This section explains how to enable and manage Object Lock for S3 Buckets in Qumulo Core.

Prerequisites

Before you can enable Object Lock for an S3 bucket, you must first enable S3 Bucket versioning.

How Object Lock for S3 Buckets Works in Qumulo Core

You can configure Object Lock for an S3 Bucket in three ways:

  • Lock with manual retention period: This configuration specifies a fixed period of time during which an object remains locked. Qumulo Core supports compliance mode, a type of retention period which prevents a protected object version from being overwritten or deleted by any user.

    To configure a lock with a manual compliance mode retention period, use the PutObjectRetention S3 API action or specify the configuration in the headers of the CreateMultipartUpload, CopyObject, or PutObject S3 API action.

  • Lock with default retention period: This configuration is similar to that of a lock with a manual retention period. It ensures that the S3 bucket locks any new object added to it.

  • Legal hold: This configuration ensures that an object remains locked without an expiration date, until you remove the hold.

    To configure a legal hold, use the PutObjectLegalHold S3 API action or specify the configuration in the headers of the CreateMultipartUpload, CopyObject, or PutObject S3 API action.

It isn’t possible to change any data or attributes of an object with a valid lock (with a manual or default retention period) or with a legal hold by using any of the protocols which Qumulo Core supports.

Enabling S3 Object Lock Configuration

You can configure S3 bucket locking by using the Qumulo REST API or qq CLI. For more information, see qq s3_modify_bucket and qq s3_add_bucket in the Qumulo qq CLI Command Guide. You can also use the S3 API directly.

Viewing S3 Object Lock Configuration

You can view the Object Lock configuration for an S3 bucket in two ways:

  • Run the qq fs_file_get_attr command and use the --retrieve-file-lock flag. For example:

    $ qq fs_file_get_attr --retrieve-file-lock --path /demo
    

    The following is example output. (Only part of the output is shown.)

    {
      "lock": {
        "legal_hold": false,
        "retention_period": "2024-10-08T21:53:46.493886743Z"
      }
    }
    
  • Run the s3api get-object-retention command and specify your bucket name and the key of the object whose lock you want to view. For example:

    $ aws s3api get-object-retention \
      --bucket my-bucket \
      --key my-object-key
    

    The following is example output.

    {
      "Retention": {
        "Mode": "COMPLIANCE",
        "RetainUntilDate": "2024-10-08T21:53:46.493Z"
      }
    }
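To audit lock status from either of the outputs above, the following added example (not part of Qumulo's documentation or tooling) normalizes both formats and reports whether an object version is still protected. The function names are hypothetical. It assumes that an unlocked file may report a null lock or a missing retention_period, and because get-object-retention output carries no legal hold status, the hold is returned as None for that format.

```python
import json
import re
from datetime import datetime, timezone

# Constructed inputs: the two example outputs shown on this page.
QQ_OUTPUT = '{"lock": {"legal_hold": false, "retention_period": "2024-10-08T21:53:46.493886743Z"}}'
S3API_OUTPUT = '{"Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2024-10-08T21:53:46.493Z"}}'

_STAMP = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z")


def parse_utc(stamp):
    """Parse a UTC timestamp; digits beyond microseconds are truncated."""
    m = _STAMP.fullmatch(stamp)
    if m is None:
        raise ValueError(f"unexpected timestamp: {stamp!r}")
    whole = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "")[:6].ljust(6, "0"))
    return whole.replace(microsecond=micros, tzinfo=timezone.utc)


def lock_state(raw_json):
    """Return (legal_hold, retain_until); legal_hold is None if not reported."""
    doc = json.loads(raw_json)
    if "lock" in doc:  # qq fs_file_get_attr --retrieve-file-lock
        lock = doc["lock"] or {}  # assumption: an unlocked file may report null
        hold, stamp = bool(lock.get("legal_hold")), lock.get("retention_period")
    elif "Retention" in doc:  # aws s3api get-object-retention
        hold, stamp = None, doc["Retention"].get("RetainUntilDate")
    else:
        raise ValueError("no lock information in output")
    return hold, parse_utc(stamp) if stamp else None


def is_protected(raw_json, now):
    """True while a legal hold is set or the retention date is still ahead."""
    hold, until = lock_state(raw_json)
    return hold is True or (until is not None and now < until)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, raw in (("qq", QQ_OUTPUT), ("s3api", S3API_OUTPUT)):
        print(name, lock_state(raw), "protected:", is_protected(raw, now))
```

A legal hold keeps the object protected even after the retention date has passed, which is why the check treats the two conditions independently.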