ECS 2.1 – Manage a tenant


Introduction

ECS provides a number of features to support the management of a tenant.

The following features are supported:
  • Users: The ability to assign a Namespace Admin for the namespace and to create object users for the namespace is described in Add users and assign roles.
  • Quotas: The ability to set quotas on namespaces and buckets is described in Quotas.
  • Retention Periods: The ability to create retention policies is described in Retention periods and policies.
  • Lock buckets and users: The ability to lock buckets and users is described in Lock buckets and users.
  • Metering: The ability to meter the writing of data to buckets and namespaces is described in Metering.
  • Audit buckets: The ability to audit the operations associated with buckets is described in Audit buckets.

Quotas

You can set soft and hard quotas on a namespace and on buckets created within a namespace.

Soft quotas cause events to be logged to inform you that the quota has been reached. Hard quotas provide a hard limit on the amount of object storage that can be used for a bucket or namespace: when the limit is reached, access to the bucket or namespace is blocked.

Quotas can be set from the ECS Portal or using the API and the CLI.

Setting quotas from the portal

You can set quotas for a namespace from the Manage > Namespace page, as described in Configure a namespace for a tenant.

Quotas for a bucket are set from the Manage > Bucket page, as described in Create and configure buckets.

Setting quotas using the API

The following API paths provide the ability to set quotas:

You can find more information about the ECS Management REST API in Use the ECS Management REST API and in the online reference.


Retention periods and policies

ECS provides the ability to prevent data being modified within a specified retention period.

Retention periods can be defined in metadata associated with objects and buckets and are checked each time a request to modify an object is made. Retention periods are supported on all object interfaces: S3, Swift, Atmos, and CAS. However, CAS data is immutable, so the retention period when applied to CAS refers to the ability to delete CAS objects.

While the retention period for a bucket can be set at the ECS Portal, the assignment of a retention period, or policy, to an object must be performed using the object interface.

There are two ways of defining retention: retention periods and retention policies.

Retention Periods

Retention periods are assigned at the object or bucket level. Where a retention period is assigned on a bucket, each time an attempt is made to modify an object within a bucket, the retention period for the bucket is checked and an expiration time calculated.

For example, a financial document might need to be retained for 3 years from the date on which it is created. It is also possible to specify that the object is retained indefinitely.

Retention Policies

Retention policies enable retention use cases to be captured and applied to objects. For example, different types of documents could have different retention periods. You could require the following retention periods:
  • Financial - 3 years
  • Legal - 5 years
  • Email - 6 months

Where a retention policy is applied to a number of objects, by changing the policy, the retention period for all objects to which the policy has been applied can be changed.

How to create retention policies

You can configure the retention policies that are available for the namespace from the ECS Portal, refer to: or you can create them using the ECS Management REST API, a summary of which is provided below.

You can find out how to access the ECS Management REST API in the following article: Use the ECS Management REST API. An online reference is also available.

How to apply retention policies and periods

You can apply retention periods to buckets at the ECS Portal.

When you create objects or buckets using the object service protocols, for example, when you create an S3 bucket using a client that supports the S3 protocol, you can apply the retention period or retention policy using x-emc headers.

When you create objects, you can apply the following retention period and retention policy headers:
  • x-emc-retention-period
  • x-emc-retention-policy

When you create a bucket, you can set the retention period using the x-emc-retention-period header.
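
The check described above, modelled as an added example (not ECS code): it resolves the retention that governs an object from the bucket period and the x-emc-retention-period / x-emc-retention-policy headers, and shows that editing a policy changes the outcome for objects already written. Assumptions, none of them stated on this page: periods are in seconds, -1 means indefinite, and the longest applicable period wins; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

DAY = 86400
INDEFINITE = -1  # assumed sentinel for "retain indefinitely" (not stated on the page)

# The page's example policies in seconds (assumed unit; year and month lengths approximated).
POLICIES = {"Financial": 3 * 365 * DAY, "Legal": 5 * 365 * DAY, "Email": 182 * DAY}


def effective_period(headers, bucket_period, policies):
    """Resolve the period governing one object (assumption: the longest one wins)."""
    periods = [bucket_period]
    if "x-emc-retention-period" in headers:
        periods.append(int(headers["x-emc-retention-period"]))
    if "x-emc-retention-policy" in headers:
        # Looked up at check time, so editing the policy affects existing objects.
        # An unknown policy name raises KeyError rather than silently allowing the write.
        periods.append(policies[headers["x-emc-retention-policy"]])
    return INDEFINITE if INDEFINITE in periods else max(periods)


def expiration(created, period):
    """Return the time at which retention ends, or None if it never ends."""
    return None if period == INDEFINITE else created + timedelta(seconds=period)


def may_modify(created, headers, bucket_period, policies, now):
    """Decision taken on each request to modify an object."""
    exp = expiration(created, effective_period(headers, bucket_period, policies))
    return exp is not None and now >= exp


if __name__ == "__main__":
    # Constructed sample object: written 2020-01-01 under the "Financial" policy.
    created = datetime(2020, 1, 1, tzinfo=timezone.utc)
    hdrs = {"x-emc-retention-policy": "Financial"}
    now = datetime(2023, 1, 2, tzinfo=timezone.utc)
    print("3-year policy, modify allowed:", may_modify(created, hdrs, 0, POLICIES, now))
    longer = dict(POLICIES, Financial=5 * 365 * DAY)  # policy edited after the write
    print("5-year policy, modify allowed:", may_modify(created, hdrs, 0, longer, now))
```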


Lock buckets and users

ECS provides the ability to prevent access to a bucket and to prevent user access.

Support for the bucket and user lock operations is provided by the ECS Management REST API. There is no support for locking buckets and users in the ECS Portal. The following calls are supported:

You can find out how to access the ECS Management REST API in the following article: Use the ECS Management REST API. An online reference is also available.


Metering

ECS provides support for metering the use of the object storage at the namespace and bucket level.

Metering using the portal

You can use the ECS Portal to monitor the use of namespaces and buckets. The Monitor > Metering page enables a namespace or a specific bucket from a namespace to be selected and its metering data displayed.

Note: Metering data is not available immediately, as it can take a significant amount of time to gather the statistics for data added to the system and deleted from the system.


Refer to Monitor storage: metering and capacity for more information on accessing these details.

Metering using the API

The following API paths provide the ability to retrieve metering information:

You can find more information about the ECS Management REST API in Use the ECS Management REST API and in the online reference.


Audit buckets

The controller API provides the ability to audit the use of the S3, EMC Atmos, and OpenStack Swift object interfaces.

The following operations on object containers (S3 buckets, EMC Atmos subtenants, and OpenStack Swift containers) are logged:
  • Create Bucket
  • Delete Bucket
  • Update Bucket
  • Set Bucket ACL
  • Change Bucket Owner
  • Set Bucket Versioning
  • Set Bucket Versioning Source
  • Set Bucket Metadata
  • Set Bucket Head Metadata
  • Set Bucket Expiration Policy
  • Delete Bucket Expiration Policy
  • Set Bucket Cors Configuration
  • Delete Bucket Cors Configuration

Audit logging at the portal

You can use the Portal Monitor > Events page to detect the generation of an audit log event.

The root user should only be used for initial access to the system. On initial access, the root user password should be changed at the Settings > Password page and one or more new System Admin accounts should be created. From an audit perspective, it is important to know which user carried out changes to the system, so root should not be used, and each System Admin user should have their own account.

You can refer to Monitor events: audit portal, API, and CLI events and system alerts for more information on using the events log.

Audit API

Support for bucket auditing is provided by the following ECS Management REST API calls:

You can find more information about the ECS Management REST API in Use the ECS Management REST API and in the online reference.
