minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-07-30 07:03:26 +03:00
Code Activity

Docs Multiplatform Slice

Browse Source
This commit is contained in:
Ravind Kumar
2022-05-06 16:44:42 -04:00
parent df33ddee6a
commit b99c20a16f
134 changed files with 3689 additions and 2200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
source/administration/object-management/create-lifecycle-management-expiration-rule.rst Normal file
View File

@ -0,0 +1,112 @@
.. _minio-lifecycle-management-create-expiry-rule:
===========================
Automatic Object Expiration
===========================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
Each procedure on this page creates a new object lifecycle management rule that
expires objects on a MinIO bucket. This procedure supports use cases like
removing "old" objects after a certain time period or calendar date.
.. todo: diagram
Requirements
------------
Install and Configure ``mc``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
Install :mc:`mc` on a machine with network access to both source and destination
clusters. See the ``mc`` :ref:`Installation Quickstart <mc-install>` for
instructions on downloading and installing ``mc``.
Use the :mc:`mc alias` command to create an alias for the source MinIO cluster
and the destination S3-compatible service. Alias creation requires specifying an
access key for a user on the source and destination clusters. The specified
users must have :ref:`permissions
<minio-lifecycle-management-create-expiry-rule-permissions>` for configuring
and applying expiry operations.
.. _minio-lifecycle-management-create-expiry-rule-permissions:
Required Permissions
~~~~~~~~~~~~~~~~~~~~
MinIO requires the following permissions scoped to the bucket or buckets
for which you are creating lifecycle management rules.
- :policy-action:`s3:PutLifecycleConfiguration`
- :policy-action:`s3:GetLifecycleConfiguration`
MinIO also requires the following administrative permissions on the cluster
in which you are creating remote tiers for object transition lifecycle
management rules:
- :policy-action:`admin:SetTier`
- :policy-action:`admin:ListTier`
For example, the following policy provides permission for configuring object
transition lifecycle management rules on any bucket in the cluster:.
.. literalinclude:: /extra/examples/LifecycleManagementAdmin.json
:language: json
:class: copyable
Expire Objects after Number of Days
-----------------------------------
Use :mc-cmd:`mc ilm add` with :mc-cmd:`~mc ilm add --expiry-days` to
expire bucket contents a number of days after object creation:
.. code-block:: shell
:class: copyable
mc ilm add ALIAS/PATH --expiry-days "DAYS"
- Replace :mc-cmd:`ALIAS <mc ilm add ALIAS>` with the
:mc:`alias <mc alias>` of the S3-compatible host.
- Replace :mc-cmd:`PATH <mc ilm add ALIAS>` with the path to the bucket on the
S3-compatible host.
- Replace :mc-cmd:`DAYS <mc ilm add --expiry-days>` with the number of days after
which to expire the object. For example, specify ``30`` to expire the
object 30 days after creation.
Expire Versioned Objects
------------------------
Use :mc-cmd:`mc ilm add` to expiring noncurrent object versions and object
delete markers:
- To expire noncurrent object versions after a specific duration in days,
include :mc-cmd:`~mc ilm add --noncurrentversion-expiration-days`.
- To expire delete markers for objects with no remaining versions,
include :mc-cmd:`~mc ilm add --expired-object-delete-marker`.
.. code-block:: shell
:class: copyable
mc ilm add ALIAS/PATH \
--noncurrentversion-expiration-days NONCURRENT_DAYS \
--expired-object-delete-marker
- Replace :mc-cmd:`ALIAS <mc ilm add ALIAS>` with the
:mc:`alias <mc alias>` of the S3-compatible host.
- Replace :mc-cmd:`PATH <mc ilm add ALIAS>` with the path to the bucket on the
S3-compatible host.
- Replace :mc-cmd:`NONCURRENT_DAYS
<mc ilm add --noncurrentversion-expiration-days>` with the number of days after
which to expire noncurrent object versions. For example, specify ``30d`` to
expire a version after it has been noncurrent for at least 30 days.

144
source/administration/object-management/object-lifecycle-management.rst Normal file
View File

@ -0,0 +1,144 @@
.. _minio-lifecycle-management:
===========================
Object Lifecycle Management
===========================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 1
MinIO Object Lifecycle Management allows creating rules for time or date
based automatic transition or expiry of objects. For object transition,
MinIO automatically moves the object to a configured remote storage
tier. For object expiry, MinIO automatically deletes the object.
MinIO lifecycle management is built for behavior and syntax compatibility with
:s3-docs:`AWS S3 Lifecycle Management <object-lifecycle-mgmt.html>`. For
example, you can export S3 lifecycle management rules and import them into
MinIO or vice-versa. MinIO uses JSON to describe lifecycle management rules,
and conversion to or from XML may be required.
.. _minio-lifecycle-management-tiering:
Object Transition ("Tiering")
-----------------------------
MinIO supports creating object transition lifecycle management rules, where
MinIO can automatically move an object to a remote storage "tier". MinIO
supports any S3-compatible service as a remote tier *in addition to* the
following public cloud storage services:
- :ref:`Amazon S3 <minio-lifecycle-management-transition-to-s3>`
- :ref:`Google Cloud Storage <minio-lifecycle-management-transition-to-gcs>`
- :ref:`Microsoft Azure Blob Storage
<minio-lifecycle-management-transition-to-azure>`
MinIO object transition supports use cases like moving aged data from MinIO
clusters in private or public cloud infrastructure to low-cost private or public
cloud storage solutions. MinIO manages retrieving tiered objects on-the-fly
without any additional application-side logic.
Use the :mc-cmd:`mc admin tier` command to create a remote target for tiering
data to a supported Cloud Service Provider object storage. You can then use the
:mc-cmd:`mc ilm add --transition-days` command to transition objects to the
remote tier after a specified number of calendar days.
Exclusive Access to Remote Data
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-transition-bucket-access-desc
:end-before: end-transition-bucket-access-desc
Availability of Remote Data
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-transition-data-loss-desc
:end-before: end-transition-data-loss-desc
Versioned Buckets
~~~~~~~~~~~~~~~~~
MinIO adopts :s3-docs:`S3 behavior
<intro-lifecycle-rules.html#intro-lifecycle-rules-actions>` for transition rules
on :ref:`versioned buckets <minio-bucket-versioning>`. Specifically, MinIO by
default applies the transition operation to the *current* object version.
To transition noncurrent object versions, specify the
:mc-cmd:`~mc ilm add --noncurrentversion-transition-days` and
:mc-cmd:`~mc ilm add --noncurrentversion-transition-storage-class` options
when creating the transition rule.
.. _minio-lifecycle-management-expiration:
Object Expiration
-----------------
MinIO lifecycle management supports expiring objects on a bucket. Object
"expiration" involves performing a ``DELETE`` operation on the object. For
example, you can create a lifecycle management rule to expire any object
older than 365 days.
