mirror of https://github.com/minio/docs.git synced 2025-07-31 18:04:52 +03:00

DOCS-898: Synchronous Bucket Notifications, config API secret redaction (#960)

Closes #898 

- Adds a short section on synchronous vs asynchronous bucket
notifications
- Adds a note on specific configs which now return redacted data on `mc
admin config get`
- Found a few new webhook lambda envvars to add
Ravind Kumar
2023-08-21 11:19:20 -04:00
committed by GitHub
parent 9ea539b8ab
commit ac72345962
6 changed files with 120 additions and 2 deletions


@ -79,6 +79,32 @@ MinIO supports publishing event notifications to the following targets:
See :ref:`minio-bucket-notifications-publish-webhook` for a tutorial.
Asynchronous vs Synchronous Bucket Notifications
------------------------------------------------
.. versionadded:: RELEASE.2023-06-23T20-26-00Z
MinIO supports either asynchronous (default) or synchronous bucket notifications for *all* remote targets.
With asynchronous delivery, MinIO fires the event at the configured remote and does *not* wait for a response before continuing to the next event.
Asynchronous bucket notification prioritizes sending events with the risk of some events being lost if the remote target has a transient issue during transit or processing.
With synchronous delivery, MinIO fires the event at the configured remote and then waits for the remote to confirm a successful receipt before continuing to the next event.
Synchronous bucket notification prioritizes delivery of events with the risk of a slower event-send rate and queue fill.
To enable synchronous bucket notifications for *all configured remote targets*, use either of the following settings:
- Set the :envvar:`MINIO_API_SYNC_EVENTS` environment variable to ``on`` and restart the MinIO deployment.
- Set the :mc-conf:`api.sync_events` configuration setting to ``on`` and restart the MinIO deployment.
.. note::
MinIO maintains a per-remote queue of events (``10000`` by default) where it stores unsent and pending events.
For asynchronous or synchronous bucket notifications, MinIO discards new events if the queue fills.
You can increase the queue size as necessary to better accommodate the rate of event send and processing of the MinIO deployment and remote target.
.. _minio-bucket-notifications-event-types:
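
Review bot: The closing note says "You can increase the queue size as necessary" but never names the setting that controls it, so a reader who hits the ``10000`` limit has nothing to search for. Link the per-target queue limit settings here (the includes file already carries markers such as ``start-minio-notify-elasticsearch-queue-limit``). Separately, "Synchronous bucket notification prioritizes delivery of events" reads as a delivery guarantee next to "MinIO discards new events if the queue fills"; state outright that synchronous mode still drops events once the queue is full, since operators who feed these events into audit or alerting pipelines need to know that.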


@ -108,6 +108,17 @@ To enable MinIO to call the handler, register the handler function as a webhook
Register an endpoint for a handler function.
For multiple handlers, set this environment variable for each function endpoint.
MinIO also supports the following environment variables for authenticated webhook endpoints:
:envvar:`MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN_functionanme <MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN>`
Specify the opaque string or JWT authorization token for authenticating to the webhook.
:envvar:`MINIO_LAMBDA_WEBHOOK_CLIENT_CERT_functionname <MINIO_LAMBDA_WEBHOOK_CLIENT_CERT>`
Specify the client certificate to use for mTLS authentication to the webhook.
:envvar:`MINIO_LAMBDA_WEBHOOK_CLIENT_KEY_functionname <MINIO_LAMBDA_WEBHOOK_CLIENT_CERT>`
Specify the private key to use for mTLS authentication to the webhook.
Restart MinIO to apply the changes.
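
Review bot: Two reference problems in the added variable list. The first entry is spelled ``MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN_functionanme`` and should read ``_functionname`` like the other two. The third entry, ``MINIO_LAMBDA_WEBHOOK_CLIENT_KEY_functionname``, links to ``<MINIO_LAMBDA_WEBHOOK_CLIENT_CERT>``, so the rendered link for the private key lands on the certificate variable; point it at ``<MINIO_LAMBDA_WEBHOOK_CLIENT_KEY>``.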


@ -161,6 +161,10 @@ server/broker.
Specify the password for the MQTT username with which MinIO authenticates to the
MQTT server/broker.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-notify-mqtt-password
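
Review bot: This two-line ``versionchanged`` block is pasted verbatim here and again in each of the other credential hunks in this file (Elasticsearch, Redis, NATS password and token, Kafka SASL, webhook auth token). Move it into a single snippet and pull it in with ``.. include::`` and ``:start-after:`` / ``:end-before:``, as the ``sync_events`` text already does, so a later wording change cannot leave one credential out of step. The sentence also does not say what the redacted value looks like in the output; say so, since an operator who saves the output of ``mc admin config get`` needs to recognize that the field is not the real secret.
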
@ -288,6 +292,10 @@ enforces authentication.
The password for connecting to an Elasticsearch service endpoint which enforces
authentication.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-notify-elasticsearch-password
.. start-minio-notify-elasticsearch-queue-limit
@ -430,6 +438,10 @@ supports the following values:
Specify the password for the Redis server.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-notify-redis-password
@ -495,12 +507,20 @@ Specify the username for connecting to the NATS service endpoint.
Specify the passport for connecting to the NATS service endpoint.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-notify-nats-password
.. start-minio-notify-nats-token
Specify the token for connecting to the NATS service endpoint.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-notify-nats-token
.. start-minio-notify-nats-tls
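
Review bot: The context line directly above the first addition reads "Specify the passport for connecting to the NATS service endpoint." and should say "password". The hunk already edits this block between the same start/end markers, so correct the typo in the same change rather than leaving it beside the new redaction note.
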
@ -837,6 +857,10 @@ to the Kafka broker(s).
Specify the password for performing SASL/PLAIN or SASL/SCRAM authentication
to the Kafka broker(s).
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-notify-kafka-sasl-password
.. start-minio-notify-kafka-sasl-mechanism
@ -977,6 +1001,10 @@ Specify the URL for the webhook service.
Specify the opaque string or JWT authorization token to use for
authenticating to the webhook service.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-notify-webhook-auth-token
.. start-minio-notify-webhook-client-cert
@ -1280,3 +1308,13 @@ Defaults to ``"text/*, application/json, application/xml, binary/octet-stream"``
+-----------------+--------------------------+
.. end-minio-data-compression-default-desc
.. start-minio-api-sync-events
Enables synchronous :ref:`bucket notifications <minio-bucket-notifications>`.
Specify ``on`` to direct MinIO to wait until the remote target returns success on receipt of an event before processing further events.
Defaults to ``off``, or asynchronous bucket notifications where MinIO does not wait for the remote target to return success on receipt of an event.
.. end-minio-api-sync-events
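
Review bot: The included text between ``start-minio-api-sync-events`` and ``end-minio-api-sync-events`` omits the restart requirement. The bucket notifications section says to set the value to ``on`` "and restart the MinIO deployment", but this snippet is what renders under both the ``sync_events`` setting and the ``MINIO_API_SYNC_EVENTS`` variable, where a reader will not see that sentence. Add the restart requirement here so both reference entries carry it.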


@ -18,6 +18,10 @@ Specify the client secret MinIO uses when authenticating user credentials
against the :abbr:`OIDC (OpenID Connect)` compatible provider. This field
may be optional depending on the provider.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-openid-client-secret
.. start-minio-openid-jwks-url
@ -192,6 +196,10 @@ privileges to support querying performing user and group lookups.
Specify the password for the :ref:`Lookup-Bind
<minio-external-identity-management-ad-ldap-lookup-bind>` user account.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. end-minio-ad-ldap-lookup-bind-password
.. start-minio-ad-ldap-user-dn-search-base-dn


@ -88,7 +88,7 @@ Configuration Settings
The following configuration settings define runtime behavior of the
MinIO :mc:`server <minio server>` process:
Root User Account
API Configuration
~~~~~~~~~~~~~~~~~
.. mc-conf:: api
@ -105,6 +105,13 @@ Root User Account
To reset after an unintentional lock, set :envvar:`MINIO_API_ROOT_ACCESS` ``on`` to override this setting and temporarily re-enable the root account.
You can then change this setting to ``on`` *or* make the necessary user/policy changes to ensure normal administrative access through other non-root accounts.
.. mc-conf:: sync_events
.. include:: /includes/common-mc-admin-config.rst
:start-after: start-minio-api-sync-events
:end-before: end-minio-api-sync-events
Corresponds with the :envvar:`MINIO_API_SYNC_EVENTS` environment variable.
.. _minio-server-config-logging-logs:


@ -1005,6 +1005,15 @@ These environment variables configure notification targets for use with
- :ref:`minio-server-envvar-bucket-notification-kafka`
- :ref:`minio-server-envvar-bucket-notification-webhook`
.. envvar:: MINIO_API_SYNC_EVENTS
:optional:
.. include:: /includes/common-mc-admin-config.rst
:start-after: start-minio-api-sync-events
:end-before: end-minio-api-sync-events
Corresponds with the :mc-conf:`~api.sync_events` configuration setting.
.. _minio-server-envvar-bucket-notification-amqp:
AMQP Service for Bucket Notifications
@ -2629,7 +2638,26 @@ For example, the following command sets two distinct Object Lambda webhook endpo
.. envvar:: MINIO_LAMBDA_WEBHOOK_ENDPOINT
The HTTP endpoint of the webhook for the handler function.
The HTTP endpoint of the lambda webhook for the handler function.
.. envvar:: MINIO_LAMBDA_WEBHOOK_AUTH_TOKEN
Specify the opaque string or JWT authorization token to use for authenticating to the lambda webhook service.
.. versionchanged:: RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of :mc-cmd:`mc admin config get`.
.. envvar:: MINIO_LAMBDA_WEBHOOK_CLIENT_CERT
Specify the path to the client certificate to use for performing mTLS authentication to the lambda webhook service.
.. envvar:: MINIO_LAMBDA_WEBHOOK_CLIENT_KEY
Specify the path to the private key to use for performing mTLS authentication to the lambda webhook service.
.. _minio-server-envvar-external-identity-management-ad-ldap:
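
Review bot: The descriptions of ``MINIO_LAMBDA_WEBHOOK_CLIENT_CERT`` and ``MINIO_LAMBDA_WEBHOOK_CLIENT_KEY`` here say "Specify the path to the client certificate" and "Specify the path to the private key", while the Object Lambda page in this same commit says "Specify the client certificate" and "Specify the private key" for the same variables. Make the two agree, and keep the "path to" wording if that is the actual behavior, because the other wording invites pasting key material into the environment variable itself.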