Maintain control of your Microsoft 365 data
DanielJ
Service Provider
Posts: 200
Liked: 32 times
Joined: Jun 10, 2019 12:19 pm
Full Name: Daniel Johansson

New required S3 methods

Post by DanielJ »

Since version 7 requires several new S3 methods, I wonder if all of the new methods are strictly required? Some of the methods are relevant to object lock, which we are not planning on using for now. Will the upgrade process check which methods the S3 storage supports?
Polina
Veeam Software
Posts: 2981
Liked: 708 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: New required S3 methods

Post by Polina »

Hi Daniel,

To the best of my knowledge, there are no such verifications during/after the upgrade. If you don't plan to use the immutability feature, there's nothing to worry about.

Re: New required S3 methods

Post by DanielJ »

Sounds hopeful. As far as I can see, these are the methods that have been added as requirements in v7:

s3:GetBucketVersioning
s3:ListBucketVersions
s3:GetObjectRetention
s3:PutObjectRetention
s3:DeleteObjectVersion

Can you verify that all of them are used only for immutability/object lock?

Re: New required S3 methods

Post by Polina »

Correct, all of those are required to perform lock and versioning checks.

And to add to my previous post: After you upgrade, your existing repositories will continue to work, but to add a new object storage repository and to re-add/re-sync an existing object storage repository, you will have to have these new permissions.

Thanks!

Re: New required S3 methods

Post by DanielJ »

All right, thanks. It looks like we will have to postpone the upgrade indefinitely.

Re: New required S3 methods

Post by DanielJ »

I found that our S3 platform (Red Hat Ceph) does have support for these:

s3:GetBucketVersioning
s3:ListBucketVersions
s3:DeleteObjectVersion

But the next two are listed as "S3 resource tags" instead of under "Supported S3 actions". Not sure what that means.

s3:GetObjectRetention
s3:PutObjectRetention

Then there are these actions, which we don't have support for, but they are listed as required already in v6:

s3:GetBucketObjectLockConfiguration
s3:RestoreObject

Since it's working now, we apparently don't need them. But will v7 check specifically for them when adding a repository?

Re: New required S3 methods

Post by Polina »

When creating/re-adding a repository, v7 uses s3:GetBucketVersioning to check if versioning is enabled. If the immutability checkbox is active, the s3:GetBucketObjectLockConfiguration is used to get the Object Lock configuration.

The rest of the permissions are not validated. If any of them is missing when required to perform an operation, such an operation will fail. For example, s3:RestoreObject is required to retrieve backup copies from an archive tier object storage, and s3:GetObjectRetention/s3:PutObjectRetention are only used when immutability is enabled on the repository.
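
Added example, not part of the thread and not Veeam code: a pre-upgrade check that reads an IAM-style S3 policy and separates the actions the post above says v7 checks when a repository is added from those that only fail later at operation time. The grouping constants, the function names and the sample policy are assumptions built from the statements in this thread; `Resource`, `Condition` and `NotAction` are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Grouping follows the statements in this thread about v7; it is not an
# official Veeam permission matrix.
PROBED_ON_ADD = {"s3:GetBucketVersioning"}
PROBED_ON_ADD_IMMUTABLE = {"s3:GetBucketObjectLockConfiguration"}
USED_IMMUTABLE = {"s3:ListBucketVersions", "s3:DeleteObjectVersion",
                  "s3:GetObjectRetention", "s3:PutObjectRetention"}
USED_ARCHIVE = {"s3:RestoreObject"}

# Constructed sample policy: versioning actions present; retention,
# Object Lock configuration and RestoreObject absent.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                           "s3:ListBucket", "s3:GetBucketVersioning",
                           "s3:ListBucketVersions", "s3:DeleteObjectVersion"],
                "Resource": "*"}]}
""")

def patterns(policy, effect):
    """Action patterns of all statements with the given Effect."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = []
    for stmt in stmts:
        if stmt.get("Effect") == effect:
            actions = stmt.get("Action", [])
            found += [actions] if isinstance(actions, str) else list(actions)
    return found

def matches(action, pats):
    # Action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in pats)

def gaps(policy, immutability=False, archive_tier=False):
    """Split missing actions into 'checked when adding' and 'fails later'."""
    allow, deny = patterns(policy, "Allow"), patterns(policy, "Deny")
    def missing(actions):
        return sorted(a for a in actions
                      if not matches(a, allow) or matches(a, deny))
    probed, later = set(PROBED_ON_ADD), set()
    if immutability:
        probed |= PROBED_ON_ADD_IMMUTABLE
        later |= USED_IMMUTABLE
    if archive_tier:
        later |= USED_ARCHIVE
    return {"checked_on_add": missing(probed), "fails_at_operation": missing(later)}

if __name__ == "__main__":
    print(gaps(SAMPLE_POLICY, immutability=True, archive_tier=True))
```

A clean result only covers what the policy grants; whether the storage platform implements each call still has to be confirmed against the platform's own documentation.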

Re: New required S3 methods

Post by DanielJ »

Then it sounds like it should work for us as we won't be using immutability. I know that Red Hat Ceph is listed as "compatible" (without immutability) on veeam-backup-for-microsoft-365-f47/unof ... 78250.html but I don't know if that info has been updated for v7.

Re: New required S3 methods

Post by Polina »

The list was last updated mid-March, and already includes systems that are/are not compatible with immutability. Check the S3 Object Storage section listing 'Compatible + Immutability (for backup copy jobs)' and only 'Compatible'.