.. todo: Diagram of MinIO Expiration
Use :mc-cmd:`mc ilm add --expiry-days` to expire objects after a specified
number of calendar days.
For buckets with :ref:`replication <minio-bucket-replication>` configured, MinIO
does not replicate objects deleted by a lifecycle management expiration rule.
See :ref:`minio-replication-behavior-delete` for more information.
Versioned Buckets
~~~~~~~~~~~~~~~~~
MinIO adopts :s3-docs:`S3 behavior
<intro-lifecycle-rules.html#intro-lifecycle-rules-actions>` for expiration rules
on :ref:`versioned buckets <minio-bucket-versioning>`. MinIO has two
specific default behaviors for versioned buckets:
- MinIO applies the expiration option to only the *current* object version by
creating a ``DeleteMarker`` as is normal with versioned delete.
To expire noncurrent object versions, specify the
:mc-cmd:`~mc ilm add --noncurrentversion-expiration-days` option
when creating the expiration rule.
- MinIO does not expire ``DeleteMarkers`` *even if* no other versions of
that object exist.
To expire delete markers when there are no remaining versions for that
object, specify the :mc-cmd:`~mc ilm add --expired-object-delete-marker`
option when creating the expiration rule.
.. _minio-lifecycle-management-scanner:
Lifecycle Management Object Scanner
-----------------------------------
MinIO uses a built-in scanner to actively check objects against all
configured lifecycle management rules. The scanner is a low-priority process
that yields to high IO workloads to prevent performance spikes triggered
by rule timing. The scanner may therefore not detect an object as eligible
for a configured transition or expiration lifecycle rule until *after*
the lifecycle rule period has passed.
Delayed application of lifecycle management rules is typically associated to
limited node resources and cluster size. Scanner speed tends to slow as
clusters grow as more time is required to visit all buckets and objects.
This can be exacerbated if the cluster hardware is undersized for regular
workloads, as the scanner will yield to high cluster load to avoid performance
loss. Consider regularly checking cluster metrics, capacity, and resource
usage to ensure the cluster hardware is scaling alongside cluster and workload
growth.
.. toctree::
:hidden:
/administration/object-management/transition-objects-to-s3.rst
/administration/object-management/transition-objects-to-gcs.rst
/administration/object-management/transition-objects-to-azure.rst
/administration/object-management/create-lifecycle-management-expiration-rule.rst

433
source/administration/object-management/object-retention.rst Normal file
View File

@ -0,0 +1,433 @@
.. _minio-object-locking:
.. _minio-object-retention:
====================
MinIO Object Locking
====================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
Overview
--------
MinIO Object Locking ("Object Retention") enforces Write-Once Read-Many (WORM)
immutability to protect :ref:`versioned objects <minio-bucket-versioning>` from
deletion. MinIO supports both
:ref:`duration based object retention <minio-object-locking-retention-modes>`
and
:ref:`indefinite Legal Hold retention <minio-object-locking-legalhold>`.
MinIO Object Locking provides key data retention compliance and meets
SEC17a-4(f), FINRA 4511(C), and CFTC 1.31(c)-(d) requirements as per
`Cohasset Associates <https://min.io/cohasset?ref-docs>`__.
.. card-carousel:: 1
.. card:: Bucket Without Locking
.. image:: /images/retention/minio-versioning-delete-object.svg
:alt: Deleting an Object
:align: center
:width: 600px
MinIO versioning preserves the full history of object mutations.
However, applications can explicitly delete specific object versions.
.. card:: Bucket With Locking
.. image:: /images/retention/minio-object-locking.svg
:alt: 30 Day Locked Objects
:align: center
:width: 600px
Applying a default 30 Day WORM lock to objects in the bucket ensures
a minimum period of retention and protection for all object versions.
.. card:: Delete Operations in Locked Bucket
.. image:: /images/retention/minio-object-locking-delete.svg
:alt: Delete Operation in Locked Bucket
:align: center
:width: 600px
Delete operations follow normal behavior in
:ref:`versioned buckets <minio-bucket-versioning-delete>`, where MinIO
creates a ``DeleteMarker`` for the object. However, non-Delete Marker
versions of the object remain under the retention rules and are protected
from any specific deletion or overwrite attempts.
.. card:: Versioned Delete Operations in Locked Bucket
.. image:: /images/retention/minio-object-locking-delete-version.svg
:alt: Versioned Delete Operation in a Locked Bucket
:align: center
:width: 600px
MinIO blocks any attempt to delete a specific object version held under
WORM lock. The earliest possible time after which a client may delete
the version is when the lock expires.
MinIO object locking is
:s3-docs:`feature and API compatible with AWS S3 <object-lock.html>`.
This page summarizes Object Locking / Retention concepts as implemented by
MinIO. See the AWS S3 documentation on
:s3-docs:`How S3 Object Lock works <object-lock.html>` for additional
resources.
You can only enable object locking during bucket creation as per
:s3-docs:`S3 behavior <object-lock-overview.html#object-lock-bucket-config>`.
You cannot enable object locking on a bucket created without locking
enabled. You can then configure object retention rules at any time.
Object locking requires :ref:`versioning <minio-bucket-versioning>` and
enables the feature implicitly.
.. _minio-bucket-locking-interactions-versioning:
Interaction with Versioning
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Objects held under WORM locked are immutable until the lock expires or is
explicitly lifted. Locking is per-object version, where each version is
independently immutable.
If an application performs an unversioned delete operation on a locked object,
the operation produces a :ref:`delete marker <minio-bucket-versioning-delete>`.
Attempts to explicitly delete any WORM-locked object fail with an error.
Delete Markers are *not* eligible for protection under WORM locking.
See the S3 documentation on
:s3-docs:`Managing delete markers and object lifecycles
<object-lock-managing.html#object-lock-managing-lifecycle>` for more
information.
For example, consider the following bucket with
:ref:`minio-object-locking-governance` locking enabled by default:
.. code-block:: shell
$ mc ls --versions play/locking-guide
[DATETIME] 29B 62429eb1-9cb7-4dc5-b507-9cc23d0cc691 v3 PUT data.csv
[DATETIME] 32B 78b3105a-02a1-4763-8054-e66add087710 v2 PUT data.csv
[DATETIME] 23B c6b581ca-2883-41e2-9905-0a1867b535b8 v1 PUT data.csv
Attempting to perform a delete on a *specific version* of ``data.csv`` fails
due to the object locking settings:
.. code-block:: shell
$ mc rm --version-id 62429eb1-9cb7-4dc5-b507-9cc23d0cc691 play/data.csv
Removing `play/locking-guide/data.csv` (versionId=62429eb1-9cb7-4dc5-b507-9cc23d0cc691).
mc: <ERROR> Failed to remove `play/locking-guide/data.csv`.
