level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
3.1 KiB
Object Lock and Immutablity
MinIO server allows selectively specify WORM for specific objects or configuring a bucket with default object lock configuration that applies default retention mode and retention duration to all incoming objects. Essentially, this makes objects in the bucket immutable i.e. delete and overwrite are not allowed till stipulated time specified in the bucket's object lock configuration or object retention.
Object locking requires locking to be enabled on a bucket at the time of bucket creation. In addition, a default retention period and retention mode can be configured on a bucket to be applied to objects created in that bucket.
Get Started
1. Prerequisites
Install MinIO - MinIO Quickstart Guide.
2. Set bucket WORM configuration
WORM on a bucket is enabled by setting object lock configuration. This configuration is applied to existing and new objects in the bucket. Below is an example sets Governance
mode and one day retention time from object creation time of all objects in mybucket
.
$ awscli s3api put-object-lock-configuration --bucket mybucket --object-lock-configuration 'ObjectLockEnabled=\"Enabled\",Rule={DefaultRetention={Mode=\"GOVERNANCE\",Days=1}}'
Set object lock
PutObject API allows setting per object retention mode and retention duration using x-amz-object-lock-mode
and x-amz-object-lock-retain-until-date
headers. This takes precedence over any bucket object lock configuration w.r.t retention.
aws s3api put-object --bucket testbucket --key lockme --object-lock-mode GOVERNANCE --object-lock-retain-until-date "2019-11-20" --body /etc/issue
See https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html for AWS S3 spec on object locking and permissions required for object retention and governance bypass overrides.
3. Note
- When global WORM is enabled by
MINIO_WORM
environment variable orworm
field in configuration file supersedes bucket level WORM andPUT object lock configuration
REST API is disabled. - global WORM and objects in
Compliance
mode can never be overwritten - Currently
Governance
mode does not allow overwriting an existing object as versioning is not available in MinIO. To that extentGovernance
mode is similar toCompliance
. However, if user has requisiteGovernance
bypass permissions, an object inGovernance
mode can be overwritten. - Once object lock configuration is set to a bucket, new objects inherit the retention settings of the bucket object lock configuration (if set) or the retention headers set in the PUT request or set with PutObjectRetention API call