## Monitoring MinIO in Kubernetes

MinIO server exposes un-authenticated liveness endpoints so Kubernetes can natively identify unhealthy MinIO containers. MinIO also exposes Prometheus compatible data on a different endpoint to enable Prometheus users to natively monitor their MinIO deployments.

### Use cases: external service { #use-cases-external-service }

An example could be that you have an external authentication provider that you need to call.

You send it a token and it returns an authenticated user.

This provider might be charging you per request, and calling it might take some extra time than if you had a fixed mock user for tests.

        if (authenticator != null && fessConfig.getSystemPropertyAsBoolean(SPNEGO_INITIALIZED, false)) {
            return authenticator;
        }
        try {
            // set some System properties
            final SpnegoFilterConfig config = SpnegoFilterConfig.getInstance(new SpengoConfig());

            // pre-authenticate
            authenticator = new org.codelibs.spnego.SpnegoAuthenticator(config);

NtlmPasswordAuthenticator auth = new NtlmPasswordAuthenticator("domain", "username", "password");
CIFSContext authContext = context.withCredentials(auth);

// Use authenticated context
try (SmbFile file = new SmbFile("smb://server/share/", authContext)) {
    for (SmbFile f : file.listFiles()) {
        System.out.println(f.getName());
    }
}
```

## Configuration

, 👆 🔗, 👥 🔜 🕴 🤚 👩‍💻 🚥 👩‍💻 🔀, ☑ 🔓, & 🦁:

{* ../../docs_src/security/tutorial003.py hl[58:66,69:72,90] *}

/// info

🌖 🎚 `WWW-Authenticate` ⏮️ 💲 `Bearer` 👥 🛬 📥 🍕 🔌.

🙆 🇺🇸🔍 (❌) 👔 📟 4️⃣0️⃣1️⃣ "⛔" 🤔 📨 `WWW-Authenticate` 🎚.

💼 📨 🤝 (👆 💼), 💲 👈 🎚 🔜 `Bearer`.

👆 💪 🤙 🚶 👈 ➕ 🎚 & ⚫️ 🔜 👷.

✋️ ⚫️ 🚚 📥 🛠️ ⏮️ 🔧.

/// info | Información

El header adicional `WWW-Authenticate` con el valor `Bearer` que estamos devolviendo aquí también es parte de la especificación.

Cualquier código de estado HTTP (error) 401 "UNAUTHORIZED" se supone que también debe devolver un header `WWW-Authenticate`.

En el caso de tokens bearer (nuestro caso), el valor de ese header debe ser `Bearer`.

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

/**
 * NTLMSSP AV pair representing target name information in NTLM authentication.
 * Contains the name of the target server or service being authenticated against.
 *
 * @author mbechler
 */
public class AvTargetName extends AvPair {

    /**
     *
     */
    private static final Charset UTF16LE = StandardCharsets.UTF_16LE;

    /**

                        ssn.removeAttribute("NtlmHttpAuth");
                    }
                }
                resp.setHeader("WWW-Authenticate", "NTLM");
                if (offerBasic) {
                    resp.addHeader("WWW-Authenticate", "Basic realm=\"" + this.realm + "\"");
                }
                resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

Latency sensitive applications may notice an increased latency due to a request to the external plugin upon every authenticated request to MinIO. User are advised to provision their infrastructure such that latency and performance is acceptable.

## Quickstart

| Version         | String  | Yes      | Value must be `2011-06-15`                                           |
| Token           | String  | Yes      | Token to be authenticated by identity plugin                         |
| RoleArn         | String  | Yes      | Must match the Role ARN generated for the identity plugin            |