MinIO AIStor implements Transport Layer Security (TLS) 1.2+ encryption with support for Server Name Indication (SNI) for selecting relevant TLS certificates in response to client requests. You must set up TLS before you can enable data encryption, also called server-side encryption. MinIO AIStor supports the following types of certificate signatures: self-signed internal or private certificate authorities (CAs) third-party CAs Multiple certificates are implemented with SNI to determine which certificate to return to a client based on the hostname in the request.

Configure identity providers for MinIO AIStor including built-in users, OpenID Connect, Active Directory/LDAP, and plugins for external solutions.

Create and manage users and groups directly in MinIO AIStor. Configure built-in identity management alone or together with external identity providers.

Use the following checklist when tuning the hardware and operating system configuration for a production, distributed MinIO AIStor deployment. These settings align with the health checks performed by SUBNET diagnostics. Upload a diagnostic report with mc support diag ALIAS and review the results in SUBNET to validate your deployment against these recommendations. CPU Check Recommendation CPU governor Set to performance on all nodes. Other governors (such as powersave or ondemand) reduce throughput under load. See CPU tuning. Vector extensions Verify that SSE 4.2 and AVX2 extensions are available on all CPUs. MinIO AIStor uses these for erasure coding and hashing. Check with lscpu | grep -i -E 'sse4_2|avx2'. Minimum cores A minimum of 8 physical cores per node is recommended. Nodes with fewer cores may bottleneck under concurrent S3 workloads. CPU consistency All nodes in the cluster should have the same CPU make, model, and core count. Asymmetric CPU configurations can cause uneven performance. Memory Check Recommendation Swap Disable swap or set vm.swappiness=0. Swap causes unpredictable latency spikes. See Memory tuning. Transparent huge pages Set to madvise, not always. The always setting can cause latency spikes and memory fragmentation. See Memory tuning. IOMMU Disable IOMMU if not required for device passthrough. IOMMU adds overhead to DMA operations. See Bootloader settings. Memory consistency All nodes in the cluster should have the same amount of RAM. Asymmetric memory configurations can cause uneven performance. Drives Check Recommendation XFS error retries Set max_retries to a finite value instead of the default -1 (infinite). Infinite retries can cause processes to hang on failing drives. See Disable XFS retry on error. Mount options Mount XFS drives with noatime,nodiratime. This eliminates unnecessary access time updates on every read operation. See Storage requirements. Drive usage Keep drive usage below 80%. Performance degrades as drives fill due to XFS fragmentation and reduced free extent availability. Monitor with mc support diag ALIAS. Drive consistency All nodes should have the same number, type, and size of drives. Asymmetric drive configurations can cause uneven performance. Network Check Recommendation Ethernet ring buffer Maximize RX and TX ring buffer sizes on all network interfaces used by MinIO AIStor. Small ring buffers cause packet drops under load. See Ring buffers. Internode latency Internode network round-trip time should remain below 10 ms. High latency impacts distributed lock performance and erasure coding operations. See Network tuning. Network validation Validate network performance across all nodes before production deployment. See Network and storage performance testing. Operating system Check Recommendation Resource limits Set the open file descriptor limit to at least 65536 for the MinIO AIStor process. Set LimitNOFILE=65536 in the systemd unit file or configure with ulimit -n 65536. Process user Run MinIO AIStor as a dedicated non-root user. Running as root is a security risk and is flagged by SUBNET diagnostics. See the installation guides for user creation steps. Kernel stability Avoid kernel versions with known stability issues. See Linux Kernel Requirements. OS consistency All nodes in the cluster should run the same operating system distribution and version. Mixed OS environments can introduce inconsistent behavior. Validate with SUBNET diagnostics After applying the above settings, upload a fresh diagnostic report:

MinIO AIStor supports publishing bucket notification events to a webhook service endpoint. Prerequisites The MinIO AIStor mc command line tool This procedure uses the mc command line tool for certain actions. See the mc Quickstart for installation instructions. Add a webhook endpoint to an AIStor Server The following procedure adds a new webhook service endpoint for supporting bucket notifications in an AIStor Server.

MinIO AIStor uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users. MinIO AIStor PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. This documentation makes a best-effort to cover IAM-specific behavior and functionality. Refer also to the AWS IAM documentation for more information.

This guide covers configuring Keycloak as an OpenID Connect (OIDC) identity provider for MinIO AIStor. For general OIDC configuration, see OpenID Connect Identity Management. Prerequisites A running Keycloak server. See the Keycloak installation guide for setup instructions. A MinIO AIStor deployment with network connectivity to the Keycloak server. The mc CLI installed and configured with an alias for your MinIO AIStor deployment. Configure Keycloak Create a client In the Keycloak admin console, navigate to Clients and select the account client (or create a new client). Under Settings, change Access Type to confidential and save. Under the Credentials tab, copy the Secret value. This value is used for MINIO_IDENTITY_OPENID_CLIENT_SECRET. Under Settings, set Valid Redirect URIs to * (or restrict to your MinIO AIStor Console URL). Under Advanced Settings, set Access Token Lifespan to 1 Hours. Configure policy claim mapping MinIO AIStor uses a JWT claim to determine which policies to assign to an authenticated user.

MinIO AIStor includes a Quality of Service (QoS) configuration that allows you to define rate limiting and concurrency controls for S3 requests on a per-bucket basis. This feature enables fine-grained control over API request rates and concurrent operations to ensure optimal resource utilization and prevent system overload. QoS has two enforcement layers This page describes API QoS, which controls requests — requests per second (rps) and concurrent operations (concurrency) — inside the MinIO AIStor server. API QoS does not cap bandwidth.

This guide covers OS-level and hardware tuning for MinIO AIStor, with specific recommendations for high-bandwidth deployments using 100G/400G networks and NVMe storage. For benchmarking tools to validate tuning changes, see Benchmarking. Quick start with tuned MinIO provides a tuned profile that applies CPU, memory, filesystem, and network settings.

You can use the MinIO AIStor Console to perform several of the bucket and object management and interaction functions available in MinIO AIStor. Depending on the permissions and IAM policies for the authenticated user, you can: Browse, upload, revert, manage, and interact with objects. Browse, create, and manage buckets. Create or monitor remote tiers for object transition rules. Object browser The Object Browser lists the buckets and objects the authenticated user has access to on the deployment.