Object, 'data.csv (Version ID=62429eb1-9cb7-4dc5-b507-9cc23d0cc691)' is
WORM protected and cannot be overwritten
Attempting to perform an unversioned delete on ``data.csv`` succeeds and creates
a new ``DeleteMarker`` for the object:
.. code-block:: shell
$ mc rm play/locking-guide/data.csv
[DATETIME] 0B acce329f-ad32-46d9-8649-5fe8bf4ec6e0 v4 DEL data.csv
[DATETIME] 29B 62429eb1-9cb7-4dc5-b507-9cc23d0cc691 v3 PUT data.csv
[DATETIME] 32B 78b3105a-02a1-4763-8054-e66add087710 v2 PUT data.csv
[DATETIME] 23B c6b581ca-2883-41e2-9905-0a1867b535b8 v1 PUT data.csv
Interaction with Lifecycle Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO :ref:`object expiration <minio-lifecycle-management-expiration>`
respects any active object lock and retention settings for objects covered by
the expiration rule.
- For expiration rules operating on only the *current* object version,
MinIO creates a Delete Marker for the locked object.
- For expiration rules operating on *non-current object versions*,
MinIO can only expire the non-current versions *after* the retention period
has passed *or* has been explicitly lifted (e.g. Legal Holds).
For example, consider the following bucket with
:ref:`minio-object-locking-governance` locking enabled by default for 45 days:
.. code-block:: shell
$ mc ls --versions play/locking-guide
[7D] 29B 62429eb1-9cb7-4dc5-b507-9cc23d0cc691 v3 PUT data.csv
[30D] 32B 78b3105a-02a1-4763-8054-e66add087710 v2 PUT data.csv
[60D] 23B c6b581ca-2883-41e2-9905-0a1867b535b8 v1 PUT data.csv
Creating an expiration rule for *current* objects older than 7 days results in
a Delete Marker for the object:
.. code-block:: shell
$ mc ls --versions play/locking-guide
[0D] 0B acce329f-ad32-46d9-8649-5fe8bf4ec6e0 v4 DEL data.csv
[7D] 29B 62429eb1-9cb7-4dc5-b507-9cc23d0cc691 v3 PUT data.csv
[30D] 32B 78b3105a-02a1-4763-8054-e66add087710 v2 PUT data.csv
[60D] 23B c6b581ca-2883-41e2-9905-0a1867b535b8 v1 PUT data.csv
However, an expiration rule for *non-current* objects older than 7 days would
only take effect *after* the configured WORM lock expires. Since the bucket
has a 45 day ``GOVERNANCE`` retention set, only the ``v1`` version of
``data.csv`` is unlocked and therefore eligible for deletion.
Tutorials
---------
Create Bucket with Object Locking Enabled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You must enable object locking during bucket creation as per S3 behavior.
You can create a bucket with object locking enabled using the MinIO Console,
the MinIO :mc:`mc` CLI, or using an S3-compatible SDK.
.. tab-set::
.. tab-item:: MinIO Console
:sync: console
Select the :guilabel:`Buckets` section of the MinIO Console to access
bucket creation and management functions. Select the bucket row from the
list of buckets. You can use the :octicon:`search` :guilabel:`Search` bar
to filter the list.
.. image:: /images/minio-console/console-bucket.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
Click the :guilabel:`Create Bucket` button to open the bucket creation
modal. Toggle the :guilabel:`Object Locking` selector to enable object
locking on the bucket.
.. image:: /images/minio-console/console-bucket-create-bucket-with-locking.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
.. tab-item:: MinIO CLI
:sync: cli
Use the :mc-cmd:`mc mb` command with the :mc-cmd:`~mc mb --with-lock`
option to create a bucket with object locking enabled:
.. code-block:: shell
:class: copyable
mc mb --with-lock ALIAS/BUCKET
- Replace ``ALIAS`` with the :mc:`alias <mc alias>` of a configured
MinIO deployment.
- Replace ``BUCKET`` with the
:mc:`name <mc version ALIAS>` of the bucket to create.
Configure Bucket-Default Object Retention
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can configure object locking rules ("object retention") using the
MinIO Console, the MinIO :mc:`mc` CLI, or using an S3-compatible SDK.
MinIO supports setting both bucket-default *and* per-object retention rules.
The following examples set bucket-default retention. For per-object retention
settings, defer to the documentation for the ``PUT`` operation used by your
preferred SDK.
.. tab-set::
.. tab-item:: MinIO Console
:sync: console
Select the :guilabel:`Buckets` section of the MinIO Console to access bucket creation and management functions. You can use the :octicon:`search` :guilabel:`Search` bar to filter the list.
.. image:: /images/minio-console/console-bucket.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
Each bucket row has a :guilabel:`Manage` button that opens the management view for that bucket.
.. image:: /images/minio-console/console-bucket-manage.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
From the :guilabel:`Retention` section, select :guilabel:`Enabled`.
This section is only visible for buckets created with object locking enabled.
From the :guilabel:`Set Retention Configuration` modal, set the desired bucket default retention settings.
- For :guilabel:`Retention Mode`, select either :ref:`COMPLIANCE <minio-object-locking-compliance>` or :ref:`GOVERNANCE <minio-object-locking-governance>`.
- For :guilabel:`Duration`, select the retention duration units of :guilabel:`Days` or :guilabel:`Years`.
- For :guilabel:`Retention Validity`, set the duration of time for which MinIO holds objects under the specified retention mode for the bucket.
.. tab-item:: MinIO CLI
:sync: cli
Use the :mc-cmd:`mc retention set` command with the
:mc-cmd:`--recursive <mc retention set --recursive>` and
:mc-cmd:`--default <mc retention set --default>` options to set the
default retention mode for a bucket:
.. code-block:: shell
:class: copyable
mc retention set --recursive --default MODE DURATION ALIAS/BUCKET
- Replace :mc-cmd:`MODE <mc retention set MODE>` with either either
:ref:`COMPLIANCE <minio-object-locking-compliance>` or
:ref:`GOVERNANCE <minio-object-locking-governance>`.
- Replace :mc-cmd:`DURATION <mc retention set VALIDITY>` with the
duration for which the object lock remains in effect.
- Replace :mc-cmd:`ALIAS <mc retention set ALIAS>` with the
:mc:`alias <mc alias>` of a configured MinIO deployment.
- Replace :mc-cmd:`BUCKET <mc retention set ALIAS>` with the
name of the bucket on which to set the default retention rule.
Enable Legal Hold Retention
~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can enable or disable indefinite Legal Hold retention for an object using the MinIO Console, the MinIO :mc:`mc` CLI, or using an S3-compatible SDK.
You can place a legal hold on an object already held under a :ref:`COMPLIANCE <minio-object-locking-compliance>` or :ref:`GOVERNANCE <minio-object-locking-governance>` lock.
The object remains WORM locked under the legal hold even when the retention lock expires.
You or another user with the necessary permissions must explicitly lift the legal hold to remove the WORM lock.
.. tab-set::
.. tab-item:: MinIO Console
:sync: console
Select the :guilabel:`Buckets` section of the MinIO Console to access bucket creation and management functions.
You can use the :octicon:`search` :guilabel:`Search` bar to filter the list.
.. image:: /images/minio-console/console-bucket.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
Each bucket row has a :guilabel:`Manage` button that opens the management view for that bucket.
.. image:: /images/minio-console/console-object-browser.png
:width: 600px
:alt: MinIO Console Bucket Object Browser
:align: center
Browse to the object and select it to open the object details view.
Select the :guilabel:`Legal Hold` button to toggle the Legal Hold status of the object.
.. tab-item:: MinIO CLI
:sync: cli
Use the :guilabel:`mc legalhold set` command to toggle the legal hold status on an object.
.. code-block:: shell
:class: copyable
mc legalhold set ALIAS/PATH
- Replace :mc-cmd:`ALIAS <mc legalhold set ALIAS>` with the
:mc:`alias <mc alias>` of a configured MinIO deployment.
- Replace :mc-cmd:`PATH <mc legalhold set ALIAS>` with the
path to the object for which to enable the legal hold.
.. _minio-object-locking-retention-modes:
Object Retention Modes
----------------------
MinIO implements the following
:s3-docs:`S3 Object Locking Modes <object-lock-overview.html>`:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Mode
- Summary
* - :ref:`minio-object-locking-governance`
- Prevents any operation that would mutate or modify the object or its
locking settings by non-privileged users.
Users with the :policy-action:`s3:BypassGovernanceRetention` permission
on the bucket or object can modify the object or its locking settings.
MinIO lifts the lock automatically after the configured retention rule
duration has passed.
* - :ref:`minio-object-locking-compliance`
- Prevents any operation that would mutate or modify the object or its
locking settings.
No MinIO user can modify the object or its settings, including the
:ref:`MinIO root <minio-users-root>` user.
MinIO lifts the lock automatically after the configured retention rule
duration has passed.
.. _minio-object-locking-governance:
GOVERNANCE Mode
~~~~~~~~~~~~~~~
An object under ``GOVERNANCE`` lock is protected from write operations by
non-privileged users.
``GOVERNANCE`` locked objects enforce managed-immutability for locked objects,
where users with the :policy-action:`s3:BypassGovernanceRetention` action can
modify the locked object, change the retention duration, or lift the lock
entirely. Bypassing ``GOVERNANCE`` retention also requires setting the
``x-amz-bypass-governance-retention:true`` header as part of the request.
The MinIO ``GOVERNANCE`` lock is functionally identical to the
:s3-docs:`S3 GOVERNANCE mode
<object-lock-overview.html#object-lock-retention-modes>`.
.. _minio-object-locking-compliance:
COMPLIANCE Mode
~~~~~~~~~~~~~~~
An object under ``COMPLIANCE`` lock is protected from write operations by *all*
users, including the :ref:`MinIO root <minio-users-root>` user.
``COMPLIANCE`` locked objects enforce complete immutability for locked objects.
You cannot change or remove the lock before the configured retention
duration has passed.
The MinIO ``COMPLIANCE`` lock is functionally identical to the
:s3-docs:`S3 GOVERNANCE mode
<object-lock-overview.html#object-lock-retention-modes>`.
.. _minio-object-locking-legalhold:
Legal Hold
----------
An object under Legal Hold is protected from write operations by *all*
users, including the :ref:`MinIO root <minio-users-root>` user.
Legal Holds are indefinite and enforce complete immutability for locked objects.
Only privileged users with the :policy-action:`s3:PutObjectLegalHold` permission can set or lift the Legal Hold.
Legal holds are complementary to both :ref:`minio-object-locking-governance` and :ref:`minio-object-locking-compliance` retention settings.
An object held under both legal hold *and* a ``GOVERNANCE/COMPLIANCE`` retention rule remains WORM locked until the legal hold is lifted *and* the rule expires.
For ``GOVERNANCE`` locked objects, the legal hold prevents mutating the object *even if* the user has the necessary privileges to bypass retention.

306
source/administration/object-management/object-versioning.rst Normal file
View File

@ -0,0 +1,306 @@
.. _minio-bucket-versioning:
=================
Bucket Versioning
=================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
Overview
--------
MinIO supports keeping multiple "versions" of an object in a single bucket.
Write operations which would normally overwrite an existing object instead
result in the creation of a new versioned object. MinIO versioning protects from
unintended overwrites and deletions while providing support for "undoing" a
write operation. Bucket versioning is a prerequisite for configuring
:ref:`object locking and retention rules <minio-object-locking>`.
For versioned buckets, any write operation that mutates an object results in a
new version of that object with a unique version ID. MinIO marks the "latest"
version of the object that clients retrieve by default. Clients can then
explicitly choose to list, retrieve, or remove a specific object version.
.. card-carousel:: 1
.. card:: Object with Single Version
.. image:: /images/retention/minio-versioning-single-version.svg
:alt: Object with single version
:align: center
MinIO adds a unique version ID to each object as part of write operations.
.. card:: Object with Multiple Versions
.. image:: /images/retention/minio-versioning-multiple-versions.svg
:alt: Object with Multiple Versions
:align: center
MinIO retains all versions of an object and marks the most recent
version as the "latest".
.. card:: Retrieving the Latest Object Version
.. image:: /images/retention/minio-versioning-retrieve-latest-version.svg
:alt: Object with Multiple Versions
:align: center
.. card:: Retrieving a Specific Object Version
.. image:: /images/retention/minio-versioning-retrieve-single-version.svg
:alt: Object with Multiple Versions
:align: center
:ref:`Deleting <minio-bucket-versioning-delete>` an object results in a special
``DeleteMarker`` tombstone that marks an object as deleted while retaining
all previous versions of that object.
Versioning is Per-Namespace
~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO uses the full namespace (the bucket and path to an object) for each object
as part of determining object uniqueness. For example, all of the following
namespaces are "unique" objects, where mutations of each object result in
the creation of new object versions *at that namespace*:
.. code-block:: shell
databucket/object.blob
databucket/blobs/object.blob
blobbucket/object.blob
blobbucket/blobs/object.blob
While ``object.blob`` might be the same binary across all namespaces,
MinIO only enforces versioning with a specific namespace and therefore
considers each ``object.blob`` above as distinct and unique.
