Indestructible Object Mode

Note

To enable indestructible object mode on the cluster, contact VAST Data Customer Success.

Indestructible object mode is an optional feature that can be enabled on the cluster to protect S3 data from deletion or modification for a configurable time period.

Once enabled globally on the cluster, the feature can be enabled per view. It is available only for views that have S3 enabled as a protocol, and it does not work concurrently with object versioning or object locking. It prevents S3 objects from being deleted, overwritten or modified, including modifications to object metadata. The protection applies to each object from its creation date until the end of a configurable retention period, which is a number of days between 1 and 400. After the retention period ends, the object is no longer affected in any way by indestructible object mode.

The configuration of indestructible object mode on each view is itself protected from modification. Changing the retention period or disabling the mode on a view cannot be done without unlocking the cluster's indestructibility mechanism. This is the same mechanism that locks the indestructibility feature for snapshots.

When indestructible object mode is enabled on a view, there are two conditions that must both be met before the view can be deleted: the cluster's indestructibility mechanism must be unlocked and the view must be empty of data.

Indestructible object mode is a VAST proprietary feature that is distinct from S3 object locking, which is based on the AWS S3 object locking feature. There are several differences between the two features.

Requirements and Limitations

  • The cluster must be running 5.3 as a minimum version.

  • An NTP server must be configured on the cluster.

  • The view must be enabled for S3 protocol only. Indestructible object mode cannot be enabled on multiprotocol views. There must be no other views on the same path or a subdirectory of the view path.

  • If other views overlap the view on which this feature is enabled, access to the bucket through those views, such as by mounting an overlapping view by NFS client, is blocked.

  • The following features cannot be enabled concurrently on the view: object versioning, WORM, object lock (which requires object versioning).  

  • Directories that contain views that have indestructible object mode enabled cannot be moved to the trash folder.

  • A snapshot cannot be restored on a view that is in indestructible object mode.

  • Indestructible object mode is not supported concurrently with asynchronous or synchronous replication or global access.

  • Indestructible object mode cannot be enabled on the view that points to the '/' path.

  • Indestructibility cannot be configured on the view used to store audit records.

Object Protection During the Retention Period

Indestructible object mode retains objects for a configurable retention time after object creation. The retention period is configured as a property of the view that applies to all objects in the bucket from the time each object is created. During its retention period, an object cannot be:

  • Deleted, including by a lifecycle rule. Once the retention period is over, a lifecycle rule can delete the object.

  • Overwritten

  • Renamed

  • Modified. This includes changes to all metadata, such as ACLs and object tags. Therefore, setting these after uploading an object is not allowed when indestructible object mode is enabled. It has to be done as part of the upload action.

While under indestructible object mode, objects can be copied to another bucket. Whether the copy is protected by indestructible object mode depends on the configuration of the destination bucket.

Bucket Level Actions Blocked When Indestructible Object Mode is Enabled

  • Deleting the bucket when it contains data.

  • Changing bucket owner.

  • Running bulk permission update on the view or creating a view under a path where a bulk permission update is running.

Actions that Require Indestructibility to be Unlocked

The following actions cannot be done without unlocking the cluster's indestructibility mechanism:

  • Disabling indestructibility mode on a view.

  • Changing the retention period for a view.

  • Deleting the bucket when empty. This is true regardless of whether the bucket is deleted from VMS or by S3 API request.

Differences Between Indestructible Object Mode and S3 Object Locking

| | S3 Object Locking | Indestructible Object Mode |
|---|---|---|
| Ability to change retention settings of objects already loaded to the bucket? | No, retention settings are set by the client during upload. (If not explicitly set, the view level retention configuration, if there is one, is applied.) | Yes, changing the retention mode on the view affects all objects in the bucket, with the expiration time of each object depending on creation date. |
| Requires object versioning? | Yes | No. Object versioning cannot be enabled on a view that has indestructible object mode enabled. |
| Retention period | Variable, controlled via VMS by the bucket owner or other grantees with a specific permission via identity/bucket policy. | Fixed retention period, controlled by VMS admins. |
| Can new versions of objects be uploaded? | Yes | No, and irrelevant because S3 object versioning cannot be enabled together with indestructible object mode. |
| Can delete or modify data seen by users when accessing the object? | Yes, objects can be deleted with delete markers. New versions of objects can be uploaded. | No, not during the retention period. |

Configuring Indestructible Object Mode on a View

Configuring Indestructible Object Mode on a View in VAST Web UI

When creating a new view with the VAST Web UI, if the feature is enabled on the cluster, you will find the Indestructible Object Mode section in the view creation dialog in the S3 section. There you can set the following:  

  • To enable the feature on the bucket, turn on Enable indestructible object mode with the slider provided.

  • To set the retention period to anything other than the default 8 days, enter the number of days in the Default Retention Period field. You can set any number of days from 1 to 400.

    Note

    You will not be able to change this retention period after view creation without first unlocking the cluster's indestructibility mechanism, which requires a secure authentication procedure. See Managing the Indestructibility Mechanism.

You can also use these settings when modifying a view, to change the configuration after it was enabled on a given view. However, they are disabled unless the cluster's indestructibility mechanism is unlocked. See Managing the Indestructibility Mechanism.

S3 Client User Experience and Requests

Indestructible object mode is transparent to the client user except in the sense that actions that are blocked by the feature are denied.

Users should be aware that any ACLs and object tags they want to set on an object must be set as part of the object upload action. After upload, these settings cannot be applied because they are modifications to the object metadata.

Users should also be aware that lifecycle rules do not cause objects to expire while they are retained by indestructible object mode.

Viewing Object Retention Information

A header, Retain-Until, is added to the response of the following object-related requests:

  • HeadObject

  • GetObject

  • ListObjects

  • ListObjectsV2

The header contains the date until which the object is protected by indestructible object mode. Some clients offer a way to display this header.

Modifying Object Retention Period by Client Request

The retention period for specific objects can be modified by the client through a proprietary S3 client request. The request type, extend-indestructible-object-retention-period, resets the creation time of the specified objects to the current time, so that the retention period for those objects starts again.

Granting Permission to Send IndestructibleObjectExtendRetentionPeriod Requests

The request requires permission for the IndestructibleObjectExtendRetentionPeriod action. You can grant users this permission through identity and bucket policies.

Request Syntax

The request body can specify up to 1000 objects to be modified.

PUT /<bucket_name>/?extend-indestructible-object-retention-period HTTP/1.1
Host: <vip>:<s3_port>
Content-Type: application/xml
Authorization: <authorization string>

<?xml version="1.0" encoding="UTF-8"?>
<IndestructibleObjectExtendRetentionPeriod xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <Object>
       <Key>string</Key>
    </Object>
    <Object>
       <Key>string</Key>
    </Object>
    ...
    <Object>
       <Key>string</Key>
    </Object>
</IndestructibleObjectExtendRetentionPeriod>

For example:

PUT /bucket1/?extend-indestructible-object-retention-period HTTP/1.1
Host: 171.21.121.1:9090
Content-Type: application/xml
Authorization: <authorization string>

<?xml version="1.0" encoding="UTF-8"?>
<IndestructibleObjectExtendRetentionPeriod xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <Object>
       <Key>object-name1</Key>
    </Object>
    <Object>
       <Key>object-name2</Key>
    </Object>
    ...
    <Object>
       <Key>object-nameN</Key>
    </Object>
</IndestructibleObjectExtendRetentionPeriod>

Request Content

Object

Contains the object reference and configuration.

Key

Specifies an object by its object key.
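
The following is an added example, not part of the original documentation or VAST's own code. It builds request bodies in the format shown under Request Syntax, splitting a long key list into batches of at most 1000 objects and escaping keys that contain XML special characters. The function names are hypothetical, and signing and sending the request (the Authorization header) are assumed to be handled by your S3 HTTP client.

```python
from itertools import islice
from xml.etree import ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"   # namespace shown on the page
QUERY = "extend-indestructible-object-retention-period"
MAX_OBJECTS = 1000                                   # per-request limit from the page


def request_target(bucket):
    """Path and query string for the PUT request line."""
    return f"/{bucket}/?{QUERY}"


def _check_key(key):
    # XML 1.0 cannot carry most control characters, even escaped, so a key
    # containing one would make the body ill-formed XML.
    if not key or any(ord(c) < 0x20 and c not in "\t\n\r" for c in key):
        raise ValueError(f"key cannot be sent in an XML body: {key!r}")
    return key


def build_bodies(keys, batch_size=MAX_OBJECTS):
    """Yield one UTF-8 XML body per batch of at most 1000 object keys."""
    if not 1 <= batch_size <= MAX_OBJECTS:
        raise ValueError("batch_size must be between 1 and 1000")
    it = iter(keys)
    while batch := list(islice(it, batch_size)):
        root = ET.Element("IndestructibleObjectExtendRetentionPeriod", xmlns=S3_NS)
        for key in batch:
            obj = ET.SubElement(root, "Object")
            # ElementTree escapes &, < and > in the key text on serialization.
            ET.SubElement(obj, "Key").text = _check_key(key)
        yield ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def parse_keys(body):
    """Read the keys back out of a body, e.g. to log exactly what was sent."""
    root = ET.fromstring(body)
    return [k.text for k in root.iter(f"{{{S3_NS}}}Key")]


if __name__ == "__main__":
    # Constructed sample keys; the second one needs XML escaping.
    sample = ["backups/2024-01-01.tar", "reports/q1 & q2 <final>.csv"]
    for body in build_bodies(sample):
        print("PUT", request_target("bucket1"))
        print(body.decode("utf-8"))
```

Because each request resets the retention clock for every key it lists, logging the output of parse_keys for each body gives a record of which objects had their protection extended.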