Status: Done
Assignee: Michael MacDonald
Reporter: Michael MacDonald
Priority: P3-Medium
Affects versions:
Fix versions:
Components:
Patch URL:
Story Points: 3
Created May 21, 2024 at 4:42 PM
Updated August 7, 2024 at 6:08 PM
Resolved July 7, 2024 at 10:31 PM
When a client process connects to a pool and container, it must present a credential that contains user and group principals for ACL evaluation on the server side. The credential is generated by daos_agent, which is considered a secure component of the DAOS control plane, rather than by the client process, in order to avoid credential forgery.
On systems with high client process counts (e.g. hundreds of client connections per minute), the agent may perform a significant amount of duplicated work by resolving local uid/gid values into ACL principals and then cryptographically signing a credential for each client connection. As a performance optimization, the agent should be able to cache the generated credential for a given uid:gid pair for some admin-defined lifetime.
By default the credential cache is disabled. With a conservative cache lifetime (e.g. 1 minute), the agent can cut the per-connection resolve-and-sign overhead on the client node while still picking up user/group database changes within that lifetime. The trade-off is bounded staleness: until a cached entry expires, a process whose group membership has been revoked keeps receiving a credential that carries the old group principals, so the lifetime is the upper bound on how out of date the principals the server evaluates can be.
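The mechanism above, as an added example and not the DAOS agent's own code: a per-uid:gid cache in front of a resolve-then-sign step, where a zero lifetime disables caching (the described default), a hit returns the stored credential without resolving or signing again, and an entry is served unchanged until it expires even if the user's groups changed in the meantime. The Credential struct, the Resolver function type, Ed25519 as the signature scheme and the length-prefixed signed message are all illustrative assumptions; the real agent's credential format, signing scheme and API differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sync"
	"time"
)

// Credential is a hypothetical stand-in for the agent-issued credential: the
// principals the server evaluates against the pool/container ACL, plus a
// signature so that a client process cannot forge them.
type Credential struct {
	User      string
	Groups    []string
	Signature []byte
}

// Resolver maps a uid/gid pair to principals (the agent would consult the
// local user/group database). Injected so the example can stub it.
type Resolver func(uid, gid uint32) (user string, groups []string, err error)

type cacheEntry struct {
	cred    *Credential
	expires time.Time
}

// CredentialCache memoizes signed credentials per "uid:gid" key for ttl.
// A zero ttl disables caching. Hypothetical type, not the agent's.
type CredentialCache struct {
	mu        sync.Mutex
	ttl       time.Duration
	now       func() time.Time // injectable clock for deterministic expiry
	resolve   Resolver
	signKey   ed25519.PrivateKey
	entries   map[string]cacheEntry
	generated int // how many credentials were actually resolved and signed
}

func NewCredentialCache(ttl time.Duration, resolve Resolver, key ed25519.PrivateKey, now func() time.Time) *CredentialCache {
	if now == nil {
		now = time.Now
	}
	return &CredentialCache{ttl: ttl, now: now, resolve: resolve, signKey: key, entries: map[string]cacheEntry{}}
}

// Get returns an unexpired cached credential for uid:gid if there is one;
// otherwise it resolves principals, signs, and (when caching is enabled)
// stores the result. The lock is held across signing, so misses are
// serialized; acceptable for an illustration.
func (c *CredentialCache) Get(uid, gid uint32) (*Credential, error) {
	key := fmt.Sprintf("%d:%d", uid, gid)
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.ttl > 0 {
		if e, ok := c.entries[key]; ok && c.now().Before(e.expires) {
			return e.cred, nil // hit: no resolve, no signature
		}
	}
	user, groups, err := c.resolve(uid, gid)
	if err != nil {
		return nil, err
	}
	cred := &Credential{User: user, Groups: groups}
	cred.Signature = ed25519.Sign(c.signKey, credentialMessage(user, groups))
	c.generated++
	if c.ttl > 0 {
		c.entries[key] = cacheEntry{cred: cred, expires: c.now().Add(c.ttl)}
	}
	return cred, nil
}

// Generated reports how many credentials were built from scratch.
func (c *CredentialCache) Generated() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.generated
}

// credentialMessage is the byte string that gets signed: length-prefixed
// fields, so ("ab","c") and ("a","bc") cannot produce the same message.
func credentialMessage(user string, groups []string) []byte {
	var msg []byte
	for _, f := range append([]string{user}, groups...) {
		msg = append(msg, fmt.Sprintf("%d:%s", len(f), f)...)
	}
	return msg
}

// Verify is the server-side check with the agent's public key.
func Verify(pub ed25519.PublicKey, cred *Credential) bool {
	return ed25519.Verify(pub, credentialMessage(cred.User, cred.Groups), cred.Signature)
}

// GenerateSigningKey makes a throwaway agent key pair for the example.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	groups := []string{"alice", "eng"} // constructed stand-in for the group database
	resolve := func(uid, gid uint32) (string, []string, error) {
		return "alice", append([]string(nil), groups...), nil
	}
	clock := time.Date(2024, 5, 21, 16, 42, 0, 0, time.UTC)
	c := NewCredentialCache(time.Minute, resolve, priv, func() time.Time { return clock })
	c.Get(1000, 1000)
	c.Get(1000, 1000)          // hit
	groups = []string{"alice"} // alice removed from "eng"
	clock = clock.Add(30 * time.Second)
	stale, _ := c.Get(1000, 1000) // within ttl: old groups still served
	clock = clock.Add(31 * time.Second)
	fresh, _ := c.Get(1000, 1000) // expired: regenerated with current groups
	fmt.Println(c.Generated(), stale.Groups, fresh.Groups, Verify(pub, fresh))
}
```

The injectable clock is what makes the staleness window testable: advance it past the lifetime and the next Get re-resolves, advance it less and the revoked group is still present in the credential the server would see.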