Requirements for S3 Object Lock

You must review the requirements for enabling the global S3 Object Lock setting, the requirements for creating compliant ILM rules and ILM policies, and the restrictions StorageGRID places on buckets and objects that use S3 Object Lock.

Requirements for using the global S3 Object Lock setting

  • You must enable the global S3 Object Lock setting using the Grid Manager or the Grid Management API before any S3 tenant can create a bucket with S3 Object Lock enabled.

  • Enabling the global S3 Object Lock setting allows all S3 tenant accounts to create buckets with S3 Object Lock enabled.

  • After you enable the global S3 Object Lock setting, you can’t disable the setting.

  • You can’t enable the global S3 Object Lock setting unless the default rule in all active ILM policies is compliant (that is, the default rule must comply with the requirements of buckets with S3 Object Lock enabled).

  • When the global S3 Object Lock setting is enabled, you can’t create a new ILM policy or activate an existing ILM policy unless the default rule in the policy is compliant. After the global S3 Object Lock setting has been enabled, the ILM rules and ILM policies pages indicate which ILM rules are compliant.

Requirements for compliant ILM rules

If you want to enable the global S3 Object Lock setting, you must ensure that the default rule in all active ILM policies is compliant. A compliant rule satisfies the requirements of both buckets with S3 Object Lock enabled and any existing buckets that have legacy Compliance enabled:

  • It must create at least two replicated object copies or one erasure-coded copy.

  • These copies must exist on Storage Nodes for the entire duration of each line in the placement instructions.

  • Object copies can’t be saved in a Cloud Storage Pool.

  • Object copies can’t be saved on Archive Nodes.

  • At least one line of the placement instructions must start at day 0, using Ingest time as the reference time.

  • At least one line of the placement instructions must be "forever."

Requirements for ILM policies

When the global S3 Object Lock setting is enabled, active and inactive ILM policies can include both compliant and non-compliant rules.

  • The default rule in an active or inactive ILM policy must be compliant.

  • Non-compliant rules only apply to objects in buckets that don’t have S3 Object Lock enabled or that don’t have the legacy Compliance feature enabled.

  • Compliant rules can apply to objects in any bucket; S3 Object Lock or legacy Compliance does not need to be enabled for the bucket.

A compliant ILM policy might include these three rules:

  1. A compliant rule that creates erasure-coded copies of the objects in a specific bucket with S3 Object Lock enabled. The EC copies are stored on Storage Nodes from day 0 to forever.

  2. A non-compliant rule that creates two replicated object copies on Storage Nodes for a year and then moves one object copy to Archive Nodes and stores that copy forever. This rule only applies to buckets that don’t have S3 Object Lock or legacy Compliance enabled because it stores only one object copy forever and it uses Archive Nodes.

  3. A default, compliant rule that creates two replicated object copies on Storage Nodes from day 0 to forever. This rule applies to any object in any bucket that was not filtered out by the first two rules.
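
The following Python checker is an added example, not part of the StorageGRID documentation or product. It applies the compliant-rule requirements listed above to the three-rule policy just described. The `Line` data model, the location names, and the convention that the default rule is the last entry in the list are assumptions made for this example; they are not the Grid Management API schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Line:                      # one line of a rule's placement instructions
    start_day: int
    end_day: Optional[int]       # None means "forever"
    reference: str               # reference time, e.g. "ingest"
    placements: list             # (kind, copies, location) tuples

BANNED = ("cloud_storage_pool", "archive_node")

def rule_violations(lines):
    """Return the compliant-rule requirements that this rule fails."""
    found = []
    for i, ln in enumerate(lines, 1):
        on_sn = [p for p in ln.placements if p[2] == "storage_node"]
        repl = sum(n for kind, n, _ in on_sn if kind == "replicated")
        ec = sum(n for kind, n, _ in on_sn if kind == "ec")
        if repl < 2 and ec < 1:
            found.append(f"line {i}: needs 2 replicated or 1 EC copy on Storage Nodes")
        found += [f"line {i}: copy stored on {loc}"
                  for _, _, loc in ln.placements if loc in BANNED]
    if not any(l.start_day == 0 and l.reference == "ingest" for l in lines):
        found.append("no line starts at day 0 from ingest time")
    if not any(l.end_day is None for l in lines):
        found.append("no line is stored forever")
    return found

def policy_violations(rules):
    """rules: ordered (name, lines) pairs; the last pair is the default rule."""
    name, lines = rules[-1]
    return [f"default rule {name!r}: {m}" for m in rule_violations(lines)]

# Constructed sample: the three-rule policy described above.
EC_RULE = [Line(0, None, "ingest", [("ec", 1, "storage_node")])]
ARCHIVE_RULE = [Line(0, 365, "ingest", [("replicated", 2, "storage_node")]),
                Line(365, None, "ingest", [("replicated", 1, "archive_node")])]
DEFAULT_RULE = [Line(0, None, "ingest", [("replicated", 2, "storage_node")])]
POLICY = [("ec-locked-bucket", EC_RULE), ("archive-after-1y", ARCHIVE_RULE),
          ("default-2-copies", DEFAULT_RULE)]

if __name__ == "__main__":
    for name, lines in POLICY:
        print(name, rule_violations(lines) or "compliant")
    print("policy:", policy_violations(POLICY) or "default rule is compliant")
```

The policy passes because only its default rule has to be compliant. The second rule is reported as non-compliant for the same two reasons the text gives: it keeps a single copy forever and it uses Archive Nodes.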