Backing up Object Store: Difference between revisions
No edit summary |
m (Slight re-wording of first para. Minor spelling corrections.) |
||
Line 1: | Line 1: | ||
__FORCETOC__ | __FORCETOC__ | ||
Object Store data, while stored redundantly via Ceph, is not backed up. Object Store buckets are backed up to the TSM tape system upon request only by following the procedures listed on this page. | |||
The following contents and policies apply to backups by default: | |||
What is in the backup? | What is in the backup? | ||
* Only bucket data is backed up | * Only the bucket data is backed up. We are not currently backing up the IAM policies of the buckets or objects. | ||
* Only current version of the data is seen by the | * Only the current version of the data is seen by the backup system. Object chunks or versioned objects are not seen by the backups system. | ||
What is the backup policy? | What is the backup policy? | ||
* | * Backups are run on a daily basis. | ||
* | * The current object and one modified version of object are kept (this is different than full bucket versioning). | ||
* The modified version is | * The modified version is kept for 6 month - after that period only the current object is kept. | ||
* Deleted objects are | * Deleted objects are kept for 6 months. | ||
= Backup Procedure = | = Backup Procedure = | ||
Please follow this procedure to request backups of your buckets. | |||
==List bucket== | ==List bucket== | ||
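Review bot: In the new "What is the backup policy?" bullets, "kept for 6 month" should read "6 months", matching the "Deleted objects are kept for 6 months" bullet below it. The second "What is in the backup?" bullet also ends with "backups system" where the same bullet earlier says "backup system". Since the new first bullet states that IAM policies are not backed up, consider adding that users should keep their own copy of each bucket policy.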
Line 24: | Line 26: | ||
You need to configure the iam policy statement of '''all the buckets''' you want to back up so your TSM robot user in charge of the backup can access them. Here is the policy that needs to be added. | You need to configure the iam policy statement of '''all the buckets''' you want to back up so your TSM robot user in charge of the backup can access them. Here is the policy that needs to be added. | ||
For example, using the [https://docs.aws.amazon.com/cli/latest/ aws cli] | For example, using the [https://docs.aws.amazon.com/cli/latest/ aws cli], apply the policy on <code>my-bucket</code> using the <code>my-profile</code> identity. | ||
First, we make sure that <code>my-bucket</code> has | First, we make sure that <code>my-bucket</code> currently has no policy. | ||
<pre>$aws s3api --profile my-project get-bucket-policy --bucket my-bucket | <pre>$aws s3api --profile my-project get-bucket-policy --bucket my-bucket | ||
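Review bot: The new sentence names the "my-profile" identity, but the command directly below it passes "--profile my-project". Use the same profile name in both places so that a reader copying the commands checks the bucket with the identity that later applies the policy.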
Line 70: | Line 72: | ||
==Give us permission== | ==Give us permission== | ||
You will be asked to create a bucket for each bucket you want to restore to | You will be asked to create a bucket for each bucket you want to restore to restore with the <code>-restore</code> suffix. | ||
<div class="filename">'''File :''' policy.json </div> | <div class="filename">'''File :''' policy.json </div> | ||
<syntaxhighlight lang="json" file="my-policy.json"> | <syntaxhighlight lang="json" file="my-policy.json"> |
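Review bot: The reworded sentence under "Give us permission" now reads "you want to restore to restore with the -restore suffix"; the repeated "restore to restore" looks like an editing slip and leaves it unclear which bucket gets the suffix. Suggest "create a bucket with the -restore suffix for each bucket you want to restore". The filename caption also says "policy.json" while the block is tagged file="my-policy.json"; pick one name.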
Revision as of 19:36, 3 June 2025
Object Store data, while stored redundantly via Ceph, is not backed up. Object Store buckets are backed up to the TSM tape system upon request only by following the procedures listed on this page.
The following contents and policies apply to backups by default:
What is in the backup?
* Only the bucket data is backed up. We are not currently backing up the IAM policies of the buckets or objects.
* Only the current version of the data is seen by the backup system. Object chunks or versioned objects are not seen by the backup system.
What is the backup policy?
* Backups are run on a daily basis.
* The current object and one modified version of the object are kept (this is different from full bucket versioning).
* The modified version is kept for 6 months; after that period only the current object is kept.
* Deleted objects are kept for 6 months.
Backup Procedure
Please follow this procedure to request backups of your buckets.
List bucket
Send a list of buckets to back up to sd4h support with the name and ID of the project where the buckets live.
Give us permission
You need to configure the iam policy statement of all the buckets you want to back up so your TSM robot user in charge of the backup can access them. Here is the policy that needs to be added.
For example, using the aws cli, apply the policy on my-bucket using the my-profile identity.
First, we make sure that my-bucket currently has no policy.
$ aws s3api --profile my-profile get-bucket-policy --bucket my-bucket
An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The bucket policy does not exist
If that command returns something, you need to add the new statement to the existing policy, but we are not covering that here.
Adding my-policy.json to my-bucket:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/tsm"]},
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*",
                "arn:aws:s3:::my-bucket"
            ]
        }
    ]
}
Then load the policy onto the bucket:
$ aws s3api --profile my-profile put-bucket-policy --policy file://my-policy.json --bucket my-bucket
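When get-bucket-policy does return an existing policy, put-bucket-policy would replace it, so the TSM statement has to be merged into the existing document first. The following is an added example, not part of the original page: it merges the statement once and flags Resource ARNs granted to the TSM user that do not name the bucket (for instance a misspelled bucket name). The function names, the sample user alice and the assumption that the existing policy is already parsed from JSON are all hypothetical.

```python
import copy
import json

TSM_PRINCIPAL = "arn:aws:iam:::user/tsm"  # principal ARN used in the page's policy

def as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def tsm_statement(bucket):
    """Backup statement from the page, parameterised on the bucket name."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": [TSM_PRINCIPAL]},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
    }

def merge_tsm_statement(existing_policy, bucket):
    """Return a copy of the policy with the TSM statement present exactly once."""
    policy = copy.deepcopy(existing_policy) if existing_policy else {}
    statements = as_list(policy.get("Statement", []))
    wanted = tsm_statement(bucket)
    if wanted not in statements:
        statements = statements + [wanted]
    policy["Statement"] = statements
    return policy

def stray_resources(policy, bucket):
    """Resource ARNs granted to the TSM user that do not name this bucket."""
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    stray = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        users = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if TSM_PRINCIPAL in users:
            stray += [r for r in as_list(stmt.get("Resource", [])) if r not in expected]
    return stray

# Constructed sample of a policy already on the bucket (user "alice" is hypothetical).
EXISTING = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/alice"]},
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::my-bucket/*"],
}]}

if __name__ == "__main__":
    print(json.dumps(merge_tsm_statement(EXISTING, "my-bucket"), indent=2))
```

Save the printed document as my-policy.json and load it with the put-bucket-policy command above; running stray_resources on it beforehand should return an empty list.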
Restore Procedure
List bucket
Send the list of buckets or objects to restore to sd4h support.
Give us permission
You will be asked to create a bucket with the -restore suffix for each bucket you want to restore.
{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/tsm"]},
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-restore/*",
                "arn:aws:s3:::my-bucket-restore"
            ]
        }
    ]
}
Once this is done, we will restore your data to that folder.