Versioning and Storage Capacity
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO does not perform incremental or differential-type versioning. For
mutation-heavy workloads, this may result in substantial disk usage by
older or aged object versions.
For example, consider a 1GB object containing log data. An application
appends 100MB of data to the log and uploads to MinIO. MinIO would then contain
both the 1GB and 1.1GB versions of the object. If the application repeated
this process every day for 10 days, the bucket would eventually contain more
than 14GB of data associated to a single object.
MinIO supports configuring configuring :ref:`object lifecycle management rules
<minio-lifecycle-management>` to automatically expire or transition aged
object versions and free up storage capacity. For example, you can configure
a rule to automatically expire object versions 90 days after they become
non-current (i.e. no longer the "latest" version of that object). See
:ref:`MinIO Object Expiration <minio-lifecycle-management-expiration>` for
more information.
You can alternatively perform manual removal of object versions using the
following commands:
- :mc-cmd:`mc rm --versions` - Removes all versions of an object.
- :mc-cmd:`mc rm --versions --older-than <mc rm --older-than>` -
Removes all versions of an object older than the specified calendar date.
.. _minio-bucket-versioning-id:
Version ID Generation
~~~~~~~~~~~~~~~~~~~~~
MinIO generates a unique and immutable identifier for each versioned object as
part of write operations. Each object version ID consists of a 128-bit
fixed-size :rfc:`UUIDv4 <4122#section-4.4>`. UUID generation is sufficiently
random to ensure high likelihood of uniqueness for any environment, are
computationally difficult to guess, and do not require centralized registration
process and authority to guarantee uniqueness.
.. image:: /images/retention/minio-versioning-multiple-versions.svg
:alt: Object with Multiple Versions
:width: 600px
:align: center
MinIO does not support client-managed version ID allocation. All version ID
generation is handled by the MinIO server process.
For objects created while versioning is disabled or suspended, MinIO
uses a ``null`` version ID. You can access or remove these objects by specifying
``null`` as the version ID as part of S3 operations.
.. _minio-bucket-versioning-delete:
Versioned Delete Operations
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Performing a ``DELETE`` operation on a versioned object creates a
0-byte ``DeleteMarker`` as the latest version of that object. Clients performing
``GET`` operations on that object do not return any results, as MinIO does not
return the ``DeleteMarker`` back as part of the response. Similarly, performing
a ``LIST`` operation by default returns only objects which are *not* a
``DeleteMarker``.
To permanently delete an object version, perform the ``DELETE`` operation and
specify the version ID of the object to delete. Versioned delete operations
are **irreversible**.
.. card-carousel:: 1
.. card:: Deleting an Object
.. image:: /images/retention/minio-versioning-delete-object.svg
:alt: Deleting an Object
:align: center
Performing a ``DELETE`` operation on a versioned object produces a
``DeleteMarker`` for that object.
.. card:: Reading a Deleted Object
.. image:: /images/retention/minio-versioning-retrieve-deleted-object.svg
:alt: Object with Multiple Versions
:align: center
Clients by default retrieve the "latest" object version. MinIO returns
a ``404``-like response if the latest version is a ``DeleteMarker``.
.. card:: Retrieve Previous Version of Deleted Object
.. image:: /images/retention/minio-versioning-retrieve-version-before-delete.svg
:alt: Retrieve Version of Deleted Object
:align: center
Clients can retrieve any previous version of the object by specifying the
version ID, even if the "Latest" version is a ``DeleteMarker``.
.. card:: Delete a Specific Object Version
.. image:: /images/retention/minio-versioning-delete-specific-version.svg
:alt: Retrieve Version of Deleted Object
:align: center
Clients can delete a specific object version by specifying the version ID
as part of the ``DELETE`` operation. Deleting a specific version is
**permanent** and does not result in the creation of a ``DeleteMarker``.
The following :mc:`mc` commands operate on ``DeleteMarkers`` or versioned
objects:
- Use :mc-cmd:`mc ls --versions` to view all versions of an object,
including delete markers.
- Use :mc-cmd:`mc cp --version-id=UUID ... <mc cp --version-id>` to
retrieve the version of the "deleted" object with matching ``UUID``.
- Use :mc-cmd:`mc rm --version-id=UUID ... <mc rm --version-id>` to delete
the version of the object with matching ``UUID``.
- Use :mc-cmd:`mc rm --versions` to delete *all* versions of an object.
Tutorials
---------
Enable Bucket Versioning
~~~~~~~~~~~~~~~~~~~~~~~~
You can enable versioning using the MinIO Console, the MinIO :mc:`mc` CLI, or
using an S3-compatible SDK. Versioning is a bucket-scoped feature. You cannot
enable versioning on only a prefix or subset of objects in a bucket.
.. tab-set::
.. tab-item:: MinIO Console
Select the :guilabel:`Buckets` section of the MinIO Console to access bucket creation and management functions. You can use the :octicon:`search` :guilabel:`Search` bar to filter the list.
.. image:: /images/minio-console/console-bucket.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
Each bucket row has a :guilabel:`Manage` button that opens the management view for that bucket.
.. image:: /images/minio-console/console-bucket-manage.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
Toggle the :guilabel:`Versioning` field to enable versioning on the bucket.
The MinIO Console also supports enabling versioning as part of bucket
creation. See :ref:`minio-console-admin-buckets` for more information on
bucket management using the MinIO Console.
.. tab-item:: MinIO CLI
Use the :mc-cmd:`mc version enable` command to enable versioning on an
existing bucket:
.. code-block:: shell
:class: copyable
mc version ALIAS/BUCKET
- Replace ``ALIAS`` with the :mc:`alias <mc alias>` of a configured
MinIO deployment.
- Replace ``BUCKET`` with the
:mc:`target bucket <mc version ALIAS>` on which to enable
versioning.
Objects created prior to enabling versioning have a
``null`` :ref:`version ID <minio-bucket-versioning-id>`.
Suspend Bucket Versioning
~~~~~~~~~~~~~~~~~~~~~~~~~
You can suspend bucket versioning at any time using the MinIO Console, the
MinIO :mc:`mc` CLI, or using an S3-compatible SDK.
.. tab-set::
.. tab-item:: MinIO Console
Select the :guilabel:`Buckets` section of the MinIO Console to access bucket creation and management functions. You can use the :octicon:`search` :guilabel:`Search` bar to filter the list.
.. image:: /images/minio-console/console-bucket.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
Each bucket row has a :guilabel:`Manage` button that opens the management view for that bucket.
.. image:: /images/minio-console/console-bucket-manage.png
:width: 600px
:alt: MinIO Console Bucket Management
:align: center
Select the :guilabel:`Versioning` field and follow the instructions to suspend versioning in the bucket.
