Skip to content

img0

Object Lock

Disable Root

Warning

Disabling the root account is a non-reversable action in the lab

Instructions

  1. Login as root user to the Config Controller Node (node1) node using the password provided by your trainer
  2. Change directory to /opt/cloudian-staging/8.2.5 and run the script cloudianInstall.sh 
    /opt/cloudian-staging/8.2.5/cloudianInstall.sh

Instructions

  1. Select Advanced Configuration (Option 4)
  2. Select Disable Root Password (Option m)
  3. Type "yes" in response to the prompt

Note

HSH must be enabled before you can disable the root password.

Instructions

  1. Exit from menu and logout as root user. The root user account is now disabled

Create Object Locked Bucket

Instructions

  1. Login as your storage user to CMC
  2. Select + Add New Bucket
  3. Enter mylockedrf3bucket for bucket name
  4. Click Object Lock Button to enable Object Lock
  5. Ensure SRF3 is selected for Storage Policy
  6. Click Create

Instructions

  1. Read the Warning (and do read the warning) It is important to understand these changes are permanent for the bucket.
  2. Click OK to proceed.

Instructions

You will now see your new bucket, with a padlock next to the name, denoting this bucket as object locked.

  1. Select the OBJECTS tab
  2. Note that we have a selector to either show or hide versions
  3. Upload the 5k file to the mylockedrf3bucket
  4. Try to delete the 5k object. Were you succesful? Why?
  5. As you can see, the bucket is configured for Object Lock but there is no retention policy set, so objects uploaded are not locked using a bucket default value and would rely on the API defining the retention period.

Instructions

  1. Click on the Bucket Properties
  2. Click on Object Lock tab
  3. Notice Default Object Lock Policy is set to None
  4. Notice the Modes
    1. Governance : Protects against
      1. Accidental Deletions
      2. Standard Users deliberations
      3. Misconfigured Applications
    2. Compliance : Protects against
      1. Everything covered by Governance and additionally
      2. Privileged users with bypass permission
  5. Select Governance Mode
  6. Set a retention period of 1 day. This is the minimum that can be set via CMC.
  7. Click Save

Instructions

  1. Upload the 5k file to the mylockedrf3bucket
  2. Notice this time, the Object now has a version and the version has a padlock next to it. Can you delete it now?
  3. As the object is protected for Govenance, the IAM root (or an account that has the s3:BypassGovernanceRetention permission) can delete the Object
  4. In the Properties for the object, select the Object Lock tab
  5. Select none and save - the bucket retains the Governance protection but the object can now be deleted.

Instructions

  1. Lets set it to compliance instead. In the Properties for the object, select the Object Lock tab
  2. Select Compliance
  3. Enter a retain until date of at least 1 day and save the object.

Note

The object cannot be deleted until the retention period has expired.

Instructions

  1. Click on the Object properties, and then the Object Lock Tab.

Note

You cannot change Mode. You can also see when the retention period for this object ends.
You can extend the Retain Until date but not reduce it.
You may also enable a LEGAL HOLD against the object from here.