OpenSearch/x-pack/docs/en/security/authentication/user-cache.asciidoc

45 lines
1.8 KiB
Plaintext

[role="xpack"]
[[controlling-user-cache]]
=== Controlling the user cache
User credentials are cached in memory on each node to avoid connecting to a
remote authentication service or hitting the disk for every incoming request.
You can configure characteristics of the user cache with the `cache.ttl`,
`cache.max_users`, and `cache.hash_algo` realm settings.
NOTE: PKI realms do not cache user credentials but do cache the resolved user
object to avoid unnecessarily needing to perform role mapping on each request.
The cached user credentials are hashed in memory. By default, {security} uses a
salted `sha-256` hash algorithm. You can use a different hashing algorithm by
setting the `cache.hash_algo` realm settings. See
{ref}/security-settings.html#hashing-settings[User cache and password hash algorithms].
[[cache-eviction-api]]
==== Evicting users from the cache
{security} exposes a
{ref}/security-api-clear-cache.html[Clear Cache API] you can use
to force the eviction of cached users. For example, the following request evicts
all users from the `ad1` realm:
[source, js]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache'
------------------------------------------------------------
To clear the cache for multiple realms, specify the realms as a comma-separated
list:
[source, js]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache'
------------------------------------------------------------
You can also evict specific users:
[source, java]
------------------------------------------------------------
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'
------------------------------------------------------------