OpenSearch/x-pack/docs/en/security/authentication/user-cache.asciidoc

[role="xpack"]
[[controlling-user-cache]]
=== Controlling the user cache

User credentials are cached in memory on each node to avoid connecting to a
remote authentication service or hitting the disk for every incoming request.
You can configure characteristics of the user cache with the `cache.ttl`,
`cache.max_users`, and `cache.hash_algo` realm settings.

NOTE: PKI realms do not cache user credentials but do cache the resolved user
object to avoid unnecessarily needing to perform role mapping on each request.

The cached user credentials are hashed in memory. By default, the {es}
{security-features} use a salted `sha-256` hash algorithm. You can use a
different hashing algorithm by setting the `cache.hash_algo` realm settings. See 
{ref}/security-settings.html#hashing-settings[User cache and password hash algorithms].

[[cache-eviction-api]]
==== Evicting users from the cache

You can use the {ref}/security-api-clear-cache.html[clear cache API] to force
the eviction of cached users . For example, the following request evicts all
users from the `ad1` realm:

[source,js]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_security/realm/ad1/_clear_cache'
------------------------------------------------------------

To clear the cache for multiple realms, specify the realms as a comma-separated
list:

[source,js]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_security/realm/ad1,ad2/_clear_cache'
------------------------------------------------------------

You can also evict specific users:

[source, java]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'
------------------------------------------------------------
[DOCS] Fixes title capitalization in security content 2018-05-14 18:35:02 -04:00			`[role="xpack"]`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`[[controlling-user-cache]]`
[DOCS] Fixes title capitalization in security content 2018-05-14 18:35:02 -04:00			`=== Controlling the user cache`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
			`User credentials are cached in memory on each node to avoid connecting to a`
			`remote authentication service or hitting the disk for every incoming request.`
			You can configure characteristics of the user cache with the `cache.ttl`,
			`cache.max_users`, and `cache.hash_algo` realm settings.

Security: cache users in PKI realm (elastic/x-pack-elasticsearch#4428) The PKI realm has never been a caching realm as the need had not presented itself until now. The PKI realm relies on role mappings to map the DN from a certificate to roles so that the users have the appropriate access permissions. Without caching, this role mapping will happen on every request. For file based role mappings, this is not an issue as the mappings are based on equality checks for the DN. However, the design of the API based role mappings allows for more complex matches. These matches are implemented using automata, which are built on every request that needs role mappings. Building automata is an expensive operation and in combination with the PKI realm's lack of caching leads to a significant performance impact. The change in this commit makes the PkiRealm a caching realm using the same pattern as other caching realms. The cache provided by elasticsearch core is used to map the fingerprint of a certificate to the user that was resolved from this certificate. The semantics of modifications to this cache during iteration requires that we use a read-write lock to protect access. There can be multiple concurrent modifications and retrievals but iteration must be protected from any attempts to modify the cache. Additionally, some PKI tests were converted to single node tests as part of this change. One test only used a single node and the other did not require multiple nodes. relates elastic/x-pack-elasticsearch#4406 Original commit: elastic/x-pack-elasticsearch@214772e1c13ff418570a4ab8043b5a19266f5193 2018-04-20 11:53:47 -04:00			`NOTE: PKI realms do not cache user credentials but do cache the resolved user`
			`object to avoid unnecessarily needing to perform role mapping on each request.`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
[DOCS] Update X-Pack terminology in security docs (#36564) 2018-12-19 17:53:37 -05:00			`The cached user credentials are hashed in memory. By default, the {es}`
			{security-features} use a salted `sha-256` hash algorithm. You can use a
			different hashing algorithm by setting the `cache.hash_algo` realm settings. See
[DOCS] Add configurable password hashing docs (#32849) * [DOCS] Add configurable password hashing docs Adds documentation about the newly introduced configuration option for setting the password hashing algorithm to be used for the users cache and for storing credentials for the native and file realm. 2018-08-21 05:05:42 -04:00			`{ref}/security-settings.html#hashing-settings[User cache and password hash algorithms].`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
			`[[cache-eviction-api]]`
[DOCS] Fixes title capitalization in security content 2018-05-14 18:35:02 -04:00			`==== Evicting users from the cache`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
[DOCS] Update X-Pack terminology in security docs (#36564) 2018-12-19 17:53:37 -05:00			`You can use the {ref}/security-api-clear-cache.html[clear cache API] to force`
			`the eviction of cached users . For example, the following request evicts all`
			users from the `ad1` realm:
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00
[DOCS] Replace "// CONSOLE" comments with [source,console] (#46679) 2019-09-13 11:23:53 -04:00			`[source,js]`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`------------------------------------------------------------`
Deprecate /_xpack/security/* in favor of /_security/* (#36293) * This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs. - REST API docs - HLRC docs and doc tests - Handle REST actions with deprecation warnings - Changed endpoints in rest-api-spec and relevant file names 2018-12-11 04:13:10 -05:00			`$ curl -XPOST 'http://localhost:9200/_security/realm/ad1/_clear_cache'`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`------------------------------------------------------------`

			`To clear the cache for multiple realms, specify the realms as a comma-separated`
			`list:`

[DOCS] Replace "// CONSOLE" comments with [source,console] (#46679) 2019-09-13 11:23:53 -04:00			`[source,js]`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`------------------------------------------------------------`
Deprecate /_xpack/security/* in favor of /_security/* (#36293) * This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs. - REST API docs - HLRC docs and doc tests - Handle REST actions with deprecation warnings - Changed endpoints in rest-api-spec and relevant file names 2018-12-11 04:13:10 -05:00			`$ curl -XPOST 'http://localhost:9200/_security/realm/ad1,ad2/_clear_cache'`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`------------------------------------------------------------`

			`You can also evict specific users:`

			`[source, java]`
			`------------------------------------------------------------`
Deprecate /_xpack/security/* in favor of /_security/* (#36293) * This commit is part of our plan to deprecate and ultimately remove the use of _xpack in the REST APIs. - REST API docs - HLRC docs and doc tests - Handle REST actions with deprecation warnings - Changed endpoints in rest-api-spec and relevant file names 2018-12-11 04:13:10 -05:00			`$ curl -XPOST 'http://localhost:9200/_security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'`
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`------------------------------------------------------------`