Source:Configuring Si3 NG Deduplication Store with Object Lock: Difference between revisions

From SEPsesam
(modifying option definition for object lock retention time)
Revision as of 13:58, 29 November 2022

WORK IN PROGRESS
This is a draft document for the upcoming SEP sesam 5.1.0 Apollon release. Note that the article is in its initial stage and may be updated, replaced or deleted at any time. It is inappropriate to use this document as reference material, as it is a work in progress and should be treated as such.


Overview

When backing up your data to S3 (Amazon Simple Storage Solution) cloud storage, Wasabi cloud storage, or another S3-compatible cloud implementation, you can use the Object Lock function to protect your data from alteration or deletion. Object Lock is a data protection feature that lets you control the immutability of the backup objects. The retention period can be set for a fixed amount of time or indefinitely, and no one can change, delete or overwrite a backup object until its retention period has expired.

Immutable objects remain immutable until the end of their retention period. Two retention modes are available:

  • Compliance mode - the retention time of a protected file or object cannot be shortened by any user.
  • Governance mode - users with a special permission (for example, the root user) can reduce the retention period.

SEP sesam uses object retention in governance mode. In governance mode the SEP sesam backup user can add or extend the retention period on an object, but cannot shorten or remove it. If the retention period has been set incorrectly (for example, to 100 years), a user with the BypassGovernanceRetention right can change this setting.

S3 Object Lock works only in buckets with versioning enabled. A lock is placed on an individual object version; new object versions can still be created, and each version is locked according to the configured retention period.

S3 Object Lock also provides two ways of managing object retention that can be combined or used independently:

  • retention period - specifies a fixed period of time during which an object remains locked and cannot be overwritten or deleted.
  • legal hold - has no expiration date and remains in place until you explicitly remove it. Legal holds are independent of retention periods.

SEP sesam does not use the legal hold option. A legal hold can be placed on objects in the cloud storage management console.

Configuration of Si3 NG store with Object Lock

SEP sesam enables you to configure the Si3 NG data store with the Object Lock function enabled. For general information on Si3 NG data store configuration and prerequisites, see Configuring Si3 NG Deduplication Store. This section deals only with the information specific to configuring a Si3 NG data store that uses the Object Lock function.

Note
This procedure involves configuration steps that are performed in the cloud storage management console. These steps provide only the basic information; for more detailed explanations and instructions refer to the documentation of your cloud storage provider.

The configuration consists of the following steps:
  1. Create a policy
  2. Create a backup user
  3. Create a bucket
  4. Configure the Si3 NG deduplication store

For information on configuring media pools, backing up to S3 cloud storage, and purging data on S3 cloud storage, see Backup to S3 Cloud Storage.

Create a policy

A policy defines the user permissions for buckets in your cloud storage and can be assigned to a user, group, or role. Policies are in JSON format.

In your cloud storage management console create a policy <policy_name>, for example, Si3LockSesam. SEP sesam requires the policy settings as shown below. Edit the JSON policy statement accordingly.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectRetention",
                "s3:PutObjectRetention",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}
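The following is an added example (editor's code, not SEP sesam's or AWS's) that checks a policy document against the action list above before it is attached to the backup user: it reports required actions that are missing, flags grants such as s3:BypassGovernanceRetention that would let the backup user weaken governance-mode locks, and notes when object actions are granted on a wildcard Resource. The scoped_policy() variant, which limits bucket and object actions to one bucket ARN, is the editor's hardening suggestion rather than something the page requires; the bucket name and the split into bucket-level and object-level actions are assumptions to verify in your environment.

```python
"""Check an IAM policy JSON for the permissions SEP sesam needs on an Object Lock bucket.

Added example, not SEP sesam or AWS code. REQUIRED_ACTIONS mirrors the policy
statement shown above; the bucket ARN built by scoped_policy() is a constructed
placeholder and the bucket-level/object-level split is the editor's assumption.
"""
import json

# Actions granted by the SEP sesam policy above, treated here as the required set.
REQUIRED_ACTIONS = frozenset({
    "s3:PutObject", "s3:GetObject",
    "s3:GetObjectRetention", "s3:PutObjectRetention",
    "s3:ListBucketVersions", "s3:ListBucket", "s3:GetBucketVersioning",
    "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
    "s3:GetBucketObjectLockConfiguration", "s3:ListAllMyBuckets",
})

# Grants that would let the backup user weaken governance-mode locks. The page
# reserves BypassGovernanceRetention for correcting a wrong retention setting,
# so it does not belong in the backup user's own policy.
LOCK_WEAKENING_ACTIONS = frozenset({"s3:BypassGovernanceRetention", "s3:*", "*"})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def check_policy(policy):
    """Return missing required actions, risky grants, and whether any statement
    grants more than s3:ListAllMyBuckets on the wildcard Resource "*"."""
    allowed = set()
    wildcard = False
    for stmt in allow_statements(policy):
        actions = set(_as_list(stmt.get("Action", [])))
        allowed.update(actions)
        if "*" in _as_list(stmt.get("Resource", [])) and actions - {"s3:ListAllMyBuckets"}:
            wildcard = True
    return {
        "missing": sorted(REQUIRED_ACTIONS - allowed),
        "risky": sorted(allowed & LOCK_WEAKENING_ACTIONS),
        "wildcard_resource": wildcard,
    }


def check_policy_json(text):
    return check_policy(json.loads(text))


def scoped_policy(bucket):
    """Editor's hardened variant: the same actions, but bucket and object actions are
    limited to one bucket ARN. s3:ListAllMyBuckets is account-wide and keeps "*"."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    bucket_level = ["s3:ListBucket", "s3:ListBucketVersions",
                    "s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration"]
    object_level = ["s3:PutObject", "s3:GetObject", "s3:GetObjectRetention",
                    "s3:PutObjectRetention", "s3:DeleteObject",
                    "s3:GetObjectVersion", "s3:DeleteObjectVersion"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketLevel", "Effect": "Allow", "Action": bucket_level, "Resource": bucket_arn},
            {"Sid": "ObjectLevel", "Effect": "Allow", "Action": object_level, "Resource": f"{bucket_arn}/*"},
            {"Sid": "ListBuckets", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        ],
    }


# Constructed sample: the page's policy with s3:PutObjectRetention left out and
# s3:BypassGovernanceRetention added, to show what the checker reports.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectRetention",
               "s3:ListBucketVersions", "s3:ListBucket", "s3:GetBucketVersioning",
               "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
               "s3:GetBucketObjectLockConfiguration", "s3:ListAllMyBuckets",
               "s3:BypassGovernanceRetention"],
    "Resource": "*"
  }]
}"""

if __name__ == "__main__":
    print(check_policy_json(SAMPLE_POLICY_JSON))
    print(json.dumps(scoped_policy("si3sesamlock"), indent=2))
```

Run it against the exported policy JSON before attaching it; an empty "missing" list and an empty "risky" list are what you want for the backup user.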

Creating a policy on S3

  1. On S3, in the IAM Management Console, select Policies in the menu and then click Create policy.
  2. Switch to the JSON tab and insert the SEP sesam policy statement (above).
  3. Follow the wizard to complete the procedure. For more information see Creating IAM policies.

Creating a policy on Wasabi

  1. On Wasabi, in the Wasabi Management Console, select Policies in the menu and then click Create policy.
  2. Enter the <policy_name> and insert the SEP sesam policy statement (above).
  3. Complete the procedure. For more information see Creating a Policy.

Create a backup user

The backup user is used by SEP sesam to access the cloud storage bucket. In your cloud storage management console create a user <user_name>, for example, Si3Sesam. Select programmatic access and attach the SEP sesam policy statement to this user.

Follow the recommendation to use your root user credentials only to create your backup user.

Creating a backup user on S3

  1. On S3, in the IAM Management Console, select Users in the menu and then click Add users.
  2. Enter the <user_name> and select the option Access key - Programmatic access.
  3. In the Set permissions window, click Attach existing policy directly.
  4. Select the check-mark in front of your policy (Si3LockSesam) to attach it to the backup user.
  5. Follow the wizard to complete the procedure. For more information see IAM users.

Note
AWS access keys consist of an access key ID and a secret access key. Both keys are required to authenticate access. These credentials are also required to create a Si3 NG data store for S3.

The S3 credentials are stored encrypted (not in plain text) in the ini file.

For more information and procedures see the AWS Identity and Access Management documentation.

Creating a backup user on Wasabi

  1. On Wasabi, in the Wasabi Management Console, select Users in the menu and then click Create user.
  2. Enter the <user_name> and under Type of Access select the option Programmatic (create API key).
  3. In the Policies window, find and select your policy (Si3LockSesam) to attach it to the backup user.
  4. Complete the procedure. For more information see Creating a User.

Create a bucket

The term bucket is used to describe the container for backup data. To use the Object Lock function, the cloud storage bucket must have versioning enabled.

In your cloud storage management console create a bucket <bucket_name>, for example, si3sesamlock. Enable bucket versioning and Object Lock functions.

Note
Uppercase characters and special characters are not permitted in the bucket name. The bucket name must be DNS-compliant. For more information refer to Bucket naming rules.
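As an added example (editor's code, not SEP sesam's or a provider's), the check below validates a planned bucket against the note above before anything is created: the name is tested against the AWS S3 general-purpose bucket naming rules (3 to 63 characters, lowercase letters, digits, dots and hyphens, alphanumeric first and last character, no adjacent dots, not shaped like an IPv4 address), and the plan is rejected unless both bucket versioning and Object Lock are enabled. Wasabi applying the same DNS-style naming rules is the editor's understanding, not a statement from this page.

```python
"""Pre-flight check for an Object Lock bucket plan: DNS-compliant name, versioning and Object Lock on.

Added example, not SEP sesam or AWS code. The naming rules encoded here are the AWS S3
general-purpose bucket rules; confirm them against your provider's documentation.
"""
import re

# Lowercase letters, digits, '.' and '-'; first and last character must be a letter or digit.
_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def bucket_name_problems(name):
    """Return a list of naming-rule violations; an empty list means the name is acceptable."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if name != name.lower():
        problems.append("uppercase characters are not permitted")
    elif not _NAME_RE.fullmatch(name):
        problems.append("only lowercase letters, digits, '.' and '-' are allowed, "
                        "and the name must start and end with a letter or digit")
    if ".." in name:
        problems.append("adjacent periods are not allowed")
    if _IPV4_RE.fullmatch(name):
        problems.append("name must not look like an IP address")
    return problems


def bucket_plan_problems(name, versioning_enabled, object_lock_enabled):
    """Combine the naming check with the two bucket settings Object Lock depends on."""
    problems = [f"name: {p}" for p in bucket_name_problems(name)]
    if not versioning_enabled:
        problems.append("bucket versioning must be enabled (Object Lock requires it)")
    if not object_lock_enabled:
        problems.append("Object Lock must be enabled on the bucket")
    return problems


if __name__ == "__main__":
    # Constructed sample plans: the page's example name, and three names that break a rule.
    for plan in [("si3sesamlock", True, True), ("Si3SesamLock", True, True),
                 ("192.168.0.1", True, True), ("si3sesamlock", True, False)]:
        print(plan, "->", bucket_plan_problems(*plan) or "OK")
```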

Creating a bucket on S3

  1. On S3, in the S3 Management Console, select Buckets in the menu and then click Create bucket.
  2. Enter the <bucket_name>.
  3. In the Bucket Versioning section, enable Bucket Versioning.
  4. Expand the Advanced settings section and enable Object Lock.
  5. Complete the procedure. For more information see Creating a Bucket.

Creating a bucket on Wasabi

  1. On Wasabi, in the Wasabi Management Console, select Buckets in the menu and then click Create bucket.
  2. Enter the <bucket_name> and select the region (geographic location) where you want your bucket to reside.
  3. In the Set Properties window, enable Bucket Versioning and Object Locking.
  4. Complete the procedure. For more information see Creating a Bucket.

Configure the Si3 NG deduplication store with Object Lock

Configuring a Si3 NG deduplication store that uses S3 with the Object Lock function involves creating a new data store for your S3 bucket and setting the drive parameters and data store size properties. This section covers only the Object Lock-specific settings.

  1. In the Main selection -> Components, click Data Stores and then select New Data Store.
  2. From the Data Stores menu, select New Data Store. A New Data Store dialog appears.
  3. Configure the data store as required. For details refer to Configuring Si3 NG Deduplication Store.
  4. Right-click the newly created S3 data store and then click Properties.
  5. In the Storage Backend tab, select the option Enable Object lock and then enter the retention time in days in the Object lock retention time field.

Note
The Object lock retention time setting defines the Object Lock retention period in days. Si3 periodically extends the locks on objects and pages. Every version of objects and pages is preserved, and Si3 periodically removes versions older than the retention time.

Modifying retention period

The SEP sesam backup user can add or extend the retention period on an object. To extend the retention period, change the Object lock retention time setting in the Storage Backend tab. The retention period is then recalculated for all objects in the S3 bucket.

You can also shorten the Object lock retention time setting. In this case the new retention period applies immediately to new objects, while the retention period of existing objects is recalculated only once their previously set retention period becomes shorter than the new one.
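The following added example (editor's code, not SEP sesam's) models the two behaviours described in this section and in the Overview: governance mode lets the backup user extend a version's lock but not shorten it without the BypassGovernanceRetention right, and the periodic recalculation after the Object lock retention time setting changes. Raising the setting moves every lock forward; lowering it takes effect for new objects at once while existing locks keep their later date until the new period overtakes it. Only the lock dates are modelled; ObjectVersion, put_object_retention and recalculate_locks are the editor's names, and the sample versions and dates are constructed.

```python
"""Model of governance-mode retention and of raising or lowering the retention setting.

Added example, not SEP sesam code. It models only per-version retain-until dates:
the governance rule (extend freely, shorten only with bypass) and the periodic
recalculation the page describes. Names and sample data are the editor's.
"""
from dataclasses import dataclass
from datetime import date, timedelta


class GovernanceRetentionError(Exception):
    """Raised when a caller without bypass rights tries to shorten a governance lock."""


@dataclass
class ObjectVersion:
    key: str
    version_id: str
    retain_until: date


def put_object_retention(version, new_retain_until, bypass_governance=False):
    """Governance-mode PutObjectRetention: extending is always allowed, shortening
    needs the bypass permission (the s3:BypassGovernanceRetention rule)."""
    if new_retain_until < version.retain_until and not bypass_governance:
        raise GovernanceRetentionError(
            f"{version.key}@{version.version_id}: cannot shorten lock from "
            f"{version.retain_until} to {new_retain_until} without bypass")
    version.retain_until = new_retain_until
    return version.retain_until


def recalculate_locks(versions, today, retention_days):
    """Periodic lock extension with the current setting. A version's lock becomes
    today + retention_days when that is later than its current date; a later
    existing date is kept, so lowering the setting never shortens a lock in place.
    Returns the version ids whose lock was extended."""
    target = today + timedelta(days=retention_days)
    extended = []
    for v in versions:
        if target > v.retain_until:
            put_object_retention(v, target)
            extended.append(v.version_id)
    return extended


def lock_for_new_object(today, retention_days):
    """A newly written object is locked with the current setting immediately."""
    return today + timedelta(days=retention_days)


# Constructed sample: two versions locked under a 30-day setting on different days.
TODAY = date(2022, 11, 29)


def sample_versions():
    return [
        ObjectVersion("pages/000001", "v-a", date(2022, 12, 29)),  # written today
        ObjectVersion("pages/000002", "v-b", date(2022, 12, 5)),   # written 24 days ago
    ]


if __name__ == "__main__":
    raised = sample_versions()
    print("setting 30 -> 60 days, extended:", recalculate_locks(raised, TODAY, 60))
    print([(v.version_id, v.retain_until.isoformat()) for v in raised])

    lowered = sample_versions()
    print("setting 30 -> 10 days, extended:", recalculate_locks(lowered, TODAY, 10))
    print([(v.version_id, v.retain_until.isoformat()) for v in lowered])
    print("new object under 10-day setting locked until", lock_for_new_object(TODAY, 10))

    try:
        put_object_retention(lowered[0], lowered[1].retain_until)
    except GovernanceRetentionError as err:
        print("governance refused:", err)
```

With the setting raised to 60 days both sample versions move to 2023-01-28; with it lowered to 10 days only the older version (locked until 2022-12-05) is extended, to 2022-12-09, while the version locked until 2022-12-29 keeps that date until the rolling 10-day window passes it.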