MinIO AIStor RELEASE.2025-08-29T21-27-49Z is a security and feature release that patches a critical STS session policy vulnerability, introduces KMS monitoring and persistent API metrics, and delivers significant performance improvements for inventory reports and data rebalancing.
Answer
This release addresses a critical security issue with STS session policies while adding valuable operational features for monitoring and observability. Organizations using STS temporary credentials should upgrade immediately.
Security Updates
Critical STS Session Policy Fix
What
This release fixes a critical vulnerability in the Security Token Service (STS) in which session policies were not enforced. The system now properly restricts temporary credentials according to the policies provided during token generation.
The vulnerability: When applications requested temporary credentials via STS with session policies, those policy restrictions were not being applied. This meant temporary credentials could have more permissions than intended.
The fix: Session policies are now correctly enforced, ensuring temporary credentials are properly scoped to their intended permissions.
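The difference between the two behaviours can be shown with a small model. This is an added example, not MinIO code: it assumes the standard STS semantics in which a request must be allowed by both the identity policy and the session policy, and the policies, bucket names and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, resource):
    """True if an Allow statement matches and no Deny statement matches."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
               and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False          # explicit deny always wins
        if hit and stmt["Effect"] == "Allow":
            allowed = True
    return allowed

def sts_allows(identity_policy, session_policy, action, resource, enforce_session=True):
    """Decision for a request signed with temporary credentials.
    enforce_session=False models the defect: the session policy is ignored."""
    if not policy_allows(identity_policy, action, resource):
        return False              # a session policy can never add permissions
    if session_policy is None or not enforce_session:
        return True
    return policy_allows(session_policy, action, resource)

def overreach(identity_policy, session_policy, requests):
    """Requests that succeed only when the session policy is not enforced."""
    return [(a, r) for a, r in requests
            if sts_allows(identity_policy, session_policy, a, r, enforce_session=False)
            and not sts_allows(identity_policy, session_policy, a, r)]

# Constructed sample policies: a broad parent identity, a narrow session.
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                           "Resource": "arn:aws:s3:::*"}]}
SESSION = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                          "Resource": "arn:aws:s3:::reports/*"}]}
REQUESTS = [  # constructed sample requests
    ("s3:GetObject", "arn:aws:s3:::reports/q3.csv"),
    ("s3:PutObject", "arn:aws:s3:::reports/q3.csv"),
    ("s3:GetObject", "arn:aws:s3:::payroll/2025.csv"),
    ("s3:DeleteObject", "arn:aws:s3:::reports/q3.csv"),
]

if __name__ == "__main__":
    for action, resource in overreach(IDENTITY, SESSION, REQUESTS):
        print("exceeds session policy:", action, resource)
```

The same request list, replayed against a real deployment with scoped temporary credentials, makes a useful post-upgrade check: every entry that `overreach` reports should be denied.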
Availability
Available in this release. This is a security patch—immediate upgrade recommended.
Why
STS session policies are a critical security control for:
- Least-privilege access - Limiting temporary credentials to only needed permissions
- Application isolation - Ensuring applications can’t exceed their intended scope
- Compliance requirements - Meeting access control audit requirements
Without proper session policy enforcement, temporary credentials could access resources beyond their intended scope, creating significant security and compliance risks.
What This Means for Customers
- Immediate action required for organizations using STS with session policies
- Stronger access control with proper policy enforcement
- Compliance assurance for temporary credential usage
- No configuration changes needed—enforcement is automatic upon upgrade
Recommendation: Prioritize upgrading if your environment uses STS temporary credentials with session policies.
New Features
KMS Health Monitoring
What
New metrics now track external Key Management Server health for encryption-related alerting. This provides visibility into the availability and responsiveness of your KMS infrastructure.
Key capabilities:
- KMS connectivity status monitoring
- Health metrics for alerting and dashboards
- Integration with existing Prometheus monitoring
Availability
Available in this release.
Why
When using server-side encryption with external KMS (AWS KMS, HashiCorp Vault, etc.), KMS availability directly impacts the ability to read and write encrypted objects. Without KMS health monitoring, a KMS outage could cause application failures without clear root cause visibility.
What This Means for Customers
- Proactive alerting on KMS connectivity issues
- Faster incident response with clear KMS health visibility
- Better SLA management for encryption-dependent workloads
- Integration with existing monitoring via Prometheus metrics
Persistent API Metrics
What
API usage statistics now survive server restarts, enabling improved long-term monitoring and capacity planning.
Previously, API metrics were reset on server restart, losing historical usage data. Now, metrics persist across restarts.
Availability
Available in this release.
Why
Accurate usage metrics are essential for:
- Capacity planning - Understanding usage patterns over time
- Chargeback/showback - Tracking consumption for cost allocation
- Performance analysis - Identifying trends and anomalies
- SLA reporting - Demonstrating service levels
Losing metrics on restart made long-term analysis unreliable and complicated capacity planning.
What This Means for Customers
- Reliable usage tracking across maintenance windows
- Accurate capacity planning with continuous metrics
- Better chargeback data without gaps from restarts
- Improved trend analysis for performance optimization
Improvements
Enhanced Webhook Logging
What
Webhook logs now include the originating node hostname, making it easier to troubleshoot issues in distributed deployments.
Availability
Available in this release.
Why
In distributed MinIO deployments, identifying which node generated a webhook event is critical for troubleshooting. Without node identification, correlating webhook issues to specific servers required additional investigation.
What This Means for Customers
- Faster troubleshooting of webhook-related issues
- Better correlation between webhook events and server logs
- Simplified debugging in multi-node deployments
Batch Expiration Enhancements
What
Batch expiration jobs now support:
- Multiple prefixes in a single job
- Prefix removal operations
Availability
Available in this release.
Why
Data lifecycle management often requires expiring objects across multiple prefixes or removing prefix structures during reorganization. These enhancements reduce the number of jobs needed and simplify data management workflows.
What This Means for Customers
- Simplified lifecycle management with multi-prefix support
- Fewer batch jobs to manage
- More flexible data organization with prefix removal
Configurable Lambda Webhook Timeout
What
The Lambda webhook response timeout is now configurable, allowing adjustment for longer-running webhook handlers.
Availability
Available in this release.
Why
Some webhook handlers require more time to process events, especially when integrating with external services or performing complex operations. A fixed timeout caused failures for legitimate long-running handlers.
What This Means for Customers
- Support for complex webhook handlers that need more processing time
- Fewer timeout-related failures in integrations
- More flexible event processing architectures
Prometheus Metrics Documentation
What
The Prometheus documentation was updated with previously undocumented metrics, improving observability setup and dashboard creation.
Availability
Available in this release.
Why
Complete metrics documentation enables customers to build comprehensive monitoring dashboards and alerting rules.
What This Means for Customers
- Better observability with full metrics visibility
- Easier dashboard creation with complete documentation
- More effective alerting using all available metrics
Performance Optimizations
Faster Parquet Inventory Reports
What
Parquet inventory report generation speed was significantly improved through efficient batch-writing techniques.
Availability
Available in this release.
Why
Inventory reports for large namespaces can take considerable time to generate. Optimizing Parquet writing reduces the time to produce inventory data, enabling more frequent reporting and faster analytics.
What This Means for Customers
- Faster inventory generation for large namespaces
- More frequent reporting options
- Reduced resource consumption during report generation
- Quicker time-to-insight for analytics workflows
Optimized Data Rebalancing
What
Data rebalancing now stops scanning once targets are met, reducing unnecessary load on the system.
Previously, rebalancing operations would continue scanning even after achieving balance targets, consuming resources unnecessarily.
Availability
Available in this release.
Why
Data rebalancing is resource-intensive. Continuing to scan after targets are met wastes I/O and CPU resources that could serve production workloads.
What This Means for Customers
- Reduced system load during rebalancing operations
- Faster rebalancing completion by stopping when done
- Less impact on production workloads during maintenance
- More efficient resource utilization
Bug Fixes
Storage and Reliability Fixes
| Issue | Fix |
|---|---|
| Storage subsystem resource leak | Prevented resource exhaustion over time |
| Parquet file generation race condition | Eliminated potential data corruption |
| Replication queue disk persistence | Ensured replication state survives restarts |
| Data rebalance restart capability | Improved recovery from interrupted rebalancing |
| Data rebalance status persistence | Status now persists without configuration files |
Tools and Compatibility Fixes
| Issue | Fix |
|---|---|
| Speedtest tool with STS credentials | Now works correctly with temporary credentials |
| License reload duplicate process | Eliminated redundant license processing |
| Multi-object delete success reporting | Accurate reporting of delete operations |
Console UI Fixes
| Issue | Fix |
|---|---|
| Unit display issues | Corrected capacity unit formatting |
| Storage capacity display | Accurate capacity reporting |
| Permissions handling | Proper permission checks in UI |
Upgrade Recommendations
Priority: High (Security Release)
This release should be prioritized due to the STS session policy security fix.
| Environment | Recommendation |
|---|---|
| Using STS with session policies | Upgrade immediately |
| Using external KMS | Upgrade soon for KMS monitoring |
| Large-scale deployments | Upgrade for performance improvements |
| All other environments | Upgrade at next maintenance window |
Summary
MinIO AIStor RELEASE.2025-08-29 delivers:
- Critical security fix for STS session policy enforcement
- KMS health monitoring for encryption infrastructure visibility
- Persistent API metrics for reliable usage tracking
- Faster Parquet inventory generation
- Optimized data rebalancing with reduced system load
- Multiple bug fixes for storage, replication, and console
Action Required: Organizations using STS temporary credentials with session policies should upgrade immediately to ensure proper policy enforcement.
References
For questions about the security vulnerability or upgrade assistance, contact your MinIO support team.