Controlling the User Cache

User credentials are cached in memory on each node so that Shield does not have to connect to a remote authentication server, or hit the disk, for every incoming request. You configure the cache per realm with the cache.ttl, cache.max_users, and cache.hash_algo realm settings.

PKI realms do not use the user cache.

The cached user credentials are hashed in memory. By default, Shield uses a salted SHA-256 hash algorithm. You can use a different algorithm by setting the cache.hash_algo realm setting to any of the supported cache hash algorithms:

Table 4. Cache hash algorithms

Algorithm         Description
ssha256           Uses a salted SHA-256 algorithm (default).
md5               Uses the MD5 algorithm.
sha1              Uses the SHA-1 algorithm.
bcrypt            Uses the bcrypt algorithm with a cost factor (log rounds) of 10.
bcrypt4           Uses the bcrypt algorithm with a cost factor (log rounds) of 4.
bcrypt5           Uses the bcrypt algorithm with a cost factor (log rounds) of 5.
bcrypt6           Uses the bcrypt algorithm with a cost factor (log rounds) of 6.
bcrypt7           Uses the bcrypt algorithm with a cost factor (log rounds) of 7.
bcrypt8           Uses the bcrypt algorithm with a cost factor (log rounds) of 8.
bcrypt9           Uses the bcrypt algorithm with a cost factor (log rounds) of 9.
noop, clear_text  Doesn't hash the credentials and keeps them in clear text in memory. CAUTION: keeping clear text is considered insecure; the credentials can be recovered at the OS level (for example through memory dumps or by using ptrace).
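The following elasticsearch.yml fragment is an added example (not taken from the Shield documentation) that puts the weak cache settings beside a corrected realm definition. The realm names, domain name and order values are assumptions chosen for illustration; in a real configuration you would keep only one of the two realms.

```yaml
# Added example, not part of the Shield documentation.
# Realm names, domain_name and order are assumptions for illustration.
shield:
  authc:
    realms:

      # WEAK: credentials are cached as clear text and kept for a day.
      # Anyone who can read the node's JVM memory (core dump, ptrace)
      # recovers the passwords of every recently active user.
      ad_weak:
        type: active_directory
        order: 0
        domain_name: example.com
        cache.hash_algo: noop          # identical to clear_text
        cache.ttl: 24h
        cache.max_users: 100000

      # CORRECTED: salted, slow hash and a short lifetime, so entries for
      # disabled users or changed passwords age out quickly even if the
      # Clear Cache API is never called.
      ad1:
        type: active_directory
        order: 1
        domain_name: example.com
        cache.hash_algo: bcrypt        # cost factor 10; bcrypt4..bcrypt9 are cheaper
        cache.ttl: 20m                 # Shield default
        cache.max_users: 100000        # Shield default
```

Because the password supplied with each request is checked against the cached hash, the hash cost is paid on every authenticated request, not only at login; that is why the cheaper bcrypt4 to bcrypt9 variants exist. Pick the highest cost the node's request rate tolerates rather than falling back to md5, sha1 or noop.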

Evicting Users from the Cache

Shield exposes a Clear Cache API that you can use to force the eviction of cached users, for example after a password change or after an account is disabled at the authentication server: until a cached entry expires (cache.ttl) or is evicted, requests presenting the cached credentials are still accepted. The following request evicts all users from the ad1 realm:

$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear'

To clear the cache for multiple realms, specify the realms as a comma-separated list:

$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1,ad2/_cache/clear'

You can also evict specific users:

$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear?usernames=rdeniro,alpacino'