When you install a cluster and do not enable any authentication method, the cluster is started in test mode, allowing access to all users. I want to enable JWT authentication now, how do I do that?
Note: The information in this FAQ may be outdated. Refer to the Okera documentation here for current configuration instructions.
1. Create a Key Pair
For example, use ssh-keygen to generate a key pair and then export the public key in PEM format (the -m PEM flag makes newer ssh-keygen versions write the private key in the PEM format that openssl can read):
% ssh-keygen -b 2048 -t rsa -m PEM -f ~/my_rsa.key -N "" -q
% openssl rsa -in ~/my_rsa.key -outform PEM -pubout -out ~/my_rsa.pub
- You can also use an existing SSH key pair, provided you export its public key in PEM format as explained above.
- You can also use other tools to generate a key pair. The SSH CLI tools are convenient and usually sufficient.
2. Configure the Public Key
Copy the PEM file to the S3 location of the configured staging directory for this cluster, set by "OKERA_S3_STAGING_DIR". Create a "/etc" directory inside that location and copy the public key into it. For example, using the AWS tools:
% aws s3 cp ~/my_rsa.pub s3://example/etc/
upload: ~/my_rsa.pub to s3://example/etc/my_rsa.pub
% aws s3 ls s3://example/etc/
2018-10-24 10:49:16 401 id_rsa.pub
Then add the key to the /etc/okera/env.sh file:
- You can also add it to another bucket you already have and use the explicit S3 path.
- The value of the above variable allows for more than one key file to be specified. This is needed, for example, when integrating with other JWT enabled clients, such as Databricks. Use commas to separate them.
3. Configure Admin Group
You need to set the groups that contain DBAs, using the following environment variable in the /etc/okera/env.sh file:
4. Create Tokens
Now that you have a private key and configured the public key, you can create the tokens you need. Use the DMs CLI tool ("ocadm") to do so. When creating the tokens, you need to create at least two separate ones:
A. System Token
Create the system token that is used internally:
% cli/ocadm tokens create okera root admin --jwtPrivateKey ~/my_rsa.key > system.token
B. User Tokens
% cli/ocadm tokens create admin admin --jwtPrivateKey ~/my_rsa.key > admin.token
This creates an admin token. You can use the content of the resulting token file to log into the UI.
% cli/ocadm tokens create testuser test --jwtPrivateKey ~/my_rsa.key > testuser.token
This creates a token for a regular user, since the group "test" was used, which is not one of the configured catalog admin groups (see step 3 above). You can use the content of the resulting token file to log into the UI.
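Before handing a token to anyone, it is worth checking that it really validates against the public key you uploaded in step 2 and carries the subject and groups you intended. The following shell function is an added example, not part of this FAQ or of the ocadm tool; it assumes the tokens are RS256-signed JWTs (header.payload.signature, base64url-encoded) and that openssl and base64 are available.

```shell
# jwt_verify_rs256 <public.pem> <token-file>
# Verifies the RS256 signature of a JWT against a PEM public key.
# On success it prints the payload claims and returns 0; otherwise non-zero.

b64url_decode() {
  # base64url -> standard base64 (restore padding), then decode
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

jwt_verify_rs256() {
  pub="$1"
  token=$(tr -d '[:space:]' < "$2")
  # A JWT must have exactly three dot-separated parts
  case "$token" in
    *.*.*) ;;
    *) echo "malformed token" >&2; return 2 ;;
  esac
  header=${token%%.*}
  payload=${token#*.}; payload=${payload%%.*}
  sig=${token##*.}
  # Only accept RS256: the key uploaded to the cluster is an RSA public key,
  # so any other algorithm in the header is a mismatch, not a valid token.
  b64url_decode "$header" | grep -Eq '"alg" *: *"RS256"' \
    || { echo "unexpected or missing alg" >&2; return 2; }
  sigfile=$(mktemp)
  b64url_decode "$sig" > "$sigfile"
  # The signature covers the literal "header.payload" string
  if printf '%s' "${header}.${payload}" \
       | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1
  then
    rm -f "$sigfile"
    b64url_decode "$payload"; echo
    return 0
  fi
  rm -f "$sigfile"
  echo "signature verification failed" >&2
  return 1
}
```

Run it as `jwt_verify_rs256 ~/my_rsa.pub admin.token` and confirm the printed claims name the user and groups you expect; a token whose payload was altered after signing, or one signed with a different key, is rejected.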
5. Configure the System Token
Upload the system token to the S3 bucket, the same way as done for the public key (see above):
% aws s3 cp ~/system.token s3://example/etc/
Then configure it in the /etc/okera/env.sh file:
6. Restart Resources