混合云对象存储
裸机
纠删码计算器
参考硬件
Transition Objects from MinIO to S3
Table of Contents
The procedure on this page creates a new object lifecycle management rule that transition objects from a MinIO bucket to a remote storage tier on the Amazon Web Services S3 storage backend or an S3-compatible service. This procedure supports use cases such as tiering objects to low-cost or archival storage after a certain time period or calendar date.
Requirements
Install and Configure mc
This procedure uses mc for performing operations on the MinIO cluster.
Install mc on a machine with network access to both source and destination
clusters. See the mc Installation Quickstart for
instructions on downloading and installing mc.
Use the mc alias set command to create an alias for the source MinIO cluster.
Alias creation requires specifying an access key for a user on the source and
destination clusters. The specified users must have permissions for configuring and
applying transition operations.
Required MinIO Permissions
MinIO requires the following permissions scoped to the bucket or buckets for which you are creating lifecycle management rules.
MinIO also requires the following administrative permissions on the cluster in which you are creating remote tiers for object transition lifecycle management rules:
For example, the following policy provides permission for configuring object transition lifecycle management rules on any bucket in the cluster:.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:SetTier",
"admin:ListTier"
],
"Effect": "Allow",
"Sid": "EnableRemoteTierManagement"
},
{
"Action": [
"s3:PutLifecycleConfiguration",
"s3:GetLifecycleConfiguration"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow",
"Sid": "EnableLifecycleManagementRules"
}
]
}
Required S3 Permissions
Object transition lifecycle management rules require additional permissions on the remote storage tier. Specifically, MinIO requires the remote tier credentials provide read, write, list, and delete permissions for the remote bucket.
For example, the following policy provides the necessary permission for transitioning objects into and out of the remote tier:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyDestinationBucket"
],
"Sid": ""
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyDestinationBucket/*"
],
"Sid": ""
}
]
}
Modify the Resource for the bucket into which MinIO tiers objects.
Refer to the Amazon S3 Permissions documentation for more complete guidance on configuring the required permissions.
Remote Bucket Must Exist
Create the remote S3 bucket prior to configuring lifecycle management tiers or rules using that bucket as the target.
Considerations
Lifecycle Management Object Scanner
MinIO uses a scanner process to check objects against all configured lifecycle management rules. Slow scanning due to high IO workloads or limited system resources may delay application of lifecycle management rules. See Lifecycle Management Object Scanner for more information.
Exclusive Access to Remote Data
MinIO requires exclusive access to the transitioned data on the remote storage tier. MinIO ignores any objects in the remote bucket or bucket prefix not explicitly managed by the MinIO deployment. Automatic transition and transparent object retrieval depend on the following assumptions:
No external mutation, migration, or deletion of objects on the remote storage.
No lifecycle management rules (e.g. transition or expiration) on the remote storage bucket.
MinIO stores all transitioned objects in the remote storage bucket or resource under a unique per-deployment prefix value. This value is not intended to support identifying the source deployment from the backend. MinIO supports an additional optional human-readable prefix when configuring the remote target, which may facilitate operations related to diagnostics, maintenance, or disaster recovery.
MinIO recommends specifying this optional prefix for remote storage tiers which contain other data, including transitioned objects from other MinIO deployments. This tutorial includes the necessary syntax for setting this prefix.
Availability of Remote Data
MinIO tiering behavior depends on the remote storage returning objects immediately (milliseconds to seconds) upon request. MinIO therefore cannot support remote storage which requires rehydration, wait periods, or manual intervention.
MinIO creates metadata for each transitioned object that identifies its location on the remote storage. Applications cannot trivially identify and access a transitioned object independent of MinIO. Availability of the transitioned data therefore depends on the same core protections that erasure coding and distributed deployment topologies provide for all objects on the MinIO deployment. Using object transition does not provide any additional business continuity or disaster recovery benefits.
Workloads that require BC/DR protections should implement MinIO Server-Side replication. Replication ensures objects remains preserved on the remote replication site, such that you can resynchronize from the remote in the event of partial or total data loss. See Resynchronization (Disaster Recovery) for more complete documentation on using replication to recover after partial or total data loss.
