
Configuring WORM to Protect Objects from Being Overwritten or Deleted

Updated on 2024-11-26 GMT+08:00

OBS provides write-once-read-many (WORM) to protect objects from being deleted or tampered with within a specified period. WORM works at both the bucket and object levels in compliance mode.

Scenarios

In compliance mode, a WORM-protected object version cannot be overwritten or deleted by anyone, including the root user in your account.

When WORM is configured for a bucket, the protection applies to all objects in the bucket. When WORM is configured for an object version, the protection applies to the current object version only. No matter which type of WORM protection you want to use, you must enable WORM for the bucket first. A bucket-level WORM retention policy takes effect only for objects uploaded after the policy was configured. If an object is protected by a bucket-level WORM policy and an object-level WORM policy at the same time, the object-level WORM policy takes precedence.

Precautions

  • When you enable WORM for a bucket, OBS automatically enables versioning, and versioning cannot be suspended later for that bucket. WORM protects objects based on their object version IDs. Only object versions that have a WORM retention policy configured are protected. Assume that object test.txt 001 is protected by WORM. If another file with the same name is uploaded, a new object version test.txt 002 with no WORM policy configured is generated. In that case, test.txt 002 is not protected and can be deleted. When you download an object without specifying a version ID, the current object version (test.txt 002) is downloaded.
  • A lifecycle rule cannot delete WORM-protected objects, but can transition their storage class. After an object is no longer protected, it will be deleted when meeting the expiration rule in a lifecycle configuration.
  • Once you enable WORM for a bucket, you cannot disable it or suspend versioning for the bucket, but you can disable the default WORM policy for the bucket.
  • Buckets with WORM enabled do not support cross-region replication.
  • If you have deregistered your account or your account has been frozen, the WORM-protected objects will be permanently deleted.
  • WORM-based protection is not available for migration.
  • The metadata of a WORM-protected object can still be modified.

Configuring WORM for a Bucket

You can use OBS Console or APIs to configure WORM for a bucket.

Skipping the WORM Retention Configuration

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. In the navigation pane, choose Overview.
  4. In the Basic Configurations area, click WORM Retention. The Configure WORM Retention dialog box is displayed.
  5. Select Skip and click OK.

    Figure 2 Skipping the WORM retention configuration

Extending the Retention Period

After WORM is configured for an object, you can go to the object details page and extend the retention period of an object version on the Versions page. Before the specified date, OBS prevents protected object versions from being deleted.

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. In the object list, click the object to go to its details page.
  4. On the Versions tab page, view all versions of the object.
  5. Locate the object version for which you want to extend the retention period, choose More > Extend Retention Period, and select a date.

    Figure 3 Extending the retention period
    NOTE:

    A retention period can only be extended, but not shortened.

    Assume that an object version was configured to be protected until March 30, 2023. If you want to extend the retention period on March 1, 2023, you can extend it to March 31, 2023 or a later date. If you extend the retention period on April 1, 2023, you can extend it to the current day (April 1, 2023) or a later date. If the current day is used, the object version will no longer be protected by WORM after 24:00 on that day.
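The version-scoped protection described under Precautions and the extension rule in the note above can be checked offline with a small model. This is an added example, not Huawei Cloud code and not an OBS API client: the Version class, the function names, and the audit.log entry are assumptions, and the listing is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Version:
    key: str
    version_id: str
    retain_until: Optional[date]  # None: no WORM policy on this version
    is_current: bool = False


def is_protected(v: Version, today: date) -> bool:
    # Protection runs through 24:00 on the retain-until date (per the note).
    return v.retain_until is not None and today <= v.retain_until


def earliest_extension(v: Version, today: date) -> date:
    """Earliest date the retention of v may be extended to."""
    if v.retain_until is None:
        raise ValueError("no retention policy to extend")
    # Active policy: strictly later than the current date. Expired: today or later.
    return max(v.retain_until + timedelta(days=1), today)


def unprotected_current(versions: List[Version], today: date) -> List[str]:
    """Keys whose current version is deletable while an older one is protected."""
    by_key = {}
    for v in versions:
        by_key.setdefault(v.key, []).append(v)
    flagged = []
    for key, vs in by_key.items():
        current = next((v for v in vs if v.is_current), None)
        older = any(is_protected(v, today) for v in vs if not v.is_current)
        if current is not None and not is_protected(current, today) and older:
            flagged.append(key)
    return sorted(flagged)


# Constructed listing: test.txt follows the page's example; audit.log is made up.
SAMPLE = [
    Version("test.txt", "001", date(2023, 3, 30)),
    Version("test.txt", "002", None, is_current=True),
    Version("audit.log", "001", date(2023, 3, 30), is_current=True),
]

if __name__ == "__main__":
    print(unprotected_current(SAMPLE, date(2023, 3, 1)))
    print(earliest_extension(SAMPLE[0], date(2023, 3, 1)))
    print(earliest_extension(SAMPLE[0], date(2023, 4, 1)))
```

A key flagged by unprotected_current is one where a default download returns a version that WORM does not protect, even though an earlier version of the same object is still retained.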

Manually and Permanently Deleting Objects from a WORM-Enabled Bucket

In a WORM-enabled bucket, if an object has no retention policy configured or its retention policy has expired, you can delete a desired version of the object. If an object version is within the retention period, it cannot be deleted.

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. Enable Historical Versions.
  4. Select the object version to be permanently deleted and click Permanently Delete above the search bar.

    Figure 4 Permanently deleting an object version

  5. Click OK.

Using a Lifecycle Rule to Delete Objects from a WORM-Enabled Bucket

You can configure a lifecycle rule to let OBS automatically expire and delete objects in a WORM-enabled bucket. For this to work, the objects must have no retention policy configured, or their retention policies must have expired. Objects within their retention period cannot be deleted.

NOTE:

In a WORM-enabled bucket, folders cannot be permanently deleted from the Deleted Objects list. To permanently delete a folder, you can only configure a lifecycle rule.

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket you want to operate. The Objects page is displayed.
  3. In the navigation pane, choose Basic Configurations > Lifecycle Rules.
  4. Click Create.

    Figure 5 Creating a lifecycle rule

  5. Configure a lifecycle rule.

    Configure parameters under Basic Information:
    • Status: Select Enable to enable this lifecycle rule after the configuration.
    • Rule Name: It identifies a lifecycle rule. The rule name must be no longer than 255 characters.
    • Prefix: It is optional.
      • If this field is configured, objects with the specified prefix will be managed by the lifecycle rule. The prefix cannot start with a slash (/) or contain two consecutive slashes (//), and cannot contain the following special characters: \:*?"<>|
      • If this field is not configured, all objects in the bucket will be managed by the lifecycle rule.

    Configure parameters under Current Version or Historical Version:

    Delete Objects After (Days): After this number of days since the last update, OBS will expire and then delete the objects meeting the specified conditions. The days set here must be larger than any of the days configured for the transition actions.

    Suppose that you last updated the following files in OBS on November 7, 2023:
    • log/notConfigured-1.log (This file has no WORM retention policy configured.)
    • log/expired-1.log (The WORM retention policy configured for this file has expired.)
    • doc/withinRetention-1.doc (The WORM retention policy configured for this file expires on November 30, 2023.)
    Then on November 10, 2023, you last updated the following files:
    • log/notConfigured-2.log (This file has no WORM retention policy configured.)
    • log/expired-2.log (The WORM retention policy configured for this file has expired.)
    • doc/withinRetention-2.doc (The WORM retention policy configured for this file expires on November 30, 2023.)

    On November 10, 2023, you set the objects prefixed with log to expire one day later. You might encounter the following situations:

    • Objects log/notConfigured-1.log and log/expired-1.log last updated on November 7, 2023 might be deleted after the last system scan. The deletion could happen on November 10, 2023 or November 11, 2023, depending on the time of the last system scan. doc/withinRetention-1.doc will not be deleted.
    • Objects log/notConfigured-2.log and log/expired-2.log last uploaded on November 10, 2023 might be deleted on November 11, 2023 or November 12, 2023, depending on whether they have been stored for over one day (since their last update) when the system scan happened. doc/withinRetention-2.doc will not be deleted.
    NOTE:

    For more information, see Creating a Lifecycle Rule.

  6. Click OK.
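The scan outcomes in the example under step 5 can be reproduced with a small offline model. This is an added example, not Huawei Cloud code: the Obj class and scan function are assumptions, the clock times and the lapsed-policy date are constructed because the page gives dates only, and the age test is one reading of "stored for over one day". It also runs the rule with an empty prefix, which the page says applies to all objects, to show retention alone holding the doc/ objects.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Obj:
    key: str
    last_modified: datetime
    protected_until: Optional[datetime]  # end of WORM protection; None: no policy


def scan(objs: List[Obj], prefix: str, days: int, now: datetime) -> Dict[str, str]:
    """Decision per object for one lifecycle scan at time `now`."""
    out = {}
    for o in objs:
        if prefix and not o.key.startswith(prefix):
            out[o.key] = "skip: prefix"          # rule does not manage this object
        elif o.protected_until is not None and now < o.protected_until:
            out[o.key] = "keep: WORM"            # retention blocks lifecycle deletion
        elif now - o.last_modified < timedelta(days=days):
            out[o.key] = "keep: age"             # not yet stored long enough
        else:
            out[o.key] = "delete"
    return out


# The page gives dates only; the clock times and the lapsed date are constructed.
T7, T10 = datetime(2023, 11, 7, 12), datetime(2023, 11, 10, 12)
LAPSED = datetime(2023, 11, 1)   # constructed: a policy that has already expired
NOV30 = datetime(2023, 12, 1)    # 24:00 on November 30, 2023
OBJECTS = [
    Obj("log/notConfigured-1.log", T7, None),
    Obj("log/expired-1.log", T7, LAPSED),
    Obj("doc/withinRetention-1.doc", T7, NOV30),
    Obj("log/notConfigured-2.log", T10, None),
    Obj("log/expired-2.log", T10, LAPSED),
    Obj("doc/withinRetention-2.doc", T10, NOV30),
]

if __name__ == "__main__":
    for when in (datetime(2023, 11, 10, 23), datetime(2023, 11, 11, 23)):
        print(when, scan(OBJECTS, "log", 1, when))
    print(scan(OBJECTS, "", 1, datetime(2023, 11, 11, 23)))
```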

Related Operations

When uploading an object, configure a retention policy for the object. For details, see Streaming Upload (PUT).

To normally delete objects from a WORM-enabled bucket, see Deleting an Object.
