen to generate a key pair and then export the public key in PEM format:
% ssh-keygen -b 2048 -t rsa -f ~/my_rsa.key -N "" -q
% openssl rsa -in ~/my_rsa.key -outform PEM -pubout -out ~/my_rsa.pub
Notes:
  • You can also use an existing SSH key pair, given you export its public key in PEM format as explained above.
  • You can also other tools to generate a key pair. Using the SSH CLI tools are convenient and suffice usually.

2. Configure the Public Ke

Copy the PEM file to the S3 location of the configured staging directory for this cluster, set by "OKERA_S3_STAGING_DIR". Create a "/etc" directory inside that location and copy the public key into it. For example, using the AWS tools:
% aws s3 cp ~/my_rsa.pub s3://example/etc/
upload: ~/my_rsa.pub to s3://example/etc/my_rsa.pub

% aws s3 ls s3://example/etc/
...
2018-10-24 10:49:16 401 id_rsa.pub
...
Then add the key to the /etc/okera/env.sh file:
export OKERA_JWT_PUBLIC_KEY="/etc/my_rsa.pub"
Notes:
  • You can also add it to another bucket you already have and use the explicit S3 path.
  • The value of the above variable allows for more than one key file to be specified. This is needed, for example, when integrating with other JWT enabled clients, such as Databricks. Use commas to separate them.

3. Configure Admin Group

You need to set the groups that contain DBAs, using the following environment variable in the/etc/okera/env.sh file:
export OKERA_CATALOG_ADMINS=admin,username1,admin-group

 

4. Create Tokens

Now that you have a private key and configured the public key, you can create the tokens you need. Use the DMs CLI tool ("ocadm") to do so. When creating the tokens, you need to create at least two separate ones:
 

A. System Token
Create the system token that is used internally:

% cli/ocadm tokens create okera root admin --jwtPrivateKey ~/my_rsa.key > system.token
 

B. User Tokens

For example:
% cli/ocadm tokens create admin admin --jwtPrivateKey ~/my_rsa.key > admin.token
This creates an admin token. You can use the content of the resulting token file to log into the UI.
 
Another example:
% cli/ocadm tokens create testuser test --jwtPrivateKey ~/my_rsa.key > testuser.token
This creates a token for a regular user, since the group "test" was used, which is not specified as one of the catalog admin groups (see next step). You can use the content of the resulting token file to log into the UI.
 

5. Configure the System Token

Upload the system token to the S3 bucket, the same way as done for the public key (see above):
% aws s3 cp ~/system.token s3://example/etc/
Then configure it in the /etc/okera/env.sh file:
export OKERA_SYSTEM_TOKEN="/etc/system.token"
 
6. Restart Resources 
 Finally, restart the cluster to push the new setting.
 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk