How to use the S3 Object Locking feature
This guide presents the steps required for configuring and using the S3 Object Locking feature using curl and the AWS CLI.
- 1 Prerequisites
- 2 Configuring Object Locking through the SCSP API
- 2.1 A. Enabling object locking on the bucket and all subsequently created objects
- 2.2 B. Enabling object locking on the bucket without automatically setting it on the objects written afterwards.
- 2.3 C. Enabling legal hold for a newly written object
- 2.4 D. Managing the retention settings of an existing object
- 2.5 E. Managing the legal hold settings of an existing object
- 3 Configuring Object Locking through the S3 API
- 3.1 A. Enabling object locking on the bucket and all subsequently created objects
- 3.2 B. Enabling object locking on the bucket without automatically setting it on the objects written afterwards
- 3.3 C. Enabling legal-hold on newly written objects
- 3.4 D. Managing the locking settings of existing versions of an object
- 3.5 E. Managing the legal-hold settings of existing versions of an object
- 4 Related articles
Prerequisites
Before proceeding with configuring object locking please perform the following steps
Make sure you have a Swarm 14.0+ cluster with a search feed pointing to an Elasticsearch 7+ cluster; also make sure to issue the requests in this guide through a Content Gateway 7.6 or higher.
Create a tenant, a domain in that tenant and a bucket, using either the Content UI or the Content Gateway’s Management API, as follows:
Create a tenant.
curl -XPUT -i -u caringoadmin:caringo "http://192.168.8.109:9090/_admin/manage/tenants/example.tenant.com"
Create a domain within that tenant.
curl -XPUT -i -u caringoadmin:caringo "http://192.168.8.109:9090/_admin/manage/tenants/example.tenant.com/domains/locking.example.com"
Create a bucket in the domain.
curl -XPUT -i -u caringoadmin:caringo "http://192.168.8.109:9090/_admin/manage/tenants/example.tenant.com/domains/locking.example.com/buckets/b1"
Enable versioning at the cluster-level. You can do that through the swarmctl utility available in our support bundle https://support.cloud.datacore.com/tools/swarm-support-tools.tgz, by running the following command from within the dist/ folder.
Enable versioning for the newly created domain.
Enable versioning for the newly created bucket.
In order to use the S3 API, create an S3 token for the user that’s going to manage object locking on the bucket. In the following examples, that role will be played by someuser. Write down the token UUID outputted by the request below which will be your S3 AWS_ACCESS_KEY_ID and the secret that you’ve configured for this token, which will be your S3 AWS_SECRET_ACCESS_KEY.
The user that will manage object locking on the bucket needs to be either the bucket’s owner or a user with admin-level permissions for that bucket. The following requests grant all privileges on the bucket to someuser, which is the user that we’re going to employ in the next steps.
All the above steps need to be performed by an user that has the required administrative permissions at the tenant, domain and bucket levels. In these examples the requests were issued by the caringoadmin user which is configured as the root-level admin user.
Configuring Object Locking through the SCSP API
A. Enabling object locking on the bucket and all subsequently created objects
In this case, the object locking parameters that you will apply through the following request will be automatically applied to all the objects that you write onwards, unless you explicitly set the object-locking headers when writing an object. In the latter case, Gateway will always use the maximum of either the bucket default retention duration or the duration specified in a per-object request.
Enabling object-locking at the bucket level through SCSP requires the following steps:
Do a PUT
/<bucket>?
objectlock=<defaultmode> [ :<defaultperiod> ] wheredefaultmode
can be either "governance" or "compliance"defaultperiod
is optional; it is a number of years (y) or days (d), eg.1y
or20d
.
(Optional) Check that object-locking was enabled at the bucket level by issuing a
GET /<bucket>?
objectlock and checking that the following headers exist and that the response body says:Object locking is enabled on bucket
x-object-lock-meta-status: ENABLED
(Optionally)
x-object-lock-meta-default: <GOVERNANCE|COMPLIANCE>[:<duration>]
All the objects that you write/modify after this, will have the bucket-level object-locking specification automatically applied to them. To verify this do the following:
Create a new object in the bucket.
Make sure the object is locked according to the locking configuration defined at the bucket level, namely that it has the following headers:
X-Object-Lock-Meta-Mode: COMPLIANCE
X-Object-Lock-Meta-Retain-until-date: <current date + 50 days>
B. Enabling object locking on the bucket without automatically setting it on the objects written afterwards.
For users that want object locking enabled on the bucket, but not automatically applied to all subsequently created objects/versions, the following request needs to be performed.
In order to verify that object-locking is not automatically set on a new object (i.e. new objects are unlocked unless the user explicitly locks them when creating them) do the following:
Create a new object.
Check that it does not have the
X-Object-Lock-Meta-Mode
andX-Object-Lock-Meta-Retain-until-date
headers.
At this point you can create another object for which you can define your object-locking parameters of choice by setting the X-Object-Lock-Meta-Mode
and X-Object-Lock-Meta-Retain-until-date
headers, as follows:
Create the object, making sure to set the aforementioned headers.
Make sure that the object has the 2 headers, namely that it is locked.
C. Enabling legal hold for a newly written object
Enabling legal hold on a newly created object requires setting the x-object-lock-meta-legal-hold: ON
header when writing the object. For this particular use case, you need to perform the following steps:
Write the object with the aforementioned header.
