Capabilities
Prior to the 3.19.4 release, only COMPLIANCE mode was supported. Now, both COMPLIANCE and GOVERNANCE modes are supported for object retention. Two methods of object protection are offered.
- Retain Until Date – A date, after object upload, when objects are eligible to be deleted.
  - Prior to this date, the object version is under active retention and cannot be deleted or modified:
    - In COMPLIANCE mode, the restriction is absolute — no user, including administrators, can delete or modify the object before the retention date expires.
    - In GOVERNANCE mode, the object is protected, but authorized users with special permissions and the appropriate bypass header can override this protection to delete or modify the object before the retention date.
  - This fixed date can be extended further into the future, but:
    - Shortening the retention period is only possible in GOVERNANCE mode, with necessary permissions and the bypass mechanism.
    - In COMPLIANCE mode, the retention period cannot be shortened or removed.
- Legal Hold – Object versions protected under a legal hold cannot be deleted or modified while the legal hold is enabled. A legal hold enabled on an object version provides an indefinite protection that operates independent of any retention set by the retain until date protection. It can be added or removed at any time.
Objects written to a bucket that has Object Lock Configuration enabled can have both a Retain Until Date and a Legal Hold, only one of the two types, or neither protection configured.
Protection settings can be provided for an object during upload using specific object lock headers during the request. If no object lock headers are provided during upload, but the bucket has been configured with default retention settings, then the object will inherit the bucket default retention settings.
Alternatively, protection settings can be provided for the object version after it has been uploaded. It is possible to add or extend the Retain Until Date of the object and/or turn the legal hold ON or OFF on the object version.
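The retention and legal hold rules above can be modelled as a small decision function. This is an added example, not IBM code or part of the COS API: `VersionLock`, the function names, and the `bypass` flag (standing in for "special permissions plus the bypass header") are assumptions for illustration, as is treating a legal hold as unaffected by the governance bypass, which follows from the statement that it operates independent of retention.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class VersionLock:
    """Protection state of one object version (illustrative model)."""
    mode: Optional[str] = None               # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[datetime] = None  # Retain Until Date
    legal_hold: bool = False

def under_retention(v, now):
    return v.mode is not None and v.retain_until is not None and now < v.retain_until

def can_delete(v, now, bypass=False):
    """bypass=True: caller has the special permission AND sent the bypass header."""
    if v.legal_hold:                  # independent of retention; bypass does not apply
        return False
    if not under_retention(v, now):   # unprotected, or retention date has passed
        return True
    return v.mode == "GOVERNANCE" and bypass

def can_set_retain_until(v, new_date, now, bypass=False):
    """Extending is always allowed; shortening or removing (new_date=None) is not."""
    if not under_retention(v, now):
        return True
    if new_date is not None and new_date >= v.retain_until:
        return True
    return v.mode == "GOVERNANCE" and bypass

# Constructed sample: three versions of "ObjectFile.txt", evaluated at NOW.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
FUTURE = datetime(2026, 1, 1, tzinfo=timezone.utc)
VERSIONS = {
    "v1": VersionLock("COMPLIANCE", FUTURE),
    "v2": VersionLock("GOVERNANCE", FUTURE),
    "v3": VersionLock(legal_hold=True),   # no retention, legal hold only
}

def deletable(bypass):
    """Version ids that a delete request would be allowed to remove."""
    return sorted(k for k, v in VERSIONS.items() if can_delete(v, NOW, bypass))

if __name__ == "__main__":
    print("without bypass:", deletable(False))
    print("with bypass:   ", deletable(True))
```
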
Object Lock is built on top of the container versioning solution. When Object Lock protection is applied, it is applied to specific versions of the object. Thus, an object named “ObjectFile.txt” may have multiple versions. Each version of the object can be unprotected or have its own specific Object Lock protection applied.
Limitations & Incompatibilities
Incompatible Configurations
- Object Lock is NOT supported for Vault Mode buckets. (To utilize Object Lock on COS Systems running in Vault Mode, the administrator will need to enable Container Mode and create one or more Container Vaults in the system in which containers can be created and Object Lock utilized.)
- Object Lock is NOT supported for Mirrored bucket configurations.
- Object Lock and IBM Immutable Object Storage cannot be enabled at the same time on a bucket (though the system can have multiple buckets, each with one type of object protection enabled, cohabitated within the same Container Vault.)
Limitations
- Users must wait two minutes after enabling or changing the Object Lock configuration on a bucket for the policy changes for that bucket to take effect across the system.
- When the system has been fully upgraded to include software that contains the Object Lock feature, the sub-resource requests listed below will be properly interpreted by the system, even if the Object Lock feature is disabled on the system. Prior to the introduction of this feature, those sub-resources were not interpreted by the system. If this presents a problem for your workflows, contact IBM Customer Support prior to the upgrade.
  - GET bucket?object-lock
  - GET object?retention
  - GET object?legal-hold