diff --git a/source/administration/monitoring/bucket-notifications.rst b/source/administration/monitoring/bucket-notifications.rst index 7de206df..b7c29e3a 100644 --- a/source/administration/monitoring/bucket-notifications.rst +++ b/source/administration/monitoring/bucket-notifications.rst @@ -79,6 +79,32 @@ MinIO supports publishing event notifications to the following targets: See :ref:`minio-bucket-notifications-publish-webhook` for a tutorial. +Asynchronous vs Synchronous Bucket Notifications +------------------------------------------------ + +.. versionadded:: RELEASE.2023-06-23T20-26-00Z + + MinIO supports either asynchronous (default) or synchronous bucket notifications for *all* remote targets. + +With asynchronous delivery, MinIO fires the event at the configured remote and does *not* wait for a response before continuing to the next event. +Asynchronous bucket notification prioritizes sending events with the risk of some events being lost if the remote target has a transient issue during transit or processing. + +With synchronous delivery, MinIO fires the event at the configured remote and then waits for the remote to confirm a successful receipt before continuing to the next event. +Synchronous bucket notification prioritizes delivery of events with the risk of a slower event-send rate and queue fill. + +To enable synchronous bucket notifications for *all configured remote targets*, use either of the following settings: + +- Set the :envvar:`MINIO_API_SYNC_EVENTS` environment variable to ``on`` and restart the MinIO deployment. + +- Set the :mc-conf:`api.sync_events` configuration setting to ``on`` and restart the MinIO deployment. + +.. note:: + + MinIO maintains a per-remote queue of events (``10000`` by default) where it stores unsent and pending events. + + For asynchronous or synchronous bucket notifications, MinIO discards new events if the queue fills. + You can increase the queue size as necessary to better accommodate the rate of event send and processing of the MinIO deployment and remote target. + .. _minio-bucket-notifications-event-types: diff --git a/source/developers/transforms-with-object-lambda.rst b/source/developers/transforms-with-object-lambda.rst index bc0f4b4b..d84a4d2f 100644 --- a/source/developers/transforms-with-object-lambda.rst +++ b/source/developers/transforms-with-object-lambda.rst @@ -108,6 +108,17 @@ To enable MinIO to call the handler, register the handler function as a webhook Register an endpoint for a handler function. For multiple handlers, set this environment variable for each function endpoint. +MinIO also supports the following environment variables for authenticated webhook endpoints: + +:envvar:`MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN_functionanme ` + Specify the opaque string or JWT authorization token for authenticating to the webhook. + +:envvar:`MINIO_LAMBDA_WEBHOOK_CLIENT_CERT_functionname ` + Specify the client certificate to use for mTLS authentication to the webhook. + +:envvar:`MINIO_LAMBDA_WEBHOOK_CLIENT_KEY_functionname ` + Specify the private key to use for mTLS authentication to the webhook. + Restart MinIO to apply the changes. diff --git a/source/includes/common-mc-admin-config.rst b/source/includes/common-mc-admin-config.rst index cdaa2b18..926388a7 100644 --- a/source/includes/common-mc-admin-config.rst +++ b/source/includes/common-mc-admin-config.rst @@ -161,6 +161,10 @@ server/broker. Specify the password for the MQTT username with which MinIO authenticates to the MQTT server/broker. +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-notify-mqtt-password @@ -288,6 +292,10 @@ enforces authentication. The password for connecting to an Elasticsearch service endpoint which enforces authentication. +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-notify-elasticsearch-password .. start-minio-notify-elasticsearch-queue-limit @@ -430,6 +438,10 @@ supports the following values: Specify the password for the Redis server. +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-notify-redis-password @@ -495,12 +507,20 @@ Specify the username for connecting to the NATS service endpoint. Specify the passport for connecting to the NATS service endpoint. +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-notify-nats-password .. start-minio-notify-nats-token Specify the token for connecting to the NATS service endpoint. +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-notify-nats-token .. start-minio-notify-nats-tls @@ -837,6 +857,10 @@ to the Kafka broker(s). Specify the password for performing SASL/PLAIN or SASL/SCRAM authentication to the Kafka broker(s). +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-notify-kafka-sasl-password .. start-minio-notify-kafka-sasl-mechanism @@ -977,6 +1001,10 @@ Specify the URL for the webhook service. Specify the opaque string or JWT authorization token to use for authenticating to the webhook service. +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-notify-webhook-auth-token .. start-minio-notify-webhook-client-cert @@ -1280,3 +1308,13 @@ Defaults to ``"text/*, application/json, application/xml, binary/octet-stream"`` +-----------------+--------------------------+ .. end-minio-data-compression-default-desc + +.. start-minio-api-sync-events + +Enables synchronous :ref:`bucket notifications `. + +Specify ``on`` to direct MinIO to wait until the remote target returns success on receipt of an event before processing further events. + +Defaults to ``off``, or asynchronous bucket notifications where MinIO does not wait for the remote target to return success on receipt of an event. + +.. end-minio-api-sync-events diff --git a/source/includes/common-minio-external-auth.rst b/source/includes/common-minio-external-auth.rst index 6467aebd..3051d721 100644 --- a/source/includes/common-minio-external-auth.rst +++ b/source/includes/common-minio-external-auth.rst @@ -18,6 +18,10 @@ Specify the client secret MinIO uses when authenticating user credentials against the :abbr:`OIDC (OpenID Connect)` compatible provider. This field may be optional depending on the provider. +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-openid-client-secret .. start-minio-openid-jwks-url @@ -192,6 +196,10 @@ privileges to support querying performing user and group lookups. Specify the password for the :ref:`Lookup-Bind ` user account. +.. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + .. end-minio-ad-ldap-lookup-bind-password .. start-minio-ad-ldap-user-dn-search-base-dn diff --git a/source/reference/minio-mc-admin/mc-admin-config.rst b/source/reference/minio-mc-admin/mc-admin-config.rst index d32c4e4d..6b6aaab3 100644 --- a/source/reference/minio-mc-admin/mc-admin-config.rst +++ b/source/reference/minio-mc-admin/mc-admin-config.rst @@ -88,7 +88,7 @@ Configuration Settings The following configuration settings define runtime behavior of the MinIO :mc:`server ` process: -Root User Account +API Configuration ~~~~~~~~~~~~~~~~~ .. mc-conf:: api @@ -105,6 +105,13 @@ Root User Account To reset after an unintentional lock, set :envvar:`MINIO_API_ROOT_ACCESS` ``on`` to override this setting and temporarily re-enable the root account. You can then change this setting to ``on`` *or* make the necessary user/policy changes to ensure normal administrative access through other non-root accounts. + .. mc-conf:: sync_events + + .. include:: /includes/common-mc-admin-config.rst + :start-after: start-minio-api-sync-events + :end-before: end-minio-api-sync-events + + Corresponds with the :envvar:`MINIO_API_SYNC_EVENTS` environment variable. .. _minio-server-config-logging-logs: diff --git a/source/reference/minio-server/minio-server.rst b/source/reference/minio-server/minio-server.rst index 12b03d77..33c61add 100644 --- a/source/reference/minio-server/minio-server.rst +++ b/source/reference/minio-server/minio-server.rst @@ -1005,6 +1005,15 @@ These environment variables configure notification targets for use with - :ref:`minio-server-envvar-bucket-notification-kafka` - :ref:`minio-server-envvar-bucket-notification-webhook` +.. envvar:: MINIO_API_SYNC_EVENTS + :optional: + + .. include:: /includes/common-mc-admin-config.rst + :start-after: start-minio-api-sync-events + :end-before: end-minio-api-sync-events + + Corresponds with the :mc-conf:`~api.sync_events` configuration setting. + .. _minio-server-envvar-bucket-notification-amqp: AMQP Service for Bucket Notifications @@ -2629,7 +2638,26 @@ For example, the following command sets two distinct Object Lambda webhook endpo .. envvar:: MINIO_LAMBDA_WEBHOOK_ENDPOINT - The HTTP endpoint of the webhook for the handler function. + The HTTP endpoint of the lambda webhook for the handler function. + + +.. envvar:: MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN + + Specify the opaque string or JWT authorization token to use for authenticating to the lambda webhook service. + + .. versionchanged:: RELEASE.2023-06-23T20-26-00Z + + MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`. + + +.. envvar:: MINIO_LAMBDA_WEBHOOK_CLIENT_CERT + + Specify the path to the client certificate to use for performing mTLS authentication to the lambda webhook service. + +.. envvar:: MINIO_LAMBDA_WEBHOOK_CLIENT_KEY + + Specify the path to the private key to use for performing mTLS authentication to the lambda webhook service. + .. _minio-server-envvar-external-identity-management-ad-ldap: