OpenSearch/docs/en/security/authentication/user-cache.asciidoc

[[controlling-user-cache]]
=== Controlling the User Cache

User credentials are cached in memory on each node to avoid connecting to a
remote authentication service or hitting the disk for every incoming request.
You can configure characteristics of the user cache with the `cache.ttl`,
`cache.max_users`, and `cache.hash_algo` realm settings.

NOTE: PKI realms do not use the user cache.

The cached user credentials are hashed in memory. By default, {security} uses a
salted `sha-256` hash algorithm. You can use a different hashing algorithm by
setting the `cache_hash_algo` setting to any of the following:

[[cache-hash-algo]]
.Cache hash algorithms
|=======================
| Algorithm           | | | Description
| `ssha256`           | | | Uses a salted `sha-256` algorithm (default).
| `md5`               | | | Uses `MD5` algorithm.
| `sha1`              | | | Uses `SHA1` algorithm.
| `bcrypt`            | | | Uses `bcrypt` algorithm with salt generated in 10 rounds.
| `bcrypt4`           | | | Uses `bcrypt` algorithm with salt generated in 4 rounds.
| `bcrypt5`           | | | Uses `bcrypt` algorithm with salt generated in 5 rounds.
| `bcrypt6`           | | | Uses `bcrypt` algorithm with salt generated in 6 rounds.
| `bcrypt7`           | | | Uses `bcrypt` algorithm with salt generated in 7 rounds.
| `bcrypt8`           | | | Uses `bcrypt` algorithm with salt generated in 8 rounds.
| `bcrypt9`           | | | Uses `bcrypt` algorithm with salt generated in 9 rounds.
| `noop`,`clear_text` | | | Doesn't hash the credentials and keeps it in clear text in
                            memory. CAUTION: keeping clear text is considered insecure
                            and can be compromised at the OS level (for example through
                            memory dumps and using `ptrace`).
|=======================

[[cache-eviction-api]]
==== Evicting Users from the Cache

{security} exposes a <<security-api-clear-cache, Clear Cache API>> you can use
to force the eviction of cached users. For example, the following request evicts
all users from the `ad1` realm:

[source, js]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache'
------------------------------------------------------------

To clear the cache for multiple realms, specify the realms as a comma-separated
list:

[source, js]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache'
------------------------------------------------------------

You can also evict specific users:

[source, java]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'
------------------------------------------------------------
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`[[controlling-user-cache]]`
			`=== Controlling the User Cache`

			`User credentials are cached in memory on each node to avoid connecting to a`
			`remote authentication service or hitting the disk for every incoming request.`
			You can configure characteristics of the user cache with the `cache.ttl`,
			`cache.max_users`, and `cache.hash_algo` realm settings.

			`NOTE: PKI realms do not use the user cache.`

			`The cached user credentials are hashed in memory. By default, {security} uses a`
			salted `sha-256` hash algorithm. You can use a different hashing algorithm by
			setting the `cache_hash_algo` setting to any of the following:

			`[[cache-hash-algo]]`
			`.Cache hash algorithms`
			`\|=======================`
			`\| Algorithm \| \| \| Description`
			\| `ssha256` \| \| \| Uses a salted `sha-256` algorithm (default).
			\| `md5` \| \| \| Uses `MD5` algorithm.
			\| `sha1` \| \| \| Uses `SHA1` algorithm.
			\| `bcrypt` \| \| \| Uses `bcrypt` algorithm with salt generated in 10 rounds.
			\| `bcrypt4` \| \| \| Uses `bcrypt` algorithm with salt generated in 4 rounds.
			\| `bcrypt5` \| \| \| Uses `bcrypt` algorithm with salt generated in 5 rounds.
			\| `bcrypt6` \| \| \| Uses `bcrypt` algorithm with salt generated in 6 rounds.
			\| `bcrypt7` \| \| \| Uses `bcrypt` algorithm with salt generated in 7 rounds.
			\| `bcrypt8` \| \| \| Uses `bcrypt` algorithm with salt generated in 8 rounds.
			\| `bcrypt9` \| \| \| Uses `bcrypt` algorithm with salt generated in 9 rounds.
			\| `noop`,`clear_text` \| \| \| Doesn't hash the credentials and keeps it in clear text in
			`memory. CAUTION: keeping clear text is considered insecure`
			`and can be compromised at the OS level (for example through`
			memory dumps and using `ptrace`).
			`\|=======================`

			`[[cache-eviction-api]]`
			`==== Evicting Users from the Cache`

			`{security} exposes a <<security-api-clear-cache, Clear Cache API>> you can use`
			`to force the eviction of cached users. For example, the following request evicts`
			all users from the `ad1` realm:

			`[source, js]`
			`------------------------------------------------------------`
			`$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache'`
			`------------------------------------------------------------`

			`To clear the cache for multiple realms, specify the realms as a comma-separated`
			`list:`

			`[source, js]`
			`------------------------------------------------------------`
			`$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache'`
			`------------------------------------------------------------`

			`You can also evict specific users:`

			`[source, java]`
			`------------------------------------------------------------`
			`$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'`
			`------------------------------------------------------------`