
MinIO | Immutability for MinIO

 2 years ago
source link: https://min.io/product/data-immutability-for-object-storage

Protecting data from deletion (accidental or intentional) is a key compliance component that touches
every industry. MinIO supports a complete range of functionality including object locking, retention, legal
holds, governance, and compliance. Object locking can be used in conjunction with MinIO versioning to
ensure data immutability and eliminate the risk of data tampering or destruction.

Object Retention

Object storage retention rules ensure that an object is WORM protected for some period of time. Object storage retention policy specifies retention periods set on an object version either explicitly or through a bucket default setting. A default lock configuration set at the bucket level applies to objects that are created subsequently, and does not apply retroactively to versions of objects created previously.

When the bucket default setting is used, a duration is set in either days or years that defines the length of time for which every object version placed in the bucket should be protected. A new object placed in the bucket inherits the protection duration as set for the bucket.

Retention periods may be set explicitly for an object version. Explicit retention periods specify a Retain Until Date for the object version. The Retain Until Date setting is stored in the object version's metadata and protects the object version until the retention period expires.

After the retention period expires, the object version can be deleted unless a legal hold was also placed on the object version.

Explicit retention mode settings override default bucket settings.

Retention periods can be extended easily by submitting a new lock request.

A retention period for objects and buckets can be set in one of two modes:

Governance Mode

Governance mode is used to protect objects from being deleted by standard users. Some users, however, will need to retain the permissions required to modify the retention settings or delete the objects. Those users will require special permissions such as the s3:BypassGovernanceRetention permission and DeleteObject permission.

Compliance Mode

Compliance mode is more restrictive and cannot be undone within the retention period. As a result, Compliance mode ensures that no one, including the root user, can delete an object during its retention period.

Legal Hold

Legal hold offers the same WORM protection as the retention period, but it has no expiration date. It is an indefinite hold that can only be removed by an authorized user.

Objects continue to be versioned while they have policies defined for retention or legal hold. A copy operation on a version of an object does not carry forward the retention and legal hold settings from the source bucket to the destination.
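The rules above combine into a single decision whenever someone tries to delete a locked object version. The following is an added example, not MinIO's code or taken from the original page: a small Python model of those rules. The names `Lock`, `lock_for_new_version`, `lock_after_copy` and `can_delete_version` are hypothetical, the permission check is reduced to the two permissions the page names, and applying the destination bucket's default to a copy is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

BYPASS = "s3:BypassGovernanceRetention"
DELETE = "s3:DeleteObject"  # the page refers to this as the DeleteObject permission

@dataclass(frozen=True)
class Lock:  # hypothetical model of the lock state kept in a version's metadata
    mode: Optional[str] = None              # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False

def lock_for_new_version(created, default=None, explicit=None):
    """Explicit retention wins; otherwise the bucket default (mode, days) applies."""
    if explicit is not None:
        return explicit
    if default is not None:
        mode, days = default
        return Lock(mode, created + timedelta(days=days))
    return Lock()

def lock_after_copy(source_lock, copied_at, dest_default=None):
    """The source's retention and legal hold are not carried forward to the copy.
    Assumption: the destination bucket's default, if any, applies instead."""
    return lock_for_new_version(copied_at, default=dest_default)

def can_delete_version(lock, now, perms):
    """Return (allowed, reason) for deleting one specific object version."""
    if DELETE not in perms:
        return False, "caller lacks delete permission"
    if lock.legal_hold:
        return False, "legal hold in place"
    if lock.mode is None or lock.retain_until is None or now >= lock.retain_until:
        return True, "no active retention"
    if lock.mode == "GOVERNANCE" and BYPASS in perms:
        return True, "governance retention bypassed"
    return False, f"{lock.mode} retention active until {lock.retain_until.isoformat()}"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample timeline
    gov = lock_for_new_version(t0, default=("GOVERNANCE", 30))
    comp = lock_for_new_version(t0, default=("GOVERNANCE", 30),
                                explicit=Lock("COMPLIANCE", t0 + timedelta(days=365)))
    admin = {DELETE, BYPASS}
    for name, lock, when in [("governance, day 10", gov, t0 + timedelta(days=10)),
                             ("compliance, day 10", comp, t0 + timedelta(days=10)),
                             ("compliance, day 400", comp, t0 + timedelta(days=400))]:
        print(name, can_delete_version(lock, when, admin))
```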

