storj.io/minio@v0.0.0-20230509071714-0cbc90f649b1/docs/bucket/retention/README.md (about)

# Object Lock and Immutability Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)

MinIO server allows WORM (write once, read many) for specific objects, or for a whole bucket by configuring a default object lock configuration that applies a default retention mode and retention duration to all objects. This makes objects in the bucket immutable, i.e. deleting a version is not allowed until the expiry specified in the bucket's object lock configuration or in the object's retention.

Object locking must be enabled on a bucket at the time of bucket creation. Object locking also automatically enables versioning on the bucket. In addition, a default retention period and retention mode can be configured on a bucket to be applied to objects created in that bucket.

Independent of retention, an object can also be under legal hold. This effectively disallows all deletes of an object under legal hold until the legal hold is removed by an API call.

## Get Started

### 1. Prerequisites

- Install MinIO - [MinIO Quickstart Guide](https://docs.min.io/docs/minio-quickstart-guide)
- Install `awscli` - [Installing AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)

### 2. Set bucket WORM configuration

WORM on a bucket is enabled by setting an object lock configuration. This configuration is applied to existing and new objects in the bucket. The example below sets `Governance` mode and a retention time of one day from object creation time for all objects in `mybucket`.

```sh
# Default rule for mybucket: GOVERNANCE mode, retain each object for 1 day
aws s3api put-object-lock-configuration --bucket mybucket --object-lock-configuration 'ObjectLockEnabled=Enabled,Rule={DefaultRetention={Mode=GOVERNANCE,Days=1}}'
```

### Set object lock

The PutObject API allows setting a per-object retention mode and retention duration using the `x-amz-object-lock-mode` and `x-amz-object-lock-retain-until-date` headers. These take precedence over any bucket object lock configuration with respect to retention.

```sh
# Upload with per-object retention: GOVERNANCE mode until the given date
aws s3api put-object --bucket testbucket --key lockme --object-lock-mode GOVERNANCE --object-lock-retain-until-date "2019-11-20" --body /etc/issue
```

See https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html for AWS S3 spec on object locking and permissions required for object retention and governance bypass overrides.

### Set legal hold on an object

The PutObject API allows setting a legal hold using the `x-amz-object-lock-legal-hold` header.

```sh
# Upload with a legal hold placed on the new object version
aws s3api put-object --bucket testbucket --key legalhold --object-lock-legal-hold-status ON --body /etc/issue
```

See https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html for AWS S3 spec on object locking and permissions required for specifying legal hold.

## Concepts

- If an object is under legal hold, it cannot be deleted unless the legal hold is explicitly removed for the respective version id. DeleteObjectVersion() would fail otherwise.
- In `Compliance` mode, objects cannot be deleted by anyone until the retention period has expired for the respective version id. If the user has the requisite governance bypass permissions, an object's retention date can be extended in `Compliance` mode.
- Once an object lock configuration is set on a bucket:
  - New objects automatically inherit the retention settings of the bucket object lock configuration
  - Retention headers can optionally be set when uploading objects
  - Retention can be set by explicitly calling the PutObjectRetention API on the object
- The *MINIO_NTP_SERVER* environment variable can be set to a remote NTP server endpoint if system time is not desired for setting retention dates.
- **Object locking feature is only available in erasure coded and distributed erasure coded setups**.
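
The deletion rules above, as an added example (not MinIO's code): a Python check that takes the JSON printed by `aws s3api get-object-retention` and `aws s3api get-object-legal-hold` and reports whether deleting that version would be refused. The function names and sample data are assumptions made for illustration, and the governance bypass branch follows the S3 object-lock spec linked earlier.

```python
import json
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse an ISO 8601 date or timestamp; a missing zone means UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def default_retain_until(created, days):
    """Retain-until date implied by a bucket default rule of Days=<days>."""
    return created + timedelta(days=days)


def delete_allowed(retention_json, legal_hold_json, now, bypass_governance=False):
    """Return (allowed, reason) for deleting one object version at time `now`."""
    hold = json.loads(legal_hold_json or "{}").get("LegalHold", {})
    if hold.get("Status") == "ON":
        return False, "legal hold is ON"  # independent of retention
    ret = json.loads(retention_json or "{}").get("Retention", {})
    mode, until = ret.get("Mode"), ret.get("RetainUntilDate")
    if not mode or not until or parse_ts(until) <= now:
        return True, "no active retention"
    if mode == "GOVERNANCE" and bypass_governance:
        return True, "GOVERNANCE retention bypassed"
    # COMPLIANCE, GOVERNANCE without bypass, or an unknown mode: fail closed.
    return False, f"{mode} retention active"


# Constructed sample data (not captured from a real server): an object created
# under the bucket default from step 2 (GOVERNANCE, Days=1).
CREATED = parse_ts("2019-11-19T12:00:00Z")
RETENTION = json.dumps({"Retention": {
    "Mode": "GOVERNANCE",
    "RetainUntilDate": default_retain_until(CREATED, 1).isoformat()}})
HOLD_ON = '{"LegalHold": {"Status": "ON"}}'
HOLD_OFF = '{"LegalHold": {"Status": "OFF"}}'

if __name__ == "__main__":
    for ts in ("2019-11-20T00:00:00Z", "2019-11-21T00:00:00Z"):
        print(ts, delete_allowed(RETENTION, HOLD_OFF, parse_ts(ts)))
    print("hold:", delete_allowed(RETENTION, HOLD_ON, parse_ts("2019-11-21T00:00:00Z")))
```

Run as a script, it evaluates the sample version before and after its retain-until date, then again with a legal hold in place.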

## Explore Further

- [Use `mc` with MinIO Server](https://docs.min.io/docs/minio-client-quickstart-guide)
- [Use `aws-cli` with MinIO Server](https://docs.min.io/docs/aws-cli-with-minio)
- [Use `s3cmd` with MinIO Server](https://docs.min.io/docs/s3cmd-with-minio)
- [Use `minio-go` SDK with MinIO Server](https://docs.min.io/docs/golang-client-quickstart-guide)
- [The MinIO documentation website](https://docs.min.io)