Controlling the User Cache

edit

User credentials are cached in memory on each node to avoid connecting to a remote authentication service or hitting the disk for every incoming request. You can configure characteristics of the user cache with the cache.ttl, cache.max_users, and cache.hash_algo realm settings.

PKI realms do not use the user cache.

The cached user credentials are hashed in memory. By default, X-Pack security uses a salted sha-256 hash algorithm. You can use a different hashing algorithm by setting the cache_hash_algo setting to any of the following:

Table 10. Cache hash algorithms

Algorithm

Description

ssha256

Uses a salted sha-256 algorithm (default).

md5

Uses MD5 algorithm.

sha1

Uses SHA1 algorithm.

bcrypt

Uses bcrypt algorithm with salt generated in 10 rounds.

bcrypt4

Uses bcrypt algorithm with salt generated in 4 rounds.

bcrypt5

Uses bcrypt algorithm with salt generated in 5 rounds.

bcrypt6

Uses bcrypt algorithm with salt generated in 6 rounds.

bcrypt7

Uses bcrypt algorithm with salt generated in 7 rounds.

bcrypt8

Uses bcrypt algorithm with salt generated in 8 rounds.

bcrypt9

Uses bcrypt algorithm with salt generated in 9 rounds.

noop,clear_text

Doesn’t hash the credentials and keeps it in clear text in memory. CAUTION: keeping clear text is considered insecure and can be compromised at the OS level (for example through memory dumps and using ptrace).

Evicting Users from the Cache

edit

X-Pack security exposes a Clear Cache API you can use to force the eviction of cached users. For example, the following request evicts all users from the ad1 realm:

$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache'

To clear the cache for multiple realms, specify the realms as a comma-separated list:

$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache'

You can also evict specific users:

$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'