Using S3 Object Lock with StorNext
S3 Object Lock is an S3 feature that allows objects to be stored using a write once, read many (WORM) model. Enabling Object Lock on a bucket can prevent objects from being deleted or overwritten, can be used to enforce retention periods, or can be used to meet regulatory compliance requirements.
S3 object versioning is enabled automatically when Object Lock is enabled. With S3 Versioning, multiple variants of the same object are maintained, and objects are not removed permanently when deleted.
If Object Lock is enabled for a bucket, objects can be protected for a fixed amount of time by configuring a bucket default retention period, or protected indefinitely with a legal hold. An object version can be deleted only after the retention period expires or the legal hold is removed.
StorNext is not aware of S3 Object Lock or S3 object versioning, and it has no visibility into the bucket-level configuration settings or object holds. The implications of using this feature with StorNext should be well understood before attempting to do so.
It is important to note that, because StorNext is unable to monitor or manage the retention of deleted objects, external monitoring and management procedures will be needed to prevent uncontrolled storage use.
StorNext Behavior with S3 Object Lock
- If you configure a default retention period for a bucket, then StorNext cannot store an object to the bucket.
- If you run the fsclean command on a bucket with Object Lock enabled, then the command completes successfully, but each affected object is tagged with a delete marker and remains in the bucket either indefinitely or, if configured externally to StorNext, until the retention period has expired or the legal hold is removed.
- Although you can find a deleted version of an object in the bucket, the fsclean processing removes the metadata needed for StorNext to reference the object, so it is not accessible or recoverable by Storage Manager.
- StorNext does not provide a means of removing an object tagged with a delete marker.
- The fsobjimport command only imports the current version of an object found in a bucket. It does not import a previous version of any object, or any object tagged with a delete marker.
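The external monitoring called for above, and the delete-marker behavior in this list, can be illustrated with a short report over the bucket's version listing. This is an added example, not StorNext or vendor code: the function names and sample keys are hypothetical, and it assumes the S3 ListObjectVersions response shape as returned by boto3. It also counts noncurrent versions in general, which goes slightly beyond the fsclean case described here.

```python
from collections import defaultdict


def summarize_versions(pages):
    """Summarise space held by versions that are no longer current.

    `pages` is an iterable of S3 ListObjectVersions responses (dicts with
    optional "Versions" and "DeleteMarkers" lists, as boto3 returns them).
    """
    current_bytes = 0
    noncurrent = defaultdict(int)   # key -> bytes held in noncurrent versions
    deleted = set()                 # keys whose latest entry is a delete marker
    for page in pages:
        for v in page.get("Versions", []):
            if v["IsLatest"]:
                current_bytes += v["Size"]
            else:
                noncurrent[v["Key"]] += v["Size"]
        for m in page.get("DeleteMarkers", []):
            if m["IsLatest"]:
                deleted.add(m["Key"])
    return {
        "current_bytes": current_bytes,
        "noncurrent_bytes": sum(noncurrent.values()),
        # Data still stored for keys that appear deleted in the bucket.
        "deleted_keys": {k: noncurrent.get(k, 0) for k in sorted(deleted)},
    }


def fetch_pages(bucket):
    """Yield live ListObjectVersions pages; needs boto3 and credentials."""
    import boto3  # imported lazily so the constructed sample runs offline
    paginator = boto3.client("s3").get_paginator("list_object_versions")
    yield from paginator.paginate(Bucket=bucket)


# Constructed sample (not real bucket contents), split over two pages.
SAMPLE_PAGES = [
    {"Versions": [
        {"Key": "archive/a.dat", "VersionId": "v1", "IsLatest": False, "Size": 1000},
        {"Key": "archive/b.dat", "VersionId": "v2", "IsLatest": True, "Size": 500},
        {"Key": "archive/b.dat", "VersionId": "v1", "IsLatest": False, "Size": 400}],
     "DeleteMarkers": [
        {"Key": "archive/a.dat", "VersionId": "dm1", "IsLatest": True}]},
    {"Versions": [
        {"Key": "archive/c.dat", "VersionId": "v1", "IsLatest": True, "Size": 200}]},
]

if __name__ == "__main__":
    print(summarize_versions(SAMPLE_PAGES))
```

Run on a schedule against `fetch_pages(bucket)`, a growing `noncurrent_bytes` or `deleted_keys` total shows space that StorNext no longer tracks but the bucket still holds.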