OpenSearch/shield/docs/public/setting-up-authentication/controlling-user-cache.asciidoc

[[controlling-user-cache]]
=== Controlling the User Cache

User credentials are cached in memory on each node to avoid connecting to a remote authentication 
server or hitting the disk for every incoming request. You can configure characteristics of the 
user cache with the `cache.ttl`, `cache.max_users`, and ``cache.hash_algo` realm settings.

NOTE: PKI realms do not use the user cache.

The cached user credentials are hashed in memory. By default, Shield uses a salted `sha-256` 
hash algorigthm. You can use a different algorithm by setting the `cache-hash_algo` setting
to  any of the supported <<cache-hash-algo, Cache hash algorithms>>.

[[cache-hash-algo]]
.Cache hash algorithms
|=======================
| Algorithm                       | Description
| `ssha256`                       | Uses a salted `sha-256` algorithm (default).
| `md5`                           | Uses `MD5` algorithm.
| `sha1`                          | Uses `SHA1` algorithm.
| `bcrypt`                        | Uses `bcrypt` algorithm with salt generated in 10 rounds.
| `bcrypt4`                       | Uses `bcrypt` algorithm with salt generated in 4 rounds.
| `bcrypt5`                       | Uses `bcrypt` algorithm with salt generated in 5 rounds.
| `bcrypt6`                       | Uses `bcrypt` algorithm with salt generated in 6 rounds.
| `bcrypt7`                       | Uses `bcrypt` algorithm with salt generated in 7 rounds.
| `bcrypt8`                       | Uses `bcrypt` algorithm with salt generated in 8 rounds.
| `bcrypt9`                       | Uses `bcrypt` algorithm with salt generated in 9 rounds.
| `sha2`                          | Uses `SHA2` algorithm.
| `apr1`                          | Uses `apr1` algorithm (md5 crypt).
| `noop`,`clear_text`             | Doesn't hash the credentials and keeps it in clear text in 
                                    memory. CAUTION: keeping clear text is considered insecure 
                                    and can be compromised at the OS level (for example through 
                                    memory dumps and using `ptrace`).
|=======================

[float]
==== Evicting Users from the Cache

Shield exposes an API to force the eviction of cached users. For example, the following request
evicts all users from the `ad1` realm:

[source, java]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear'
------------------------------------------------------------

To clear the cache for multiple realms, specify the realms as a comma-separated list:

[source, java]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1,ad2/_cache/clear'
------------------------------------------------------------

You can also evict specific users:

[source, java]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear?usernames=rdeniro,alpacino'
------------------------------------------------------------