Reload of FileUserPasswdStore does not invalidate lastSuccessfulAuthCache

[slobodanadamovic]

Reloading users and passwords in the file realm could potentially introduce new users or update existing.
This means that lastSuccessfulAuthCache may not be up to date anymore and would provide suboptimal order of authentication in RealmsAuthenticator. This is not a big problem since users still have a possibility to use clear cache API which would now clear lastSuccessfulAuthCache as well.

Suggestion: We could improve this by registering a listener which would invoke expireAll in AuthenticationService, when the file realm store gets updated.

Note: Compared to the native realm, we only need to clear the lastSuccessfulAuthCache on the local node.

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[ywangd]

We could improve this by registering a listener which would invoke expireAll in AuthenticationService, when the file realm store gets updated.

I think we should explore the possibility to expire individual users instead of expireAll. File realm is usually considered as under control of the infrastructure owner which is not necessary the end-users (e.g. ESS). As such, we would want to minimize the impact of infrastructure owner's operations on end-users.

[slobodanadamovic]

This is a good point. I think it should be possible to expire individual users. At the moment I don't see any reason why not.
We could allow both expireAll and expire individual users to be called and leave it to the implementor to chose which method makes more sense to be called.