Updated on 2026-04-16 GMT+08:00

Configuring a Default WORM Policy for a Bucket

Functions

OBS provides Write-Once-Read-Many (WORM) in compliance mode. After a WORM policy is configured for a bucket, if no protection policy or retention period is set for newly uploaded objects, the bucket-level WORM policy will be automatically applied to these objects. You can call this API to configure a default protection policy and retention period for a bucket. For more information about how to configure bucket-level WORM policies, see Configuring WORM to Protect Objects from Being Overwritten or Deleted.

With the bucket's default WORM policy, if you do not specify a WORM policy or a retention period when you upload an object to the bucket, the default policy will be automatically applied to the newly uploaded object. An object-level WORM policy requires configuring a specific date, which indicates an object will be protected until that date. For a default bucket-level WORM policy, a retention period is required, and the protection for an object starts when the object is uploaded to the bucket.

Constraints

  • Before enabling bucket-level WORM, you need to enable versioning. Configuring WORM on OBS Console automatically enables versioning for the bucket, and versioning cannot be suspended afterward. When configuring WORM using APIs, you must first call the API that enables versioning for the bucket. WORM protects objects based on their object version IDs. Only object versions that have a WORM retention policy configured are protected. Assume that object test.txt 001 is protected by WORM. If another file with the same name is uploaded, a new object version test.txt 002 with no WORM policy configured will be generated. In this case, test.txt 002 is not protected and can be deleted. When you download an object without specifying a version ID, the current object version (test.txt 002) will be downloaded.
  • A lifecycle rule cannot delete WORM-protected objects, but can transition their storage class. After an object is no longer protected, it will be deleted when meeting the expiration rule in a lifecycle configuration.
  • Buckets with WORM enabled do not support cross-region replication.
  • If you have deregistered your account or your account has been frozen, the WORM-protected objects will be permanently deleted.
  • WORM-based protection is not available for migration.
  • The metadata of a WORM-protected object can still be modified.
  • Parallel file systems do not support WORM.
  • The WORM mode can only be COMPLIANCE.
  • The retention period can be set to 1 to 36500 days or 1 to 100 years.
  • You can modify or even delete the default WORM policy of a bucket. The change applies only to the objects uploaded after the change, but not to those uploaded before.
  • During a multipart upload, the object parts uploaded are not protected before they are assembled. After object parts are assembled, the new object is protected by the default bucket-level WORM policy. You can also configure an object-level WORM policy for the new object.

Authorization Information

To call this API, you must be the bucket owner or have the permission to configure a default WORM policy for a bucket. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

  • If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
    • If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutBucketObjectLockConfiguration permission. For details, see Creating a Custom IAM Policy.
    • If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putBucketObjectLockConfiguration permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

      | Action | Access Level | Resource Type (*: Required) | Condition Key | Alias | Dependencies |
      |---|---|---|---|---|---|
      | obs:bucket:putBucketObjectLockConfiguration | Write | bucket * | - | - | - |

      • obs:EpochTime
      • obs:SourceIp
      • obs:TlsVersion
      • obs:CustomDomain
  • If you use bucket policies for authorization, you need to grant the obs:bucket:PutBucketObjectLockConfiguration permission. For details, see Creating a Custom Bucket Policy.

Request Syntax

PUT /?object-lock HTTP/1.1
Host: bucketname.obs.region.myhuaweicloud.com
Date: date
Authorization: authorization
Content-Type: application/xml
Content-Length: length

<ObjectLockConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
    <ObjectLockEnabled>Enabled</ObjectLockEnabled>
    <Rule>
       <DefaultRetention>
          <Days>integer</Days>
          <Mode>COMPLIANCE</Mode>
          <Years>integer</Years>
       </DefaultRetention>
    </Rule>
</ObjectLockConfiguration>

URI Parameters

This request contains no message parameters.

Request Headers

This request uses common headers. For details, see Table 1.

Request Body

Table 1 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| ObjectLockConfiguration | Yes | Container | Definition: Container for bucket-level WORM configurations. ObjectLockConfiguration is the parent node of ObjectLockEnabled and Rule. Constraints: N/A. Range: For details, see Table 2. Default Value: N/A. |

Table 2 Parameters in ObjectLockConfiguration

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| ObjectLockEnabled | No | String | Definition: Bucket-level WORM status. Constraints: N/A. Range: Enabled (bucket-level WORM is enabled). Default Value: N/A. |
| Rule | Yes when ObjectLockEnabled is set to Enabled. If this parameter is not specified, the default bucket-level WORM policy will be cleared. | Container | Definition: Rule container of a bucket-level WORM policy. Rule is the parent node of DefaultRetention. Constraints: N/A. Range: For details, see Table 3. Default Value: N/A. |

Table 3 Rule parameter description

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| DefaultRetention | Yes if Rule is specified | Container | Definition: Container of a bucket-level WORM policy. DefaultRetention is the parent node of Mode, Days, and Years. Constraints: N/A. Range: For details, see Table 4. Default Value: N/A. |

Table 4 DefaultRetention parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Mode | Yes if DefaultRetention is specified | String | Definition: WORM retention policy of a bucket. Constraints: N/A. Range: COMPLIANCE (compliance mode). Default Value: N/A. |
| Days | If the DefaultRetention container is included, you must specify either Days or Years, but you cannot specify both at the same time. | Integer | Definition: Number of retention days. Constraints: Only one of Days and Years can be set to a value other than 0. The value must be within the allowed range. Range: 1 to 36500. Default Value: N/A. |
| Years | If the DefaultRetention container is included, you must specify either Years or Days, but you cannot specify both at the same time. | Integer | Definition: Default retention years. Constraints: One year is considered as 365 days, regardless of the leap year. Only one of Days and Years can be set to a value other than 0. The value must be within the allowed range. Range: 1 to 100. Default Value: N/A. |
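
A pre-flight check for this request body, added here as an example (it is not part of the OBS documentation or SDK): it validates a body against the constraints in Tables 2 to 4 and returns the retention in days, so a body that would clear the default policy or falls outside the allowed range is caught before the PUT is sent. The function names are hypothetical, the sample bodies are constructed from Sample Request 1 and Sample Request 2, and rejecting Enabled without Rule is a strict reading of Table 2, not confirmed server behavior.

```python
import xml.etree.ElementTree as ET
from datetime import timedelta

LIMITS = {"Days": (1, 36500), "Years": (1, 100)}  # ranges from Table 4
# Constructed samples: the bodies of Sample Request 1 and Sample Request 2.
XMLNS = 'xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/"'
SAMPLE_1 = (f"<ObjectLockConfiguration {XMLNS}><ObjectLockEnabled>Enabled"
            "</ObjectLockEnabled><Rule><DefaultRetention><Mode>COMPLIANCE</Mode>"
            "<Years>2</Years></DefaultRetention></Rule></ObjectLockConfiguration>")
SAMPLE_2 = f"<ObjectLockConfiguration {XMLNS}></ObjectLockConfiguration>"


def retention_days(body):
    """Return the default retention in days, or None if the body has no Rule
    and would clear the default policy. Raise ValueError on a constraint breach."""
    root = ET.fromstring(body)
    ns, _, name = root.tag.rpartition("}")
    ns = ns + "}" if ns else ""  # reuse whatever namespace the body declares
    if name != "ObjectLockConfiguration":
        raise ValueError("root must be ObjectLockConfiguration")
    enabled = root.findtext(ns + "ObjectLockEnabled")
    if enabled not in (None, "Enabled"):
        raise ValueError("ObjectLockEnabled can only be Enabled")
    rule = root.find(ns + "Rule")
    if rule is None:
        # Assumption: strict reading of Table 2, Rule is mandatory once Enabled is sent.
        if enabled:
            raise ValueError("Rule is required when ObjectLockEnabled is Enabled")
        return None
    ret = rule.find(ns + "DefaultRetention")
    if ret is None:
        raise ValueError("DefaultRetention is required inside Rule")
    if ret.findtext(ns + "Mode") != "COMPLIANCE":
        raise ValueError("Mode can only be COMPLIANCE")
    given = {k: int(ret.findtext(ns + k) or 0) for k in LIMITS}
    units = [k for k, v in given.items() if v != 0]
    if len(units) != 1:  # only one of Days and Years may be non-zero
        raise ValueError("set exactly one of Days or Years")
    low, high = LIMITS[units[0]]
    if not low <= given[units[0]] <= high:
        raise ValueError(f"{units[0]} must be {low} to {high}")
    # One year counts as 365 days, regardless of leap years.
    return given[units[0]] * (365 if units[0] == "Years" else 1)


def retain_until(body, uploaded):
    """Protection starts at upload; None means the new version is unprotected."""
    days = retention_days(body)
    return None if days is None else uploaded + timedelta(days=days)
```

With the Sample Request 1 body and an upload at 2015-07-01 02:25:05 UTC, retain_until returns 2017-06-30 02:25:05 UTC, one day short of two calendar years because each year counts as 365 days.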

Response Syntax

HTTP/1.1 status_code
Date: date
Content-Length: length

Response Headers

This response uses common headers. For details, see Table 1.

Response Body

The response of this API does not contain a response body.

Error Responses

Table 5 describes possible special errors in this request.

Table 5 Error Responses

| Error Code | Description | HTTP Status Code |
|---|---|---|
| InvalidRequest | The object lock is disabled for the bucket. | 400 |
| MalformedXML | Invalid policy configuration format. | 400 |
| InvalidBucketState | Versioning must be 'Enabled' on the bucket to apply an Object Lock configuration. | 409 |

For other errors, see Table 2.

Sample Request 1

Configure the default bucket-level WORM policy with a retention period of 2 years.

PUT /?object-lock HTTP/1.1
Host: bucketname.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:25:05 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:75/Y4Ng1izvzc1nTGxpMXTE6ynw=
Content-Type: application/xml
Content-Length: 157

<ObjectLockConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
    <ObjectLockEnabled>Enabled</ObjectLockEnabled>
    <Rule>
       <DefaultRetention>
          <Mode>COMPLIANCE</Mode>
          <Years>2</Years>
       </DefaultRetention>
    </Rule>
</ObjectLockConfiguration>

Sample Response 1

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF260000016435CE298386946AE4C482
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT9W2tcvLmMJ+plfdopaD62S0npbaRUz
Date: WED, 01 Jul 2015 02:25:06 GMT
Content-Length: 0

Sample Request 2

Delete the configuration of the default bucket-level WORM policy.

PUT /?object-lock HTTP/1.1
Host: bucketname.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:25:05 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:75/Y4Ng1izvzc1nTGxpMXTE6ynw=
Content-Type: application/xml
Content-Length: 157

<ObjectLockConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
</ObjectLockConfiguration>

Sample Response 2

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF260000016435CE298386946AE4C482
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT9W2tcvLmMJ+plfdopaD62S0npbaRUz
Date: WED, 01 Jul 2015 02:25:06 GMT
Content-Length: 0
