Workflow
Refer to the IBM Cloud Storage Object API 2.5 Development Guide for additional specific API information for the scenarios discussed in this chapter.
Enable Object Lock on a bucket
Object Lock can be enabled on a bucket in two ways.
- Enable object lock during bucket creation.
- Enable object lock on an existing bucket.
After bucket creation, clients can enable Object Lock on the bucket by using the PUT bucket?object-lock request. When enabling Object Lock on an existing bucket, object versioning must be enabled before enabling Object Lock.
Once Object Lock is enabled on a bucket, it cannot be disabled.
Adding/Modifying Default Configuration on a bucket
After bucket creation, clients can add or modify Object Lock Configuration to an existing bucket. Now clients can choose to do one of the following:
- Enable Object Lock (if not done during bucket creation)
- Enable Object Lock and configure Object Lock Default Retention.
- Modify the existing Object Lock Default Retention on the bucket.
When a Default Retention is configured on the bucket, objects that are uploaded to the bucket have the default retention applied at the time of object write, unless the object write request includes retention or legal hold headers. If the Default Retention is not configured for a bucket with Object Lock enabled, object versions that are written without retention or legal hold headers cannot be protected. Any changes to the bucket Default Retention only impact object versions added after the change. Existing objects in the bucket will not be impacted by such changes.
The retention and legal hold headers are:
- x-amz-object-lock-mode
- x-amz-object-lock-retain-until-date
- x-amz-object-lock-legal-hold
Object Upload
Objects uploaded to an Object Lock enabled bucket can have the following protection states.
| Object Protection State | Related Headers for Object Upload | Notes |
| --- | --- | --- |
| Protected with Object specific Retention | x-amz-object-lock-retain-until-date, x-amz-object-lock-mode | |
| Protected with Legal Hold | x-amz-object-lock-legal-hold | |
| Protected with Retention and Legal Hold | x-amz-object-lock-retain-until-date, x-amz-object-lock-mode, x-amz-object-lock-legal-hold | |
| Protected with Bucket Default Retention | None | |
| Unprotected | None | |
Add/remove/modify Protection After Object Upload
Clients can choose to add or modify Protection on an object version by using the PUT object?retention or PUT object?legal-hold commands.
When using the PUT object?retention request, clients can update the retain until date of an object, provided the new date is later than the current time and later than the existing retain until date. However, if the object is in GOVERNANCE mode, and the requester has the BypassGovernanceRetention permission along with the x-amz-bypass-governance-retention: true header, the retain until date can also be shortened, or entirely removed.
Reading Object Lock Protection for Objects
When reading objects from an Object Lock Enabled Bucket, only bucket owners see object lock response headers.
Object Deletion
Object versions that are protected with either an Active Retention Period or an Active Legal Hold, or both, cannot be deleted. Object versions can only be deleted when the time of the delete request has exceeded the Retain Until Date for the object version and the Legal Hold has been removed from the object. However, if the object is in GOVERNANCE mode and Legal Hold is off, the object can be deleted even before the Retain Until Date when the requester has the necessary BypassGovernanceRetention permission and the x-amz-bypass-governance-retention: true header is included in the request. In all cases, deletion must reference the specific version of the object to be removed.
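The retention-change rules under "Add/remove/modify Protection After Object Upload" and the deletion rules above can be written as a small decision model, useful for reviewing who can actually shorten or remove protection. This is an added example, not IBM code: the class and function names are hypothetical, and COMPLIANCE (the other S3 Object Lock mode, not named on this page) is assumed to be non-bypassable.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class VersionLock:
    """Lock state of one object version (hypothetical model, not an SDK type)."""
    mode: Optional[str] = None               # x-amz-object-lock-mode
    retain_until: Optional[datetime] = None  # x-amz-object-lock-retain-until-date
    legal_hold: bool = False                 # x-amz-object-lock-legal-hold is ON


def _bypass(lock, has_permission, bypass_header):
    # Bypass needs GOVERNANCE mode, the BypassGovernanceRetention permission
    # and the x-amz-bypass-governance-retention: true header, all together.
    return lock.mode == "GOVERNANCE" and has_permission and bypass_header


def retention_active(lock, now):
    return lock.retain_until is not None and now <= lock.retain_until


def can_delete(lock, now, version_id, has_permission=False, bypass_header=False):
    if not version_id:      # deletion must reference the specific version
        return False
    if lock.legal_hold:     # the bypass only applies when legal hold is off
        return False
    if not retention_active(lock, now):
        return True
    return _bypass(lock, has_permission, bypass_header)


def can_set_retain_until(lock, now, new_date, has_permission=False,
                         bypass_header=False):
    """new_date=None models removing retention entirely."""
    extends = (new_date is not None and new_date > now
               and (lock.retain_until is None or new_date > lock.retain_until))
    return extends or _bypass(lock, has_permission, bypass_header)


if __name__ == "__main__":
    # Constructed sample: a GOVERNANCE version retained for another year.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    v = VersionLock("GOVERNANCE", datetime(2025, 1, 1, tzinfo=timezone.utc))
    print("plain delete allowed:", can_delete(v, now, "v1"))
    print("bypass delete allowed:", can_delete(v, now, "v1", True, True))
```

The model makes the audit point explicit: in GOVERNANCE mode, the BypassGovernanceRetention permission is the only thing standing between a principal and early deletion, so its grants are what to review.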