Controlling the User Cache


User credentials are cached in memory on each node so that a realm does not have to contact a remote authentication server, or read from disk, for every incoming request. You can configure the cache with the cache.ttl, cache.max_users, and cache.hash_algo realm settings.

PKI realms do not use the user cache.

The cached user credentials are hashed in memory. By default, Shield uses a salted SHA-256 hash (ssha256). You can use a different algorithm by setting cache.hash_algo to any of the supported cache hash algorithms listed in Table 4. Note that md5 and sha1 are fast hashes that are no longer considered suitable for protecting passwords: if an attacker obtains a memory dump of the node, such values are far cheaper to brute-force than ssha256 or one of the bcrypt variants.

Table 4. Cache hash algorithms

Algorithm          Description
ssha256            Uses a salted SHA-256 algorithm (default).
md5                Uses the MD5 algorithm.
sha1               Uses the SHA-1 algorithm.
bcrypt             Uses the bcrypt algorithm with a cost factor (log rounds) of 10.
bcrypt4            Uses the bcrypt algorithm with a cost factor (log rounds) of 4.
bcrypt5            Uses the bcrypt algorithm with a cost factor (log rounds) of 5.
bcrypt6            Uses the bcrypt algorithm with a cost factor (log rounds) of 6.
bcrypt7            Uses the bcrypt algorithm with a cost factor (log rounds) of 7.
bcrypt8            Uses the bcrypt algorithm with a cost factor (log rounds) of 8.
bcrypt9            Uses the bcrypt algorithm with a cost factor (log rounds) of 9.
sha2               Uses the SHA-2 (SHA-256) algorithm.
apr1               Uses the apr1 algorithm (MD5 crypt).
noop, clear_text   Does not hash the credentials; keeps them in clear text in memory. CAUTION: keeping clear text is considered insecure, because the credentials can be recovered at the OS level (for example through memory dumps or ptrace).
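The following elasticsearch.yml fragment is an added example of the three cache settings on a realm, not configuration taken from the Shield documentation. The realm name ad1, the domain name, the URL and the ttl/max_users values are placeholders chosen for illustration; the commented-out noop line shows the setting to avoid.

```yaml
# Added example (not from the Shield docs): realm cache settings in elasticsearch.yml.
# "ad1", example.com, the ldaps URL and the numeric values are placeholders.
shield:
  authc:
    realms:
      ad1:
        type: active_directory
        order: 0
        domain_name: example.com
        url: ldaps://dc.example.com:636
        cache:
          ttl: 20m            # cached entries expire 20 minutes after being added
          max_users: 10000    # upper bound on cached entries per node
          hash_algo: bcrypt   # cost factor 10; the default (ssha256) is also acceptable
          # hash_algo: noop   # DO NOT USE: leaves credentials in clear text in process memory
```

Lowering the cost (bcrypt4 .. bcrypt9) speeds up cache lookups at the price of cheaper offline cracking of a memory dump; keep the default unless authentication latency is measured to be a problem.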

Evicting Users from the Cache


Shield exposes an API to force the eviction of cached users. For example, the following request evicts all users from the ad1 realm:

$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear'

To clear the cache for multiple realms, specify the realms as a comma-separated list:

$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1,ad2/_cache/clear'

You can also evict specific users:

$ curl -XPOST 'http://localhost:9200/_shield/realm/ad1/_cache/clear?usernames=rdeniro,alpacino'
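The requests above are the raw API calls. The script below is an added example, not part of the Shield documentation, that wraps the same clear-cache endpoint for use from an operator's shell. It assumes the node address in ES_URL and, since a cluster with Shield installed rejects unauthenticated requests, credentials in ES_USER and ES_PASS for a user permitted to call this API; all three names are assumptions of this example. The URL builder is separated from the network call so that the realm and username handling can be checked without a running cluster.

```bash
#!/bin/sh
# Added example (not from the Shield docs): wrapper around
# POST /_shield/realm/<realms>/_cache/clear[?usernames=<users>]
# ES_URL, ES_USER and ES_PASS are assumed environment variables.

# Build the clear-cache URL for a comma-separated realm list and an
# optional comma-separated username list. Pure string work, no network.
shield_clear_cache_url() {
    base="$1"; realms="$2"; users="${3:-}"
    url="${base}/_shield/realm/${realms}/_cache/clear"
    if [ -n "$users" ]; then
        # Usernames are passed verbatim; URL-encode them first if they
        # contain characters outside [A-Za-z0-9._-].
        url="${url}?usernames=${users}"
    fi
    printf '%s\n' "$url"
}

# Send the request. -f makes curl exit non-zero on HTTP 4xx/5xx, so a
# mistyped realm name (404) or missing privileges (403) fails loudly
# instead of silently leaving stale entries in the cache.
shield_clear_cache() {
    realms="$1"; users="${2:-}"
    url=$(shield_clear_cache_url "${ES_URL:-http://localhost:9200}" "$realms" "$users")
    curl -sS -f -XPOST -u "${ES_USER}:${ES_PASS}" "$url"
}

# Example invocations (require a reachable node):
#   shield_clear_cache ad1
#   shield_clear_cache ad1,ad2
#   shield_clear_cache ad1 rdeniro,alpacino
```

Evicting a user is the right response when that user's password has been changed or the account disabled at the directory: until the entry expires (cache.ttl) or is cleared, the node keeps accepting the old credentials.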