Check that legal hold was applied on the object by issuing a HEAD request and confirming the presence of the following headers:
X-Object-Lock-Meta-Legal-Hold: ON
Lifepoint: [] deletable=no
X-Object-Lock-Meta-Original-Lifepoints: <if you've added other lifepoints, they should be in this list>
D. Managing the retention settings of an existing object
Managing the retention and/or legal-hold settings of an existing object is done on particular versions of that object, so the request will need to specify the version for which the retention and/or legal-hold settings are changed using the ?version=<etag of version>
query argument. One needs to also take into account the specific permissions and limitations as mentioned in https://caringo.atlassian.net/wiki/spaces/public/pages/2859925505
The workflow for managing the retention settings of an existing object is generally the following (in these examples we will use an object for which no object locking was set, stored in a bucket that has object-locking enabled, but not enforced, namely X-Object-Lock-Meta-Retain-until-date is not set on the bucket):
List the versions, noting the hash field returned by the listing requests, which is the versionId/etag of that particular version.
Set your desired lock (governance | compliance) and the retention period on one of the versions. In this example, we will set a governance lock with a retention period of 30 days. This is done through the
?objectlock=governance:30d
query argument.Try to remove the governance lock, making sure to set the
x-object-lock-meta-bypass-governance-retention: true
header and the?objectlock=retention
query argument.Set the version’s locking to compliance with a retention period of 40 days.
Try to reduce the retention period to 30 days, confirming that this is not allowed.
Try to increase the retention period to 50 days, which is allowed.
Check the version’s locking status through a GET request that includes the
?objectlock
argument.Change the bucket’s locking mode to compliance with a retention period that is less than what we’ve set for the object at step 6 (e.g. 30 days).
Try to change the version’s locking mode to compliance, without specifying the retention (i.e. use this query argument
?objectlock=compliance
), which means that it should inherit the retention set at the bucket level. Since at the bucket level we have set retention of 30 days, which is less than the 50 days that the version currently has, this request should fail:Change the bucket’s locking mode to compliance with retention higher than what the object currently has (e.g. 60 days).
Now change the version’s locking mode to the bucket’s default (use
?objectlock=
).Confirm that the object has a retention period that matches the bucket’s (i.e. 60 days).
E. Managing the legal hold settings of an existing object
In these examples we will use an object for which no object locking was set, stored in a bucket that has object-locking enabled, but not enforced, namely X-Object-Lock-Meta-Retain-until-date is not set on the bucket
The typical scenario for managing the legal hold settings of existing versions consists of the following steps:
List the object’s versions.
Set legal hold for one of the object’s version using the
?objectlock=legal-hold
query argument on a PUT request.Check the version’s locking status through a GET request that uses the
?objectlock
query argument.Remove the version’s legal hold, through a DELETE request that includes the
?objectlock=legal-hold
query argument.Confirm that the legal hold has been removed.
Configuring Object Locking through the S3 API
A. Enabling object locking on the bucket and all subsequently created objects
If you want to enable object locking on the bucket and have it applied automatically to all objects written afterwards, then the typical usage scenario is the following (NOTE: You will still be able to set object-locking on a per-object basis and the Gateway will always use the maximum of either the bucket default retention duration or the duration specified in a per-object request):
Use the
put-object-lock-configuration
S3 API call for enabling locking using the desired mode and retention period.Check the bucket’s locking status using the
get-object-lock-configuration
S3 API call.Create a new object in that bucket using the
put-object
API call.Check the object’s retention period using the
get-object-retention
S3 API call, making sure it matches the locking settings applied to the bucket. NOTE: This will return the retention settings of the object’s current version. If you need to check the retention settings of a different version, specify that using the--version-id
CLI option.
B. Enabling object locking on the bucket without automatically setting it on the objects written afterwards
If you want to enable object locking on the bucket without having it applied automatically to all objects written afterwards, then your typical usage scenario will look like this:
Use the
put-object-lock-configuration
S3 API call for enabling locking without setting a mode or retention period.Check the bucket’s locking status using the
get-object-lock-configuration
S3 API call.Create a new object in that bucket using the
put-object
API call.Check the object’s retention period using the
get-object-retention
S3 API call, making sure the object has no retention period set.Set a retention period for the current version of this newly written object using the
put-object-retention
API call.Using the
get-object-retention
S3 API call, confirm that the new retention period is now in place.Alternatively, you can set the object lock mode and retention period at write time, using the
--object-lock-mode
and--object-lock-retain-until-date
C. Enabling legal-hold on newly written objects
Using the AWS CLI, you can set legal-hold while writing an object by setting the --object-lock-legal-hold-status
option to ON:
Checking the legal hold status of the newly written object can be done using the get-object-legal-hold API call:
D. Managing the locking settings of existing versions of an object
The typical workflow when managing the locking settings of an object’s version using the AWS CLI is the following:
List the object’s versions using the
list-object-versions
API call, noting the VersionId of the version for which you want to manage the locking settings.Set a GOVERNANCE locking mode on one of the versions (in this example we will use the 2nd version) with a retention period until 2022-01-01T00:00:00. This can be done using the
put-object-retention
API call.Using the
get-object-retention
API call confirms that the new settings are in place.Remove the Governance lock using the
put-object-retention
call, with the--bypass-governance-retention
flag set.Confirm that the lock has been removed.
Set a Compliance mode object lock with a retention period of 90 days.
E. Managing the legal-hold settings of existing versions of an object
The typical workflow in this case consists of the following steps:
List the versions of an object and choose the version for which you want to apply the legal hold (in these examples we will use the 2nd most recent version.
Enable legal hold on that version using the
put-object-legal-hold
API call.Check the version’s legal hold status using the
get-object-legal-hold
.Remove the legal hold lock.
Confirm that the legal hold lock has been removed.
Related articles
https://caringo.atlassian.net/wiki/spaces/public/pages/2859925505
https://caringo.atlassian.net/wiki/spaces/KB/pages/2739666967
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.