OpenSearch/x-pack/docs/en/security/authentication/user-cache.asciidoc

45 lines
1.8 KiB
Plaintext
Raw Normal View History

[role="xpack"]
[[controlling-user-cache]]
=== Controlling the user cache
User credentials are cached in memory on each node to avoid connecting to a
remote authentication service or hitting the disk for every incoming request.
You can configure characteristics of the user cache with the `cache.ttl`,
`cache.max_users`, and `cache.hash_algo` realm settings.
Security: cache users in PKI realm (elastic/x-pack-elasticsearch#4428) The PKI realm has never been a caching realm as the need had not presented itself until now. The PKI realm relies on role mappings to map the DN from a certificate to roles so that the users have the appropriate access permissions. Without caching, this role mapping will happen on every request. For file based role mappings, this is not an issue as the mappings are based on equality checks for the DN. However, the design of the API based role mappings allows for more complex matches. These matches are implemented using automata, which are built on every request that needs role mappings. Building automata is an expensive operation and in combination with the PKI realm's lack of caching leads to a significant performance impact. The change in this commit makes the PkiRealm a caching realm using the same pattern as other caching realms. The cache provided by elasticsearch core is used to map the fingerprint of a certificate to the user that was resolved from this certificate. The semantics of modifications to this cache during iteration requires that we use a read-write lock to protect access. There can be multiple concurrent modifications and retrievals but iteration must be protected from any attempts to modify the cache. Additionally, some PKI tests were converted to single node tests as part of this change. One test only used a single node and the other did not require multiple nodes. relates elastic/x-pack-elasticsearch#4406 Original commit: elastic/x-pack-elasticsearch@214772e1c13ff418570a4ab8043b5a19266f5193
2018-04-20 11:53:47 -04:00
NOTE: PKI realms do not cache user credentials but do cache the resolved user
object to avoid unnecessarily needing to perform role mapping on each request.
The cached user credentials are hashed in memory. By default, {security} uses a
salted `sha-256` hash algorithm. You can use a different hashing algorithm by
setting the `cache.hash_algo` realm settings. See
{ref}/security-settings.html#hashing-settings[User cache and password hash algorithms].
[[cache-eviction-api]]
==== Evicting users from the cache
{security} exposes a
{ref}/security-api-clear-cache.html[Clear Cache API] you can use
to force the eviction of cached users. For example, the following request evicts
all users from the `ad1` realm:
[source, js]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache'
------------------------------------------------------------
To clear the cache for multiple realms, specify the realms as a comma-separated
list:
[source, js]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache'
------------------------------------------------------------
You can also evict specific users:
[source, java]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'
------------------------------------------------------------