[DOCS] Adds hash algorithms to security settings

lcawl · lcawl · commit 74048ffba783 · 2018-08-16T10:41:10.000-07:00
diff --git a/docs/reference/settings/security-hash-settings.asciidoc b/docs/reference/settings/security-hash-settings.asciidoc
@@ -0,0 +1,83 @@
+[float]
+[[hashing-settings]]
+==== User cache and password hash algorithms
+
+Certain realms store user credentials in memory. To limit exposure 
+to credential theft and mitigate credential compromise, cached user credentials 
+are hashed in memory. By default, the user cache is hashed with a salted 
+`sha-256` hash algorithm. You can use a different hashing algorithm by setting 
+the `cache.hash_algo` realm settings to any of the following values:
+
+[[cache-hash-algo]]
+.Cache hash algorithms
+|=======================
+| Algorithm           | | | Description
+| `ssha256`           | | | Uses a salted `sha-256` algorithm (default).
+| `md5`               | | | Uses `MD5` algorithm.
+| `sha1`              | | | Uses `SHA1` algorithm.
+| `bcrypt`            | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
+| `bcrypt4`           | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
+| `bcrypt5`           | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
+| `bcrypt6`           | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
+| `bcrypt7`           | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
+| `bcrypt8`           | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
+| `bcrypt9`           | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
+| `pbkdf2`            | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 10000 iterations.
+| `pbkdf2_1000`       | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 1000 iterations.
+| `pbkdf2_10000`      | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 10000 iterations.
+| `pbkdf2_50000`      | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 50000 iterations.
+| `pbkdf2_100000`     | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 100000 iterations.
+| `pbkdf2_500000`     | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                              pseudorandom function using 500000 iterations.
+| `pbkdf2_1000000`    | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 1000000 iterations.
+| `noop`,`clear_text` | | | Doesn't hash the credentials and keeps it in clear text in
+                            memory. CAUTION: keeping clear text is considered insecure
+                            and can be compromised at the OS level (for example through
+                            memory dumps and using `ptrace`).
+|=======================
+
+Likewise, realms that store passwords hash them using cryptographically strong 
+and password-specific salt values. You can configure the algorithm for password 
+hashing by setting the `xpack.security.authc.password_hashing.algorithm` setting 
+to one of the following:
+
+[[password-hashing-algorithms]]
+.Password hashing algorithms
+|=======================
+| Algorithm           | | | Description
+
+| `bcrypt`            | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds. (default)
+| `bcrypt4`           | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
+| `bcrypt5`           | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
+| `bcrypt6`           | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
+| `bcrypt7`           | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
+| `bcrypt8`           | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
+| `bcrypt9`           | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
+| `bcrypt10`          | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
+| `bcrypt11`          | | | Uses `bcrypt` algorithm with salt generated in 2048 rounds.
+| `bcrypt12`          | | | Uses `bcrypt` algorithm with salt generated in 4096 rounds.
+| `bcrypt13`          | | | Uses `bcrypt` algorithm with salt generated in 8192 rounds.
+| `bcrypt14`          | | | Uses `bcrypt` algorithm with salt generated in 16384 rounds.
+| `pbkdf2`            | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 10000 iterations.
+| `pbkdf2_1000`       | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 1000 iterations.
+| `pbkdf2_10000`      | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 10000 iterations.
+| `pbkdf2_50000`      | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 50000 iterations.
+| `pbkdf2_100000`     | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 100000 iterations.
+| `pbkdf2_500000`     | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                              pseudorandom function using 500000 iterations.
+| `pbkdf2_1000000`    | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
+                             pseudorandom function using 1000000 iterations.
+|=======================
+
+
diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc
@@ -55,8 +55,8 @@ In `elasticsearch.yml`, set this to `false` to disable support for the default "
 [[password-hashing-settings]]
 ==== Password hashing settings
 `xpack.security.authc.password_hashing.algorithm`::
-Specifies the hashing algorithm that is used for secure user credential storage
-(see {xpack-ref}/password-hashing.html#password-hashing-algorithms[Password hashing algorithms] table for all possible values). Defaults to `bcrypt`.
+Specifies the hashing algorithm that is used for secure user credential storage. 
+See <<password-hashing-algorithms>>. Defaults to `bcrypt`.
 
 [float]
 [[anonymous-access-settings]]
@@ -170,9 +170,8 @@ the standard {es} <<time-units,time units>>. Defaults to `20m`.
 cache at any given time. Defaults to 100,000.
 
 `cache.hash_algo`:: (Expert Setting) The hashing algorithm that is used for the 
-in-memory cached user credentials. For possible values, see 
-{xpack-ref}/controlling-user-cache.html[Cache hash algorithms]. Defaults to 
-`ssha256`.
+in-memory cached user credentials. For possible values, see <<cache-hash-algo>>. 
+Defaults to `ssha256`.
 
 
 [[ref-users-settings]]
@@ -196,8 +195,7 @@ Defaults to 100,000.
 
 `cache.hash_algo`::
 (Expert Setting) The hashing algorithm that is used for the in-memory cached
-user credentials. See the {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for
-all possible values. Defaults to `ssha256`.
+user credentials. See <<cache-hash-algo>>. Defaults to `ssha256`.
 
 [[ref-ldap-settings]]
 [float]
@@ -450,8 +448,7 @@ Defaults to `100000`.
 
 `cache.hash_algo`::
 (Expert Setting) Specifies the hashing algorithm that is used for the
-in-memory cached user credentials. See {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms]
-table for all possible values. Defaults to `ssha256`.
+in-memory cached user credentials. See <<cache-hash-algo>>. Defaults to `ssha256`.
 
 [[ref-ad-settings]]
 [float]
@@ -690,7 +687,7 @@ Defaults to `100000`.
 
 `cache.hash_algo`::
 (Expert Setting) Specifies the hashing algorithm that is used for
-the in-memory cached user credentials (see {xpack-ref}/controlling-user-cache.html#controlling-user-cache[Cache hash algorithms] table for all possible values). Defaults to `ssha256`.
+the in-memory cached user credentials. See <<cache-hash-algo>>. Defaults to `ssha256`.
 
 `follow_referrals`::
 If set to `true` {security} follows referrals returned by the LDAP server. 
@@ -1314,3 +1311,5 @@ List of IP addresses to allow for this profile.
 
 `transport.profiles.$PROFILE.xpack.security.filter.deny`::
 List of IP addresses to deny for this profile.
+
+include::security-hash-settings.asciidoc[]
