Controlling the User Cacheedit
User credentials are cached in memory on each node to avoid connecting to a remote authentication
server or hitting the disk for every incoming request. You can configure characteristics of the
user cache with the cache.ttl, cache.max_users, and ``cache.hash_algo` realm settings.
PKI realms do not use the user cache.
The cached user credentials are hashed in memory. By default, Shield uses a salted sha-256
hash algorigthm. You can use a different algorithm by setting the cache-hash_algo setting
to any of the supported Cache hash algorithms.
Table 4. Cache hash algorithms
Algorithm |
Description |
|
Uses a salted |
|
Uses |
|
Uses |
|
Uses |
|
Uses |
|
Uses |
|
Uses |
|
Uses |
|
Uses |
|
Uses |
|
Uses |
|
Uses |
|
Doesn’t hash the credentials and keeps it in clear text in
memory. CAUTION: keeping clear text is considered insecure
and can be compromised at the OS level (for example through
memory dumps and using |
Evicting Users from the Cacheedit
Shield exposes an API to force the eviction of cached users. For example, the following request
evicts all users from the ad1 realm:
$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear'
To clear the cache for multiple realms, specify the realms as a comma-separated list:
$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1,ad2/_cache/clear'
You can also evict specific users:
$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear?usernames=rdeniro,alpacino'