Appendix C: Object Storage Immutability (S3 Object Lock)

Overview

Zadara Object Storage Immutability ensures data integrity by stopping stored objects from being deleted or overwritten during a specific retention timeframe. With Object Storage Immutability (Object Lock) enabled on a container, it is impossible to modify or shorten the retention period for an existing object. Immutability ensures object version integrity and availability throughout the defined retention period.

This feature can be leveraged directly from the S3 Compatible backup software (i.e. Veeam v10) to ensure the integrity and availability of the backup as required. A configuration guide for SOBR(Scale-Out Backup Repository) that leverages Veeam’s Immutability feature can be found in Zadara’s Knowledge-Base portal.

S3 Object Lock

The VPSA Object Storage is utilizing the S3 Object Lock feature (Compliant Mode) in order to set a retention period to a given object and mark it as an immutable object. Deleting this object will be blocked until the retention period has expired. Object Lock should be enabled during the creation time of a new container directly from the management interface or by using AWS S3 Tools (CLI/SDK). Please note that Object-Lock cannot be enabled for existing containers.

Note

  • All object management related operations for a container with S3 Object Lock enabled will be blocked from the VPSA Object Storage management interface.

  • Starting from version 20.01-367, it is possible to set quotas and adjust containers permissions from the VPSA Object Storage management interface.

Enable Object Lock from the Management Interface

Object Lock can be enabled for a new container during its creation. In order to create a new container with Object Lock:

  1. Login to the management interface.

  2. Navigate to the Object Storage Console section.

  3. In the upper options menu, click on the Add button.

  4. Provide a new container name.

  5. Check the “Object Lock” option.

  6. Create the new container by clicking the Create button.

enable-object-lock

Upon creation the Versioning feature will be enabled automatically for the new container.

Note

Versioning will be enabled automatically for the new container, which may lead to additional storage consumption. Object Lock will prevent the deletion or modification of any object prior to its retention period expiry.

A container with Object Lock enabled can be identified from the container properties. Object Lock property would be set to true.

ensure-object-lock-gui

Enable Object Lock using the AWS S3 CLI

In the following examples, we will enable Object Lock using AWS Tools for Power-Shell.

Currently, Object Lock can be enabled and reviewed only from the VPSA Object Storage S3 API interface.

Note

The below examples are utilizing Power-Shell syntax. A matching API calls will achieve the same functionality using the language of your choice.

Enabling Object Lock

Object lock should be enabled on the container level, during creation time, Object versioning will be enabled automatically.

Make sure the Object Storage credentials were set.

Define the VPSA Object Storage as an endpoint:

$ENDPOINT="https://vsa-0000000b-zadara-qa13.zadarazios.com"

Container Creation

$BUCKET="immutable-container"
aws s3api --endpoint-url=$ENDPOINT create-bucket --bucket $BUCKET --object-lock-enabled-for-bucket

The expect result should be:

{
    "Location": "/immutable-container"
}

Confirm Object Lock was enabled for the newly created container

aws s3api --endpoint-url=$ENDPOINT get-object-lock-configuration --bucket $BUCKET

The expected result should be:

{
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled"
    }
}

Upload an new object

$OBJECT="new-object-with-lock.log"
aws s3api --endpoint-url=$ENDPOINT put-object --bucket $BUCKET --key $OBJECT --body $OBJECT

#Response

{
   "ETag": "\"c6125a47483a2823d993da3d31ba6a50\"",
   "VersionId": "MzMxNjlmNzItOWQ3Ni00MWI0LTllOGYtZDQyN2RkMjRlN2Jk"
}

Set Object retention

aws s3api --endpoint-url=$ENDPOINT put-object-retention --bucket $BUCKET --key $OBJECT --retention Mode=COMPLIANCE,RetainUntilDate=2020-04-01

Retrieve object lock configuration:

aws s3api --endpoint-url=$ENDPOINT get-object-retention --bucket $BUCKET --key $OBJECT
{
   "Retention": {
      "Mode": "COMPLIANCE",
      "RetainUntilDate": "2020-04-01T00:00:00"
   }
}

In this example, the object will remain locked until April 1st, 2020.

List the object versions and attempt to delete a specific version

aws s3api --endpoint-url=$ENDPOINT list-object-versions --bucket $BUCKET  --prefix $OBJECT
{
   "Versions": [
      {
            "ETag": "%22c6125a47483a2823d993da3d31ba6a50%22",
            "Size": 14871255,
            "StorageClass": "STANDARD",
            "Key": "new-object-with-lock.log",
            "VersionId": "MzMxNjlmNzItOWQ3Ni00MWI0LTllOGYtZDQyN2RkMjRlN2Jk",
            "IsLatest": true,
            "LastModified": "2020-03-08T16:54:30.225Z",
            "Owner": {
               "DisplayName": "veeam:client",
               "ID": "veeam:client"
            }
      }
   ]
}

Select the object version and attempt to delete the object

aws s3api --endpoint-url=$ENDPOINT delete-object --bucket=$BUCKET --key=$OBJECT --version-id=$VERSION

An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied.