[[controlling-user-cache]] === Controlling the User Cache User credentials are cached in memory on each node to avoid connecting to a remote authentication server or hitting the disk for every incoming request. You can configure characteristics of the user cache with the `cache.ttl`, `cache.max_users`, and ``cache.hash_algo` realm settings. NOTE: PKI realms do not use the user cache. The cached user credentials are hashed in memory. By default, Shield uses a salted `sha-256` hash algorigthm. You can use a different algorithm by setting the `cache-hash_algo` setting to any of the supported <>. [[cache-hash-algo]] .Cache hash algorithms |======================= | Algorithm | Description | `ssha256` | Uses a salted `sha-256` algorithm (default). | `md5` | Uses `MD5` algorithm. | `sha1` | Uses `SHA1` algorithm. | `bcrypt` | Uses `bcrypt` algorithm with salt generated in 10 rounds. | `bcrypt4` | Uses `bcrypt` algorithm with salt generated in 4 rounds. | `bcrypt5` | Uses `bcrypt` algorithm with salt generated in 5 rounds. | `bcrypt6` | Uses `bcrypt` algorithm with salt generated in 6 rounds. | `bcrypt7` | Uses `bcrypt` algorithm with salt generated in 7 rounds. | `bcrypt8` | Uses `bcrypt` algorithm with salt generated in 8 rounds. | `bcrypt9` | Uses `bcrypt` algorithm with salt generated in 9 rounds. | `sha2` | Uses `SHA2` algorithm. | `apr1` | Uses `apr1` algorithm (md5 crypt). | `noop`,`clear_text` | Doesn't hash the credentials and keeps it in clear text in memory. CAUTION: keeping clear text is considered insecure and can be compromised at the OS level (for example through memory dumps and using `ptrace`). |======================= [float] ==== Evicting Users from the Cache Shield exposes an API to force the eviction of cached users. For example, the following request evicts all users from the `ad1` realm: [source, java] ------------------------------------------------------------ $ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear' ------------------------------------------------------------ To clear the cache for multiple realms, specify the realms as a comma-separated list: [source, java] ------------------------------------------------------------ $ curl -XPOST 'http://localhost:9200/_shield/realm/ad1,ad2/_cache/clear' ------------------------------------------------------------ You can also evict specific users: [source, java] ------------------------------------------------------------ $ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear?usernames=rdeniro,alpacino' ------------------------------------------------------------