Briefly, this error occurs when Elasticsearch encounters an issue while invalidating the JSON Web Token (JWT) cache for a specific security realm. This could be due to a misconfiguration in the security realm or an issue with the JWT itself. To resolve this, you can try the following: 1) Verify the configuration of your security realm, 2) Check the validity of your JWT, 3) Ensure that the realm is properly connected to the JWT provider, and 4) Restart Elasticsearch to clear any potential cache issues.
This guide will help you check for common problems that cause the log ” Exception invalidating JWT cache for realm [” + name() + “] ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin, cache.
Overview
Elasticsearch uses three types of caches to improve the efficiency of operation.
- Node request cache
- Shard data cache
- Field data cache
How they work
Node request cache maintains the results of queries used in a filter context. The results are evicted on a least recently used basis.
Shard data cache maintains the results of frequently used queries where size=0, particularly the results of aggregations. This cache is particularly relevant for logging use cases where data is not updated on old indices, and regular aggregations can be kept in cache to be reused.
The field data cache is used for sorting and aggregations. To keep these operations quick Elasticsearch loads these values into memory.
Examples
Elasticsearch usually manages cache behind the scenes, without the need for any specific settings. However, it is possible to monitor and limit the amount of memory being used on each node for a given cache type by putting the following in elasticsearch.yml :
indices.queries.cache.size: 10% indices.fielddata.cache.size: 30%
Note, the above values are in fact the defaults, and there is no need to set them specifically. The default values are good for most use cases, and should rarely be modified.
You can monitor the use of caches on each node like this:
GET /_nodes/stats/indices/fielddata GET /_nodes/stats/indices/query_cache GET /_nodes/stats/indices/request_cache
Notes and good things to know
Construct your queries with reusable filters. There are certain parts of your query which are good candidates to be reused across a large number of queries, and you should design your queries with this in mind. Anything thing that does not need to be scored should go in the filter section of a bool query. For example, time ranges, language selectors, or clauses that exclude inactive documents are all likely to be excluded in a large number of queries, and should be included in filter parts of the query so that they can be cached and reused.
In particular, take care with time filters. “now-15m” cannot be reused, because “now” will continually change as the time window moves on. On the other hand “now-15/m” will round to the nearest minute, and can be re-used (via cache) for 60 seconds before rolling over to the next minute.
For example when a user enters the search term “brexit”, we may want to also filter on language and time period to return relevant articles. The query below leaves only the query term “brexit” in the “must” part of the query, because this is the only part which should affect the relevance score. The time filter and language filter can be reused time and time again for new queries for different searches.
POST results/_search
{
"query": {
"bool": {
"must": [
{
"match": {
"message": {
"query": "brexit"
}
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-10d/d"
}
}
},
{
"term": {
"lang.keyword": {
"value": "en",
"boost": 1
}
}
}
]
}
}
}Limit the use of field data. Be careful about using fielddata=true in your mapping where the number of terms will result in a high cardinality. If you must use fielddata=true, you can also reduce the requirement of fielddata cache by limiting the requirements for fielddata for a given index using a field data frequency filter.
POST results/_search
{
"query": {
"bool": {
"must": [
{
"match": {
"message": {
"query": "brexit"
}
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-10d/d"
}
}
},
{
"term": {
"lang.keyword": {
"value": "en",
"boost": 1
}
}
}
]
}
}
}Log Context
Log “Exception invalidating JWT cache for realm [” + name() + “]” classname is JwtRealm.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
jwtCache.invalidateAll();
}
logger.debug("Invalidated JWT cache for realm [{}]"; name());
} catch (Exception e) {
// TODO: We should let the error bubble up instead of swallowing it
logger.warn("Exception invalidating JWT cache for realm [" + name() + "]"; e);
}
}
}
private boolean isCacheEnabled() {
