Controlling the user cache
editControlling the user cache
editUser credentials are cached in memory on each node to avoid connecting to a
remote authentication service or hitting the disk for every incoming request.
You can configure characteristics of the user cache with the cache.ttl,
cache.max_users, and cache.hash_algo realm settings.
PKI realms do not cache user credentials but do cache the resolved user object to avoid unnecessarily needing to perform role mapping on each request.
The cached user credentials are hashed in memory. By default, X-Pack security uses a
salted sha-256 hash algorithm. You can use a different hashing algorithm by
setting the cache_hash_algo setting to any of the following:
Table 37. Cache hash algorithms
Algorithm |
Description |
||
|
Uses a salted |
||
|
Uses |
||
|
Uses |
||
|
Uses |
||
|
Uses |
||
|
Uses |
||
|
Uses |
||
|
Uses |
||
|
Uses |
||
|
Uses |
||
|
Doesn’t hash the credentials and keeps it in clear text in
memory. CAUTION: keeping clear text is considered insecure
and can be compromised at the OS level (for example through
memory dumps and using |
Evicting users from the cache
editX-Pack security exposes a
Clear Cache API you can use
to force the eviction of cached users. For example, the following request evicts
all users from the ad1 realm:
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache'
To clear the cache for multiple realms, specify the realms as a comma-separated list:
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache'
You can also evict specific users:
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'