See :ref:`minio-console-admin-buckets` for more information on bucket
management using the MinIO Console.
.. tab-item:: MinIO CLI
Use the :mc-cmd:`mc version suspend` command to enable versioning on an
existing bucket:
.. code-block:: shell
:class: copyable
mc version suspend ALIAS/BUCKET
- Replace ``ALIAS`` with the :mc:`alias <mc alias>` of a configured
MinIO deployment.
- Replace ``BUCKET`` with the
:mc:`target bucket <mc version ALIAS>` on which to disable
versioning.
Objects created while versioning is suspended are assigned a ``null`` :ref:`version ID <minio-bucket-versioning-id>`.
Any mutations to an object while versioning is suspended result in overwriting that ``null`` versioned object.
MinIO does not remove or otherwise alter existing versioned objects as part of suspending versioning.
Clients can continue interacting with any existing object versions in the bucket.

213
source/administration/object-management/transition-objects-to-azure.rst Normal file
View File

@ -0,0 +1,213 @@
.. _minio-lifecycle-management-transition-to-azure:
======================================
Transition Objects from MinIO to Azure
======================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
The procedure on this page creates a new object lifecycle management rule that
transition objects from a MinIO bucket to a remote storage tier on the
:abbr:`Azure (Microsoft Azure)` storage backend. This procedure supports use
cases like moving aged data to low-cost public cloud storage solutions after a
certain time period or calendar date.
.. todo: diagram
Requirements
------------
Install and Configure ``mc``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
Install :mc:`mc` on a machine with network access to both source and destination
clusters. See the ``mc`` :ref:`Installation Quickstart <mc-install>` for
instructions on downloading and installing ``mc``.
Use the :mc:`mc alias` command to create an alias for the source MinIO cluster.
Alias creation requires specifying an access key for a user on the source and
destination clusters. The specified users must have :ref:`permissions
<minio-lifecycle-management-transition-to-azure-permissions>` for configuring
and applying transition operations.
.. _minio-lifecycle-management-transition-to-azure-permissions:
Required MinIO Permissions
~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO requires the following permissions scoped to the bucket or buckets
for which you are creating lifecycle management rules.
- :policy-action:`s3:PutLifecycleConfiguration`
- :policy-action:`s3:GetLifecycleConfiguration`
MinIO also requires the following administrative permissions on the cluster
in which you are creating remote tiers for object transition lifecycle
management rules:
- :policy-action:`admin:SetTier`
- :policy-action:`admin:ListTier`
For example, the following policy provides permission for configuring object
transition lifecycle management rules on any bucket in the cluster:.
.. literalinclude:: /extra/examples/LifecycleManagementAdmin.json
:language: json
:class: copyable
.. _minio-lifecycle-management-transition-to-azure-permissions-remote:
Required Azure Permissions
~~~~~~~~~~~~~~~~~~~~~~~~~~
Object transition lifecycle management rules require additional permissions on
the remote storage tier. Specifically, MinIO requires the
:abbr:`Azure (Microsoft Azure)` credentials provide read, write, list, and
delete permissions for the remote bucket.
Refer to the `Azure RBAC
<https://docs.microsoft.com/en-us/azure/role-based-access-control/>`__
documentation for more complete guidance on configuring the required
permissions.
Considerations
--------------
Exclusive Access to Remote Data
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-transition-bucket-access-desc
:end-before: end-transition-bucket-access-desc
.. important::
MinIO does *not* support changing the account name associated to an Azure
remote tier. Azure storage backends are tied to the account, such that
changing the account would change the storage backend and prevent access
to any objects transitioned to the original account/backend.
Please contact `MinIO Support <https://min.io/pricing?ref=docs>`__ if you need
situation-specific guidance around configuring Azure remote tiers.
Availability of Remote Data
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-transition-data-loss-desc
:end-before: end-transition-data-loss-desc
Procedure
---------
1) Configure User Accounts and Policies for Lifecycle Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. |permissions| replace:: :ref:`permissions <minio-lifecycle-management-transition-to-azure-permissions>`
.. include:: /includes/common-minio-tiering.rst
:start-after: start-create-transition-user-desc
:end-before: end-create-transition-user-desc
2) Configure the Remote Storage Tier
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc admin tier add` command to add a new remote storage tier:
.. code-block:: shell
:class: copyable
mc admin tier add --azure TARGET TIER_NAME \
--endpoint https://HOSTNAME
--bucket BUCKET \
--prefix PREFIX
--account-name ACCOUNT \
--account-key KEY \
--region REGION
The example above uses the following arguments:
.. list-table::
:header-rows: 1
:widths: 30 70
:width: 100%
* - Argument
- Description
* - :mc-cmd:`TARGET <mc admin tier add TARGET>`
- The :mc:`alias <mc alias>` of the MinIO deployment on which to configure
the remote tier.
* - :mc-cmd:`TIER_NAME <mc admin tier add TIER_NAME>`
- The name to associate with the new :abbr:`Azure (Microsoft Azure)` blob
remote storage tier. Specify the name in all-caps, e.g. ``AZURE_TIER``.
This value is required in the next step.
* - :mc-cmd:`HOSTNAME <mc admin tier add --endpoint>`
- The URL endpoint for the :abbr:`Azure (Microsoft Azure)` storage
backend.
* - :mc-cmd:`BUCKET <mc admin tier add --bucket>`
- The name of the bucket on the :abbr:`Azure (Microsoft Azure)` storage
backend to which MinIO transitions objects.
* - :mc-cmd:`PREFIX <mc admin tier add --prefix>`
- The optional bucket prefix within which MinIO transitions objects.
MinIO stores all transitioned objects in the specified ``BUCKET`` under a
unique per-deployment prefix value. Omit this argument to use only that
value for isolating and organizing data within the remote storage.
MinIO recommends specifying this optional prefix for remote storage tiers
which contain other data, including transitioned objects from other MinIO
deployments. This prefix should provide a clear reference back to the
source MinIO deployment to faciliate ease of operations related to
diagnostics, maintenance, or disaster recovery.
* - :mc-cmd:`ACCOUNT <mc admin tier add --account-name>`
- The account name MinIO uses to access the bucket. The account name
*must* correspond to an :abbr:`Azure (Microsoft Azure)` user with the
required :ref:`permissions
<minio-lifecycle-management-transition-to-azure-permissions-remote>`.
You cannot change this account name after creating the tier.
* - :mc-cmd:`KEY <mc admin tier add --account-key>`
- The corresponding key for the specified ``ACCOUNT``.
* - :mc-cmd:`REGION <mc admin tier add --region>`
- The :abbr:`Azure (Microsoft Azure)` blob storage region of the specified
``BUCKET``. You can safely omit this option if the ``HOSTNAME`` includes
the region.
