2017-04-06 21:29:29 -04:00
|
|
|
[[controlling-user-cache]]
|
|
|
|
=== Controlling the User Cache
|
|
|
|
|
|
|
|
User credentials are cached in memory on each node to avoid connecting to a
|
|
|
|
remote authentication service or hitting the disk for every incoming request.
|
|
|
|
You can configure characteristics of the user cache with the `cache.ttl`,
|
|
|
|
`cache.max_users`, and `cache.hash_algo` realm settings.
|
|
|
|
|
2018-04-20 11:53:47 -04:00
|
|
|
NOTE: PKI realms do not cache user credentials but do cache the resolved user
|
|
|
|
object to avoid unnecessarily needing to perform role mapping on each request.
|
2017-04-06 21:29:29 -04:00
|
|
|
|
|
|
|
The cached user credentials are hashed in memory. By default, {security} uses a
|
|
|
|
salted `sha-256` hash algorithm. You can use a different hashing algorithm by
|
|
|
|
setting the `cache_hash_algo` setting to any of the following:
|
|
|
|
|
|
|
|
[[cache-hash-algo]]
|
|
|
|
.Cache hash algorithms
|
|
|
|
|=======================
|
|
|
|
| Algorithm | | | Description
|
|
|
|
| `ssha256` | | | Uses a salted `sha-256` algorithm (default).
|
|
|
|
| `md5` | | | Uses `MD5` algorithm.
|
|
|
|
| `sha1` | | | Uses `SHA1` algorithm.
|
2018-04-09 12:59:06 -04:00
|
|
|
| `bcrypt` | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
|
|
|
|
| `bcrypt4` | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
|
|
|
|
| `bcrypt5` | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
|
|
|
|
| `bcrypt6` | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
|
|
|
|
| `bcrypt7` | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
|
|
|
|
| `bcrypt8` | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
|
|
|
|
| `bcrypt9` | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
|
2017-04-06 21:29:29 -04:00
|
|
|
| `noop`,`clear_text` | | | Doesn't hash the credentials and keeps it in clear text in
|
|
|
|
memory. CAUTION: keeping clear text is considered insecure
|
|
|
|
and can be compromised at the OS level (for example through
|
|
|
|
memory dumps and using `ptrace`).
|
|
|
|
|=======================
|
|
|
|
|
|
|
|
[[cache-eviction-api]]
|
|
|
|
==== Evicting Users from the Cache
|
|
|
|
|
2017-06-28 14:02:40 -04:00
|
|
|
{security} exposes a
|
|
|
|
{ref}/security-api-clear-cache.html[Clear Cache API] you can use
|
2017-04-06 21:29:29 -04:00
|
|
|
to force the eviction of cached users. For example, the following request evicts
|
|
|
|
all users from the `ad1` realm:
|
|
|
|
|
|
|
|
[source, js]
|
|
|
|
------------------------------------------------------------
|
|
|
|
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache'
|
|
|
|
------------------------------------------------------------
|
|
|
|
|
|
|
|
To clear the cache for multiple realms, specify the realms as a comma-separated
|
|
|
|
list:
|
|
|
|
|
|
|
|
[source, js]
|
|
|
|
------------------------------------------------------------
|
|
|
|
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache'
|
|
|
|
------------------------------------------------------------
|
|
|
|
|
|
|
|
You can also evict specific users:
|
|
|
|
|
|
|
|
[source, java]
|
|
|
|
------------------------------------------------------------
|
|
|
|
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'
|
|
|
|
------------------------------------------------------------
|