[[controlling-user-cache]] === Controlling the User Cache User credentials are cached in memory on each node to avoid connecting to a remote authentication service or hitting the disk for every incoming request. You can configure characteristics of the user cache with the `cache.ttl`, `cache.max_users`, and `cache.hash_algo` realm settings. NOTE: PKI realms do not cache user credentials but do cache the resolved user object to avoid unnecessarily needing to perform role mapping on each request. The cached user credentials are hashed in memory. By default, {security} uses a salted `sha-256` hash algorithm. You can use a different hashing algorithm by setting the `cache_hash_algo` setting to any of the following: [[cache-hash-algo]] .Cache hash algorithms |======================= | Algorithm | | | Description | `ssha256` | | | Uses a salted `sha-256` algorithm (default). | `md5` | | | Uses `MD5` algorithm. | `sha1` | | | Uses `SHA1` algorithm. | `bcrypt` | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds. | `bcrypt4` | | | Uses `bcrypt` algorithm with salt generated in 16 rounds. | `bcrypt5` | | | Uses `bcrypt` algorithm with salt generated in 32 rounds. | `bcrypt6` | | | Uses `bcrypt` algorithm with salt generated in 64 rounds. | `bcrypt7` | | | Uses `bcrypt` algorithm with salt generated in 128 rounds. | `bcrypt8` | | | Uses `bcrypt` algorithm with salt generated in 256 rounds. | `bcrypt9` | | | Uses `bcrypt` algorithm with salt generated in 512 rounds. | `noop`,`clear_text` | | | Doesn't hash the credentials and keeps it in clear text in memory. CAUTION: keeping clear text is considered insecure and can be compromised at the OS level (for example through memory dumps and using `ptrace`). |======================= [[cache-eviction-api]] ==== Evicting Users from the Cache {security} exposes a {ref}/security-api-clear-cache.html[Clear Cache API] you can use to force the eviction of cached users. For example, the following request evicts all users from the `ad1` realm: [source, js] ------------------------------------------------------------ $ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache' ------------------------------------------------------------ To clear the cache for multiple realms, specify the realms as a comma-separated list: [source, js] ------------------------------------------------------------ $ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache' ------------------------------------------------------------ You can also evict specific users: [source, java] ------------------------------------------------------------ $ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino' ------------------------------------------------------------