Deployment
Users deploying or upgrading the IBM Cloud Object Storage System to use Object Lock must have all devices in the Storage System upgraded to version 3.17.2 or greater. This includes all Accesser Devices in all access pools, all Slicestor Devices in all storage pools, and the Manager. From version 3.17.2, retention supported only COMPLIANCE mode. To use GOVERNANCE mode as well, all devices must likewise be upgraded to version 3.19.4.
Once upgraded, the System Administrator can configure Object Lock on the system. Object Lock support enablement is tiered to allow System Administrators to customize deployment of this feature. The tiers of Object Lock support are:
- System
- Storage Pool
- Container Vault
- Container
The explanations below are stated in general terms. For specifics, refer to the IBM Manager Administration Guide and the IBM Manager REST API Developer Guide.
- System Object Lock Configuration, as performed by the System Administrator.
By default, Object Lock support is disabled on the system and no references to Object Lock are present on the Manager User Interface. System Administrators can choose to enable Object Lock at the System level under “Settings” on the Manager User Interface. Once enabled, more granular configuration is available on the Storage Pool Configuration page. When enabling the feature on the System, administrators are required to configure access log upload to the Management Vault. See the section below for more details.
- Storage Pool Object Lock Configuration, as performed by the System Administrator.
After Object Lock support has been enabled at the System level, the administrator can edit the Storage Pool Configuration page to enable feature support for that Storage Pool. During Object Lock enablement at the Storage Pool, users can optionally bulk enable feature support on specific Container Vaults within the storage pool from. Once enabled on the storage pool, the underlying Container Vault configuration pages for that Storage Pool allow users to enable feature support per Container Vault.
- Container Vault Object Lock Configuration, as performed by the System Administrator.
After Object Lock support has been enabled at the Storage Pool, users who are creating new Container Vaults or editing existing Container Vaults can choose to enable the Object Lock feature at that time. Note that the Container Vault configuration page should reflect the Object Lock support setting of the associated storage pool, and the user has the ability to change this setting for the selected Container Vault. After feature support is enabled on the Container Vault, end users can create buckets with Object Lock Configuration OR add Object Lock Configuration on existing Containers by means of the S3 API.
Important: Once Object Lock support has been enabled on the Container Vault, it cannot be disabled. Once Object Lock has been enabled on a single Container Vault in the system, the feature cannot be disabled at the Storage Pool and System configuration pages.
- Container Object Lock Configuration, as performed by system clients (Bucket Owners) looking to enable the feature on their individual containers.
For all of the enablement tiers above, enabling the feature only makes Object Lock support available; the feature is not yet actively in use. After all of the above configuration has been set, a client can create a new bucket with Object Lock Configuration enabled OR edit an existing bucket to add Object Lock Configuration. This can be done through the S3 API.
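
The following Python sketch is an added example, not IBM code or part of the original guide. It models the gating described in this section: a retention mode is usable only when every device meets that mode's minimum version, and a bucket can take an Object Lock Configuration only after System, Storage Pool and Container Vault support are all enabled. The device names, sample state and function names are hypothetical, and the XML body is assumed to follow the standard S3 `ObjectLockConfiguration` schema, so confirm specifics against the IBM guides referenced above.

```python
import xml.etree.ElementTree as ET

# Minimum release per retention mode, taken from the Deployment text above.
MIN_VERSION = {"COMPLIANCE": (3, 17, 2), "GOVERNANCE": (3, 19, 4)}
TIERS = ("system", "storage_pool", "container_vault")  # enablement order

# Constructed sample state (hypothetical device names): one Slicestor lags behind.
SAMPLE_DEVICES = {"manager": "3.19.4", "accesser-1": "3.19.4", "slicestor-1": "3.17.2"}
SAMPLE_TIERS = {"system": True, "storage_pool": True, "container_vault": True}

def parse_version(text):
    """'3.19.4' -> (3, 19, 4); numeric compare avoids '3.9' sorting above '3.17'."""
    return tuple(int(part) for part in text.split("."))

def usable_modes(devices):
    """Modes available only if every device meets that mode's minimum release."""
    oldest = min(parse_version(v) for v in devices.values())
    return {mode for mode, need in MIN_VERSION.items() if oldest >= need}

def blocking_tier(tiers):
    """First tier, top down, where Object Lock support is still disabled."""
    return next((t for t in TIERS if not tiers.get(t, False)), None)

def object_lock_body(mode, days, devices, tiers):
    """Return the bucket-level XML body, or raise if the deployment cannot honour it."""
    if mode not in MIN_VERSION:
        raise ValueError(f"unknown retention mode: {mode}")
    blocked = blocking_tier(tiers)
    if blocked:
        raise ValueError(f"Object Lock support not enabled at tier: {blocked}")
    if mode not in usable_modes(devices):
        need = ".".join(map(str, MIN_VERSION[mode]))
        raise ValueError(f"{mode} requires every device at {need} or later")
    if days < 1:
        raise ValueError("default retention must be at least 1 day")
    # Assumption: element names follow the standard S3 ObjectLockConfiguration schema.
    root = ET.Element("ObjectLockConfiguration")
    ET.SubElement(root, "ObjectLockEnabled").text = "Enabled"
    retention = ET.SubElement(ET.SubElement(root, "Rule"), "DefaultRetention")
    ET.SubElement(retention, "Mode").text = mode
    ET.SubElement(retention, "Days").text = str(days)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(sorted(usable_modes(SAMPLE_DEVICES)))
    print(object_lock_body("COMPLIANCE", 30, SAMPLE_DEVICES, SAMPLE_TIERS))
```

Because enablement on a Container Vault cannot be reversed, running a check like this against the real inventory before enabling the feature catches a lagging device or a missing tier while the decision can still be changed.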