Clear cache API

us3r · April 27, 2016, 6:42am

Hello

Based on the documentation we should use POST request on __shield/realm/NAME/_cache/clear to clear evicts users from the user cache.
However it looks like that this handler doesnt work anymore...

$ curl -u admin -XPOST http://127.0.0.1:9200/_shield/realm/ldap1/_cache/clear Enter host password for user 'admin': No handler found for uri [/_shield/realm/ldap1/_cache/clear] and method [POST]

Any advice?

michalterbert · April 27, 2016, 6:45am

Hello Mariusz,

I have the same issue like you.
Technical documentation of Shield sukcs

jaymode · April 27, 2016, 10:15am

Hi Mariusz,

Can you share the version of shield and elasticsearch that you are using? Also can you share your shield settings from the elasticsearch.yml file?

-Jay

us3r · April 27, 2016, 11:27am

Hi, we are using version 2.3.1

"version": {
"number": "2.3.1",
"build_hash": "bd980929010aef404e7cb0843e61d0665269fc39",
"build_timestamp": "2016-04-04T12:25:05Z",
"build_snapshot": false,
"lucene_version": "5.5.0"
}

And shield in the same version :

license 2.3.1 j  
shield  2.3.1 j

On each host.

Our current configuration (more or less) looks like that:

cluster.name: {{ cluster }}
node.name: ${HOSTNAME}-{{ item.0 }}
node.master: {{ item.3 }}
node.data: {{ item.4 }}
node.rack: ${HOSTNAME}
path.data: {{ item.1 }}
bootstrap.mlockall: 1
network.bind_host: ${HOSTNAME}
network.publish_host: ${HOSTNAME}
network.host: ${HOSTNAME}
http.port: {{ item.2 }}
discovery.zen.ping.unicast.hosts: {{ hosts }}
discovery.zen.minimum_master_nodes: 4
node.max_local_storage_nodes: 3
cluster.routing.allocation.awareness.attributes: rack
cluster.routing.allocation.same_shard.host: 1
processors: 13
index.merge.scheduler.max_thread_count: 1

shield.ssl.keystore.path: /etc/elasticsearch/node{{ item.0 }}/shield/node.jks
shield.ssl.keystore.password: OUR_SECRET_PASSWORD

shield:
authc:
realms:
ldap1:
type: ldap
hostname_verification: 0
order: 0
url: "ldaps://{{ ldap_server }}:636"
user_dn_templates:
- "uid={0}, ou=People, o=company"
{{ ldap_users }}
group_search:
base_dn: {{ ldap_group }}
files:
role_mapping: "/etc/elasticsearch/node{{ item.0 }}/shield/role_mapping.yml

michalterbert · April 27, 2016, 7:13pm

any update?

us3r · April 27, 2016, 7:46pm

no
I still do not know how to accelerate the propagation of the permissions changes. It looks like that you need to be really calm before you upgrade ELK to the newest version.

Maybe better is to wait a little before publish a new "stable" version... updating the whole infra every week is really painfull.

jaymode · April 28, 2016, 10:19am

@us3r @michalterbert thank you for bringing this to our attention. In the process of adding a new alias for this API, the prior one was inadvertently removed. As a workaround, you can use the following command:

curl -u admin -XPOST http://127.0.0.1:9200/_shield/realm/ldap1/_clear_cache

I'll ensure the documentation is updated and the pre-existing API is restored for the next release.