Procedure
1) Configure User Accounts and Policies for Lifecycle Management
This step creates users and policies on the MinIO deployment for supporting lifecycle management operations. You can skip this step if the deployment already has users with the necessary permissions.
The following example uses Alpha as a placeholder alias for
the MinIO deployment. Replace this value with the appropriate alias for the
MinIO deployment on which you are configuring lifecycle management rules.
Replace the password LongRandomSecretKey with a long, random, and secure
secret key as per your organizations best practices for password generation.
wget -O - https://minio.org.cn/docs/minio/linux/examples/LifecycleManagementAdmin.json | \
mc admin policy add Alpha LifecycleAdminPolicy /dev/stdin
mc admin user add Alpha alphaLifecycleAdmin LongRandomSecretKey
mc admin policy set Alpha LifecycleAdminPolicy user=alphaLifecycleAdmin
This example assumes that the specified aliases have the necessary permissions for creating policies and users on the deployment. See User Management and MinIO Policy Based Access Control for more complete documentation on MinIO users and policies respectively.
2) Configure the Remote Storage Tier
Use the mc ilm tier add command to add an Amazon S3 service as the
new remote storage tier:
mc ilm tier add s3 TARGET TIER_NAME \
--endpoint https://HOSTNAME \
--access-key ACCESS_KEY \
--secret-key SECRET_KEY \
--bucket BUCKET \
--prefix PREFIX \
--storage-class STORAGE_CLASS \
--region REGION
The example above uses the following arguments:
Argument |
Description |
|---|---|
The |
|
The name to associate with the new S3 remote storage tier. Specify the
name in all-caps, e.g. |
|
The URL endpoint for the S3 storage backend. |
|
The S3 access key MinIO uses to access the bucket. The access key must correspond to an IAM user with the required permissions. |
|
The corresponding secret key for the specified |
|
The name of the bucket on the S3 storage backend to which MinIO transitions objects. |
|
The optional bucket prefix within which MinIO transitions objects. MinIO stores all transitioned objects in the specified MinIO recommends specifying this optional prefix for remote storage tiers which contain other data, including transitioned objects from other MinIO deployments. This prefix should provide a clear reference back to the source MinIO deployment to faciliate ease of operations related to diagnostics, maintenance, or disaster recovery. |
|
The S3 storage class to which MinIO transitions objects. MinIO tiering behavior depends on the remote storage returning objects immediately (milliseconds to seconds) upon request. MinIO therefore cannot support remote storage which requires rehydration, wait periods, or manual intervention. The following S3 storage classes meet MinIO’s requirements as a remote tier:
Omit this value to use the default storage class for the bucket. Specifying this value overrides the bucket storage class. For more information, see Using Amazon S3 storage classes. |
|
The AWS S3 region of the specified |
3) Create and Apply the Transition Rule
Use the mc ilm rule add command to create a new transition rule
for the bucket. The following example configures transition after the
specified number of calendar days:
mc ilm rule add ALIAS/BUCKET \
--transition-tier TIERNAME \
--transition-days DAYS \
--noncurrent-transition-days NONCURRENT_DAYS
--noncurrent-transition-tier TIERNAME
The example above specifies the following arguments:
Argument |
Description |
|---|---|
Specify the |
|
Specify the full path to the bucket for which you are creating the lifecycle management rule. |
|
The remote storage tier to which MinIO transitions objects. Specify the remote storage tier name created in the previous step. If you want to transition noncurrent object versions to a distinct
remote tier, specify a different tier name for
|
|
The number of calendar days after which MinIO marks an object as
eligible for transition. Specify the number of days as an integer,
e.g. |
|
The number of calendar days after which MinIO marks a noncurrent
object version as eligible for transition. MinIO specifically measures
the time since an object became non-current instead of the object
creation time. Specify the number of days as an integer,
e.g. Omit this value to ignore noncurrent object versions. This option has no effect on non-versioned buckets. |
4) Verify the Transition Rule
Use the mc ilm rule ls command to review the configured transition
rules:
mc ilm rule ls ALIAS/PATH --transition