3) Create and Apply the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-create-transition-rule-desc
:end-before: end-create-transition-rule-desc
4) Verify the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc ilm ls` command to review the configured transition
rules:
.. code-block:: shell
:class: copyable
mc ilm ls ALIAS/PATH --transition
- Replace :mc-cmd:`ALIAS <mc ilm ls ALIAS>` with the :mc:`alias <mc alias>`
of the MinIO deployment.
- Replace :mc-cmd:`PATH <mc ilm ls ALIAS>` with the name of the bucket for
which to retrieve the configured lifecycle management rules.

207
source/administration/object-management/transition-objects-to-gcs.rst Normal file
View File

@ -0,0 +1,207 @@
.. _minio-lifecycle-management-transition-to-gcs:
====================================
Transition Objects from MinIO to GCS
====================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
The procedure on this page creates a new object lifecycle management rule that
transition objects from a MinIO bucket to a remote storage tier on the Google
Cloud Storage backend. This procedure supports use cases like moving aged data
to low-cost public cloud storage solutions after a certain time period or
calendar date.
.. todo: diagram
Requirements
------------
Install and Configure ``mc``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
Install :mc:`mc` on a machine with network access to both source and destination
clusters. See the ``mc`` :ref:`Installation Quickstart <mc-install>` for
instructions on downloading and installing ``mc``.
Use the :mc:`mc alias` command to create an alias for the source MinIO cluster.
Alias creation requires specifying an access key for a user on the source and
destination clusters. The specified users must have :ref:`permissions
<minio-lifecycle-management-transition-to-gcs-permissions>` for configuring and
applying transition operations.
.. _minio-lifecycle-management-transition-to-gcs-permissions:
Required MinIO Permissions
~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO requires the following permissions scoped to the bucket or buckets
for which you are creating lifecycle management rules.
- :policy-action:`s3:PutLifecycleConfiguration`
- :policy-action:`s3:GetLifecycleConfiguration`
MinIO also requires the following administrative permissions on the cluster
in which you are creating remote tiers for object transition lifecycle
management rules:
- :policy-action:`admin:SetTier`
- :policy-action:`admin:ListTier`
For example, the following policy provides permission for configuring object
transition lifecycle management rules on any bucket in the cluster:.
.. literalinclude:: /extra/examples/LifecycleManagementAdmin.json
:language: json
:class: copyable
.. _minio-lifecycle-management-transition-to-gcs-permissions-remote:
Required GCS Permissions
~~~~~~~~~~~~~~~~~~~~~~~~
Object transition lifecycle management rules require additional permissions on
the remote storage tier. Specifically, MinIO requires the
:abbr:`GCS (Google Cloud Storage)` credentials provide read, write, list, and
delete permissions for the remote bucket.
Refer to the `GCS IAM permissions
<https://cloud.google.com/storage/docs/access-control/iam-permissions>`__
documentation for more complete guidance on configuring the required
permissions.
Considerations
--------------
Lifecycle Management Object Scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO uses a scanner process to check objects against all configured
lifecycle management rules. Slow scanning due to high IO workloads or
limited system resources may delay application of lifecycle management
rules. See :ref:`minio-lifecycle-management-scanner` for more information.
Exclusive Access to Remote Data
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-transition-bucket-access-desc
:end-before: end-transition-bucket-access-desc
Availability of Remote Data
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-transition-data-loss-desc
:end-before: end-transition-data-loss-desc
Procedure
---------
1) Configure User Accounts and Policies for Lifecycle Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. |permissions| replace:: :ref:`permissions <minio-lifecycle-management-transition-to-gcs-permissions>`
.. include:: /includes/common-minio-tiering.rst
:start-after: start-create-transition-user-desc
:end-before: end-create-transition-user-desc
2) Configure the Remote Storage Tier
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc admin tier add` command to add a new Google Cloud Storage
service as the remote storage tier:
.. code-block:: shell
:class: copyable
mc admin tier add --gcs TARGET TIER_NAME \
--endpoint https://HOSTNAME \
--bucket BUCKET \
--prefix PREFIX \
--credentials-file CREDENTIALS \
--region REGION
The example above uses the following arguments:
.. list-table::
:header-rows: 1
:widths: 30 70
:width: 100%
* - Argument
- Description
* - :mc-cmd:`TARGET <mc admin tier add TARGET>`
- The :mc:`alias <mc alias>` of the MinIO deployment on which to configure
the :abbr:`GCS (Google Cloud Storage)` remote tier.
* - :mc-cmd:`TIER_NAME <mc admin tier add TIER_NAME>`
- The name to associate with the new :abbr:`GCS (Google Cloud Storage)`
remote storage tier. Specify the name in all-caps, e.g. ``GCS_TIER``.
This value is required in the next step.
* - :mc-cmd:`HOSTNAME <mc admin tier add --endpoint>`
- The URL endpoint for the :abbr:`GCS (Google Cloud Storage)` storage
backend.
* - :mc-cmd:`BUCKET <mc admin tier add --bucket>`
- The name of the bucket on the :abbr:`GCS (Google Cloud Storage)` storage
backend to which MinIO transitions objects.
* - :mc-cmd:`PREFIX <mc admin tier add --prefix>`
- The optional bucket prefix within which MinIO transitions objects.
MinIO stores all transitioned objects in the specified ``BUCKET`` under a
unique per-deployment prefix value. Omit this argument to use only that
value for isolating and organizing data within the remote storage.
MinIO recommends specifying this optional prefix for remote storage tiers
which contain other data, including transitioned objects from other MinIO
deployments. This prefix should provide a clear reference back to the
source MinIO deployment to faciliate ease of operations related to
diagnostics, maintenance, or disaster recovery.
* - :mc-cmd:`CREDENTIALS <mc admin tier add --credentials-file>`
- The `credential file
<https://cloud.google.com/docs/authentication/getting-started>`__ for a
user on the remote GCS tier. The specified user credentials *must*
correspond to a GCS user with the required
:ref:`permissions
<minio-lifecycle-management-transition-to-gcs-permissions-remote>`.
* - :mc-cmd:`REGION <mc admin tier add --region>`
- The :abbr:`GCS (Google Cloud Storage)` region of the specified
``BUCKET``. You can safely omit this
option if the ``HOSTNAME`` includes the region.
3) Create and Apply the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-create-transition-rule-desc
:end-before: end-create-transition-rule-desc
4) Verify the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc ilm ls` command to review the configured transition
rules:
.. code-block:: shell
:class: copyable
mc ilm ls ALIAS/PATH --transition
- Replace :mc-cmd:`ALIAS <mc ilm ls ALIAS>` with the :mc:`alias <mc alias>`
of the MinIO deployment.
- Replace :mc-cmd:`PATH <mc ilm ls ALIAS>` with the name of the bucket for
which to retrieve the configured lifecycle management rules.

