User credentials are cached in memory on each node to avoid connecting to a
remote authentication service or hitting the disk for every incoming request.
You can configure characteristics of the user cache with the
cache.hash_algo realm settings.
PKI realms do not use the user cache.
The cached user credentials are hashed in memory. By default, X-Pack security uses a
sha-256 hash algorithm. You can use a different hashing algorithm by setting the
cache.hash_algo setting to any of the following:
Table 10. Cache hash algorithms
Uses a salted
Doesn’t hash the credentials and keeps them in clear text in
memory. CAUTION: keeping clear text is considered insecure
and can be compromised at the OS level (for example through
memory dumps and using
X-Pack security exposes a
Clear Cache API you can use
to force the eviction of cached users. For example, the following request evicts
all users from the
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache'
To clear the cache for multiple realms, specify the realms as a comma-separated list:
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1,ad2/_clear_cache'
You can also evict specific users:
$ curl -XPOST 'http://localhost:9200/_xpack/security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'
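The following is an added example, not X-Pack code: a simplified Python model of a realm user cache that keeps only salted SHA-256 digests in memory, showing why a stale entry keeps accepting an old password until the user is evicted. The UserCache class, the backend callable, the ttl value and the sample directory are all assumptions made for illustration.

```python
import hashlib, hmac, os, time

class UserCache:
    """Simplified model of a realm's user cache (illustrative, not X-Pack code)."""
    def __init__(self, backend, ttl=1200.0):
        self.backend = backend   # callable(user, password) -> bool: the remote check
        self.ttl = ttl           # assumed entry lifetime in seconds
        self.entries = {}        # user -> (salt, digest, expires_at); no clear text kept

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def authenticate(self, user, password):
        entry = self.entries.get(user)
        if entry and entry[2] > time.monotonic():
            salt, digest, _ = entry
            if hmac.compare_digest(digest, self._digest(salt, password)):
                return True      # cache hit: backend is not contacted
        # Miss, expiry or mismatch: the backend is authoritative.
        if not self.backend(user, password):
            self.entries.pop(user, None)
            return False
        salt = os.urandom(16)
        self.entries[user] = (salt, self._digest(salt, password),
                              time.monotonic() + self.ttl)
        return True

    def clear(self, usernames=None):
        """Evict every user, or only the named ones (cf. ?usernames=...)."""
        if usernames is None:
            self.entries.clear()
        for name in usernames or ():
            self.entries.pop(name, None)

def demo():
    directory = {"rdeniro": "old-pass"}      # constructed sample directory
    calls = []
    def backend(user, password):
        calls.append(user)
        return directory.get(user) == password
    cache = UserCache(backend)
    results = [cache.authenticate("rdeniro", "old-pass"),   # backend consulted
               cache.authenticate("rdeniro", "old-pass")]   # served from the cache
    directory["rdeniro"] = "new-pass"         # password changed at the source
    results.append(cache.authenticate("rdeniro", "old-pass"))  # stale entry accepts
    cache.clear(usernames=["rdeniro"])        # eviction forces re-authentication
    results.append(cache.authenticate("rdeniro", "old-pass"))  # backend rejects
    return results, len(calls)
```

In this model the third login succeeds with the old password because the cached digest is still valid; only after the targeted eviction does the request reach the backend and fail.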