Bucket Lifecycle Policy

Lifecycle policies perform active deletion of the non-locked content based on time-based policies. Though object locking and lifecycle policies are not direct mirrors of each other, having both capabilities allows a customer to prevent deletion-style ransomware attacks while providing more complex protection schemes.

Warning

Data in an object storage bucket or container must be managed solely by Veeam Backup & Replication, including retention and data management. Enabling lifecycle rules is not supported, and may result in backup and restore failures. For more information, see Considerations and Limitations - User Guide for VMware vSphere.

S3 Lifecycle Policy Features at Bucket Level

  • A bucket contains a set of overlapping policies called rules.

  • Each rule contains an ID (name).

  • Each rule contains a flag indicating if it is enabled or not.

  • Each rule contains an optional filter describing the rule applied to which objects within the bucket.

    • The absence of a filter indicates all objects in the bucket are subject to the rule.

    • A filter includes a prefix of an object name (relative to the bucket) that is subject to the rule.

Info

AWS S3 supports tag-based filters, but Swarm does not support them.

  • A rule contains an expiration action indicating the deletion of an object when the rule applies. The expiration action operates on the current version of an object, either by deleting the object permanently in a non-versioned bucket or creating a delete marker in a versioned bucket.

    • A time limit is provided in the form of “integral number of days” or “absolute date”.

      • Any object created before that date is subject to expiration if an absolute date is provided.

      • When an integral number of days is provided, the evaluation of the expiration cut-off for the current version uses the object version’s age, rounding up to midnight UTC. The integral number of days starts from 0 at that time. For historic (non-current) object versions, the date of the next newest object version is used for evaluation, again rounded up to midnight UTC.

      • In both cases, the policy takes effect at midnight UTC of the specified date.

    • Policies based on the number of object versions are not yet supported.

  • Swarm supports policy.lifecycle policy setting at the cluster level that acts as a master switch for the feature.

Use Cases

  • S3 stores various lifecycle policies at the granularity of buckets with policies applying to the content in those buckets. Since policies apply to all objects in a bucket, Swarm provides an ability to apply the same S3 behaviors to the content stored and accessed via other protocols (e.g., SCSP).

  • Object versioning provides durability, but Swarm previously lacked a convenient mechanism to prevent old versions from unbounded accumulation. Lifecycle policies allow a bucket owner to limit version accumulation and thus, mitigate concerns about runaway cluster space usage.

Swarm Lifecycle Policy

Swarm allows all client applications to protect data from malicious deletions and overwrites, without any middle layer. The Swarm UI provides the simplest way to enable or disable lifecycle policies for buckets within the domain.

Swarm is constantly checking and reviewing Bucket lifecycle policies to verify the policies are enforced in a timely manner. See Supported Amazon S3 Features.

  • To specify multiple rules, use multiple Policy-Lifecycle headers on the bucket, one for each rule. If needed, place multiple rules into a single Policy-Lifecycle header, with each rule separated by commas.

 

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.