This section documents steps for installing and managing AIStor Server on macOS™ host machines. Procedure Install AIStor Server onto the macOS host The easiest way to install AIStor Server on macOS is using Homebrew.

Use the following checklist when planning the security configuration for a production, distributed AIStor Server. Required steps Identity and access management Step Details Group policies Define group policies either on MinIO AIStor or the selected 3rd party Identity Provider (LDAP/Active Directory or OpenID Connect) Individual access policies Define individual access policies on MinIO AIStor or the selected 3rd party Identity Provider Identity provider configuration Configure MinIO AIStor to use the selected 3rd party Identity Provider Firewall access Port Details S3 API listen port Grant firewall access for TCP traffic to the Object Store S3 API Listen Port (Default: 9000) Console port Grant firewall access for TCP traffic to the AIStor Server console port (Recommended Default: 9443) Encryption-at-rest MinIO AIStor supports Server-Side Encryption using MinIO KMS:

MinIO AIStor supports publishing bucket notification events to PostgreSQL. MinIO AIStor supports PostgreSQL 9.5 and later only. Prerequisites PostgreSQL 9.5 and later MinIO AIStor relies on features introduced with PostgreSQL 9.5. The MinIO AIStor mc Command Line Tool This procedure uses the mc command line tool for certain actions. See the mc Quickstart for installation instructions.

The MinIO AIStor Identity Management Plugin provides a REST interface for offloading authentication to an external identity manager with a webhook service. Client applications can use the AssumeRoleWithCustomToken STS API extension to generate access tokens for MinIO AIStor. MinIO AIStor verifies this token by making a POST request to the configured plugin endpoint and uses the returned response to determine the authentication status of the client. Configuration settings You can configure the MinIO AIStor Identity Management Plugin with the following environment variables or configuration settings:

MinIO AIStor includes a Quality of Service (QoS) configuration that allows you to define rate limiting and concurrency controls for S3 requests on a per-bucket basis. This feature enables fine-grained control over API request rates and concurrent operations to ensure optimal resource utilization and prevent system overload. You can configure rules with QoS to do the following: Feature Description Rate Limiting Control the number of requests per second for specified operations Concurrency Control Limit the number of concurrent operations Prefix-based Targeting Apply limits to specific object prefixes within buckets API-specific Rules Target specific S3 operations Priority-based Evaluation Use rule priorities for complex scenarios In production environments, you typically write a YAML configuration file for your QoS rules that looks like the following:

The MinIO AIStor Access Management Plugin provides a REST interface for offloading authorization through a webhook service. MinIO AIStor sends the request and credential details for every API call to the configured external HTTP(S) endpoint and looks for a response of ALLOW or DENY. MinIO AIStor can therefore delegate the access management to the external system instead of relying on S3 policy based access control. Configuration settings You can configure the MinIO AIStor External Access Management Plugin using the following environment variables or configuration settings.

MinIO AIStor Object Locking (“Object Retention”) enforces Write-Once Read-Many (WORM) immutability to protect versioned objects from deletion. MinIO AIStor supports both duration based object retention and indefinite legal hold retention. MinIO AIStor Object Locking provides key data retention compliance and meets SEC17a-4(f), FINRA 4511(C), and CFTC 1.31(c)-(d) requirements as per Cohasset Associates. Overview

MinIO AIStor supports publishing bucket notification events to a webhook service endpoint. Prerequisites The MinIO AIStor mc command line tool This procedure uses the mc command line tool for certain actions. See the mc Quickstart for installation instructions. Add a webhook endpoint to an AIStor Server The following procedure adds a new webhook service endpoint for supporting bucket notifications in an AIStor Server.

Access management and policies MinIO AIStor uses the built-in access management where a user’s attached policies determines the operations and data paths to which they have access. The mc table share commands require the following permissions: admin:DeltaSharingCreateShare admin:DeltaSharingGetShare admin:DeltaSharingListShares admin:DeltaSharingUpdateShare admin:DeltaSharingDeleteShare The user must also have s3:GetObject and s3:ListBucket permissions on all buckets and paths in which they must manage table shares.

MinIO AIStor requires authentication and authorization for every operation on the object store. Human users and client applications must authenticate, and can perform only operations on resources explicitly allowed by the access policies assigned to them. Authentication verifies the identity of a user or client application. User credentials take the form of a username and password. Application credentials can take the form of an access key and secret key, or an application can call the appropriate STS endpoint. Which endpoint depends on your identity provider.