225
source/administration/object-management/transition-objects-to-s3.rst Normal file
View File

@ -0,0 +1,225 @@
.. _minio-lifecycle-management-transition-to-s3:
===================================
Transition Objects from MinIO to S3
===================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
The procedure on this page creates a new object lifecycle management rule that
transition objects from a MinIO bucket to a remote storage tier on the Amazon
Web Services S3 storage backend *or* an S3-compatible service. This procedure
supports use cases such as tiering objects to low-cost or archival storage after
a certain time period or calendar date.
.. todo: diagram
Requirements
------------
Install and Configure ``mc``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
Install :mc:`mc` on a machine with network access to both source and destination
clusters. See the ``mc`` :ref:`Installation Quickstart <mc-install>` for
instructions on downloading and installing ``mc``.
Use the :mc:`mc alias` command to create an alias for the source MinIO cluster.
Alias creation requires specifying an access key for a user on the source and
destination clusters. The specified users must have :ref:`permissions
<minio-lifecycle-management-transition-to-s3-permissions>` for configuring and
applying transition operations.
.. _minio-lifecycle-management-transition-to-s3-permissions:
Required MinIO Permissions
~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO requires the following permissions scoped to the bucket or buckets
for which you are creating lifecycle management rules.
- :policy-action:`s3:PutLifecycleConfiguration`
- :policy-action:`s3:GetLifecycleConfiguration`
MinIO also requires the following administrative permissions on the cluster
in which you are creating remote tiers for object transition lifecycle
management rules:
- :policy-action:`admin:SetTier`
- :policy-action:`admin:ListTier`
For example, the following policy provides permission for configuring object
transition lifecycle management rules on any bucket in the cluster:.
.. literalinclude:: /extra/examples/LifecycleManagementAdmin.json
:language: json
:class: copyable
.. _minio-lifecycle-management-transition-to-s3-permissions-remote:
Required S3 Permissions
~~~~~~~~~~~~~~~~~~~~~~~
Object transition lifecycle management rules require additional permissions
on the remote storage tier. Specifically, MinIO requires the remote
tier credentials provide read, write, list, and delete permissions for the
remote bucket.
For example, the following policy provides the necessary permission
for transitioning objects into and out of the remote tier:
.. literalinclude:: /extra/examples/LifecycleManagementUser.json
:language: json
:class: copyable
Modify the ``Resource`` for the bucket into which MinIO tiers objects.
Refer to the :aws-docs:`Amazon S3 Permissions
<service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions>`
documentation for more complete guidance on configuring the required
permissions.
Considerations
--------------
Lifecycle Management Object Scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO uses a scanner process to check objects against all configured
lifecycle management rules. Slow scanning due to high IO workloads or
limited system resources may delay application of lifecycle management
rules. See :ref:`minio-lifecycle-management-scanner` for more information.
Exclusive Access to Remote Data
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-transition-bucket-access-desc
:end-before: end-transition-bucket-access-desc
Availability of Remote Data
~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-transition-data-loss-desc
:end-before: end-transition-data-loss-desc
Procedure
---------
1) Configure User Accounts and Policies for Lifecycle Management
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. |permissions| replace:: :ref:`permissions <minio-lifecycle-management-transition-to-s3-permissions>`
.. include:: /includes/common-minio-tiering.rst
:start-after: start-create-transition-user-desc
:end-before: end-create-transition-user-desc
2) Configure the Remote Storage Tier
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc admin tier add` command to add an Amazon S3 service as the
new remote storage tier:
.. code-block:: shell
:class: copyable
mc admin tier add --s3 TARGET TIER_NAME \
--endpoint https://HOSTNAME \
--bucket BUCKET \
--prefix PREFIX
--access-key ACCESS_KEY \
--secret-key SECRET_KEY \
--region REGION \
--storage-class STORAGE_CLASS
The example above uses the following arguments:
.. list-table::
:header-rows: 1
:widths: 30 70
:width: 100%
* - Argument
- Description
* - :mc-cmd:`TARGET <mc admin tier add TARGET>`
- The :mc:`alias <mc alias>` of the MinIO deployment on which to configure
the S3 remote tier.
* - :mc-cmd:`TIER_NAME <mc admin tier add TIER_NAME>`
- The name to associate with the new S3 remote storage tier. Specify the
name in all-caps, e.g. ``S3_TIER``. This value is required in the next
step.
* - :mc-cmd:`HOSTNAME <mc admin tier add --endpoint>`
- The URL endpoint for the S3 storage backend.
* - :mc-cmd:`BUCKET <mc admin tier add --bucket>`
- The name of the bucket on the S3 storage backend to which MinIO
transitions objects.
* - :mc-cmd:`PREFIX <mc admin tier add --prefix>`
- The optional bucket prefix within which MinIO transitions objects.
MinIO stores all transitioned objects in the specified ``BUCKET`` under a
unique per-deployment prefix value. Omit this argument to use only that
value for isolating and organizing data within the remote storage.
MinIO recommends specifying this optional prefix for remote storage tiers
which contain other data, including transitioned objects from other MinIO
deployments. This prefix should provide a clear reference back to the
source MinIO deployment to faciliate ease of operations related to
diagnostics, maintenance, or disaster recovery.
* - :mc-cmd:`ACCESS_KEY <mc admin tier add --access-key>`
- The S3 access key MinIO uses to access the bucket. The
access key *must* correspond to an IAM user with the
required
:ref:`permissions
<minio-lifecycle-management-transition-to-s3-permissions-remote>`.
* - :mc-cmd:`SECRET_KEY <mc admin tier add --secret-key>`
- The corresponding secret key for the specified ``ACCESS_KEY``.
* - :mc-cmd:`REGION <mc admin tier add --region>`
- The AWS S3 region of the specified ``BUCKET``. You can safely omit this
option if the ``HOSTNAME`` includes the region.
* - :mc-cmd:`STORAGE_CLASS <mc admin tier add --storage-class>`
- The S3 storage class to which MinIO transitions objects. Specify
one of the following supported storage classes:
- ``STANDARD``
- ``REDUCED``
3) Create and Apply the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/common-minio-tiering.rst
:start-after: start-create-transition-rule-desc
:end-before: end-create-transition-rule-desc
4) Verify the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc ilm ls` command to review the configured transition
rules:
.. code-block:: shell
:class: copyable
mc ilm ls ALIAS/PATH --transition
- Replace :mc-cmd:`ALIAS <mc ilm ls ALIAS>` with the :mc:`alias <mc alias>`
of the MinIO deployment.
- Replace :mc-cmd:`PATH <mc ilm ls ALIAS>` with the name of the bucket for
which to retrieve the configured lifecycle management rules.