Object Lock
Object Lock allows you to protect objects from being deleted or overwritten for a specified period or indefinitely. Object Lock operates in three modes:
- Governance Mode: Protects objects against accidental deletion but allows authorized users to bypass the lock.
- Compliance Mode: Provides immutable protection; no user can delete or modify the object until the retention period expires.
- Legal Hold: Prevents an object from being deleted until the legal hold is explicitly removed, regardless of retention settings.
Governance Mode Override Permissions
By default, the account owner and any user with default project access hold Governance Mode override permissions. This is a consequence of Storj's macaroon-based access system, which works by restricting capabilities rather than by explicitly granting permissions, so a credential that has not been restricted keeps the override capability.
To avoid unintentionally granting Governance Mode override permissions, use S3 credentials that explicitly restrict this capability for any operations involving Object Lock.
Note: Storj does not currently support role-based access control (RBAC) for applying default restrictions by role. This functionality may be added in the future.
Using Object Lock
- To enable Object Lock and set bucket-level defaults, see Object Lock.
- For Object Lock related object operations, see Objects.
Technical Details
New S3 Actions Supported:
| Action | API Description | Description of Change(s) |
|---|---|---|
| GetObjectLockConfiguration | Gets the object lock configuration for a bucket. | Will return the ObjectLockConfiguration with |
| PutObjectLockConfiguration | Enables Object Lock configuration on a bucket. | ObjectLockEnabled: Indicates if Object Lock is enabled on the bucket. Rule (Optional): Specifies the Object Lock rule (mode and period) for the bucket. The period can be either |
| PutObjectRetention | Places an object retention configuration on an object. | |
| GetObjectRetention | Retrieves an object's retention settings. | |
| GetObjectLegalHold | Retrieves the Legal Hold status of an object. | |
| PutObjectLegalHold | Applies a Legal Hold to the specified object. | |
Existing S3 Actions Updated
| Action | API Description | Description of Change(s) |
|---|---|---|
| CreateBucket | Creates a new bucket. | CreateBucket will now accept the following request parameter: |
| HeadObject | Retrieves metadata from an object without returning the object itself. | HeadObject will now return: |
| GetObject | Retrieves an object from a bucket. | GetObject will now return: |
| PutObject | Adds an object to a bucket. | PutObject will now: PutObject will now accept the following request parameters: |
| CopyObject | Creates a copy of an object that is already stored on Storj. | CopyObject will now accept the following request parameters: |
| CreateMultipartUpload | This action initiates a multipart upload and returns an upload ID. | CreateMultipartUpload will now accept the following request parameters: Storj has a unique object-level TTL. Any request that has both a TTL and a retention period will be rejected, to prevent TTLs from conflicting with Object Lock retention periods. |
| DeleteBucket | Deletes the specified bucket. | Forced deletion of a bucket with locked objects will be prevented. |
| DeleteObject | Removes an object from a bucket. | Deletion of an object with a retention set will be prevented. |
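The three modes, the Governance Mode override caveat, and the TTL/retention conflict noted for CreateMultipartUpload, modelled as a small decision function so the interactions can be checked case by case. This is an added illustration, not Storj's gateway code: `LockState`, `delete_allowed`, `upload_allowed` and the sample cases are constructed here, and `credential_may_bypass` stands in for whether an S3 credential still carries the governance-override capability or has had it restricted as described above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class LockState:
    """Lock metadata as GetObjectRetention / GetObjectLegalHold would report it (constructed)."""
    mode: Optional[str] = None             # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False

def delete_allowed(lock: LockState, now: datetime, bypass_requested: bool,
                   credential_may_bypass: bool) -> tuple[bool, str]:
    """Should DeleteObject succeed? bypass_requested models the S3
    x-amz-bypass-governance-retention header; credential_may_bypass (assumed
    name) models whether the credential still holds the override capability."""
    if lock.legal_hold:
        return False, "legal hold set: remove it explicitly before deleting"
    if lock.mode is None or lock.retain_until is None or lock.retain_until <= now:
        return True, "no active retention period"
    if lock.mode == "COMPLIANCE":
        return False, "compliance retention active: no one can delete until it expires"
    if lock.mode == "GOVERNANCE":
        if bypass_requested and credential_may_bypass:
            return True, "governance retention bypassed by an authorized caller"
        return False, "governance retention active: bypass not requested or not permitted"
    raise ValueError(f"unknown lock mode {lock.mode!r}")

def upload_allowed(ttl: Optional[timedelta], retain_until: Optional[datetime]) -> tuple[bool, str]:
    """Storj rejects uploads that carry both a TTL and a retention period."""
    if ttl is not None and retain_until is not None:
        return False, "TTL and retention period conflict: request rejected"
    return True, "ok"

def scenarios() -> dict[str, bool]:
    """Constructed sample cases; True means the request is allowed."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    future, past = now + timedelta(days=30), now - timedelta(days=1)
    return {
        "compliance_with_bypass": delete_allowed(LockState("COMPLIANCE", future), now, True, True)[0],
        "governance_bypass_authorized": delete_allowed(LockState("GOVERNANCE", future), now, True, True)[0],
        "governance_bypass_restricted_cred": delete_allowed(LockState("GOVERNANCE", future), now, True, False)[0],
        "governance_no_bypass_header": delete_allowed(LockState("GOVERNANCE", future), now, False, True)[0],
        "governance_expired": delete_allowed(LockState("GOVERNANCE", past), now, False, False)[0],
        "legal_hold_after_expiry": delete_allowed(LockState("COMPLIANCE", past, True), now, True, True)[0],
        "ttl_plus_retention": upload_allowed(timedelta(hours=1), future)[0],
        "retention_only": upload_allowed(None, future)[0],
    }
```

The `governance_bypass_authorized` case is the one the override note above warns about: an unrestricted credential plus the bypass header is enough to remove a governance-locked object.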