mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-24 23:27:25 -04:00
255c9a7f95
**Problem:** For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`. **Solution:** - Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory - Update doc snippet tests to use security Rel: https://github.com/elastic/platform-docs-team/issues/208
45 lines
1.8 KiB
Text
45 lines
1.8 KiB
Text
[role="xpack"]
|
|
[[controlling-user-cache]]
|
|
=== Controlling the user cache
|
|
|
|
User credentials are cached in memory on each node to avoid connecting to a
|
|
remote authentication service or hitting the disk for every incoming request.
|
|
You can configure characteristics of the user cache with the `cache.ttl`,
|
|
`cache.max_users`, and `cache.hash_algo` realm settings.
|
|
|
|
NOTE: JWT realms use `jwt.cache.ttl` and `jwt.cache.size` realm settings.
|
|
|
|
NOTE: PKI and JWT realms do not cache user credentials, but do cache the resolved user
|
|
object to avoid unnecessarily needing to perform role mapping on each request.
|
|
|
|
The cached user credentials are hashed in memory. By default, the {es}
|
|
{security-features} use a salted `sha-256` hash algorithm. You can use a
|
|
different hashing algorithm by setting the `cache.hash_algo` realm settings. See
|
|
<<hashing-settings>>.
|
|
|
|
[[cache-eviction-api]]
|
|
==== Evicting users from the cache
|
|
|
|
You can use the <<security-api-clear-cache,clear cache API>> to force
|
|
the eviction of cached users . For example, the following request evicts all
|
|
users from the `ad1` realm:
|
|
|
|
[source,js]
|
|
------------------------------------------------------------
|
|
$ curl -XPOST 'http://localhost:9200/_security/realm/ad1/_clear_cache'
|
|
------------------------------------------------------------
|
|
|
|
To clear the cache for multiple realms, specify the realms as a comma-separated
|
|
list:
|
|
|
|
[source,js]
|
|
------------------------------------------------------------
|
|
$ curl -XPOST 'http://localhost:9200/_security/realm/ad1,ad2/_clear_cache'
|
|
------------------------------------------------------------
|
|
|
|
You can also evict specific users:
|
|
|
|
[source, java]
|
|
------------------------------------------------------------
|
|
$ curl -XPOST 'http://localhost:9200/_security/realm/ad1/_clear_cache?usernames=rdeniro,alpacino'
|
|
------------------------------------------------------------
|