# Object Storage - Features

## Structure <a href="#objectstoragearchitecture-structure" id="objectstoragearchitecture-structure"></a>

### **Object Store** <a href="#objectstoragearchitecture-objectstores" id="objectstoragearchitecture-objectstores"></a>

An **Object Store** is a logically delimited container for **Buckets** and **Objects** stored in cegedim.cloud Object Storage Service.

It comes with a dedicated **Object User**, which is the only one authorized to view and manage objects within this **Object Store**. You can create other Object Users.

When creating an Object Store, you have to choose:

* A simple name
* A data center
  * **EB4 -->** data will only be located in **EB4 - Boulogne** data center
  * **ET1 -->** data will only be located in **ET1 - Toulouse** data center
  * **EB4-ET1 -->** Data is replicated over **EB4** and **ET1** and is accessible from both data centers

You are not limited and can create as many **Object Stores** as you need.

Nevertheless, it can be better to use **Bucket separation** for objects within the same application, or between different applications.

We recommend using **Object Store** at the Project or "*Group of projects*" level, and Bucket at the "*File typology*" level.

{% hint style="info" %}
For more information about **Object Store** creation, read [object-storage-get-started](https://academy.cegedim.cloud/storage/object-storage/object-storage-get-started "mention").
{% endhint %}

### **Buckets** <a href="#objectstoragearchitecture-buckets" id="objectstoragearchitecture-buckets"></a>

A **Bucket** is a logically delimited container for objects. Each object in the cegedim.cloud Object Storage Service is located in a **Bucket**.

A **Bucket** can be created using an **S3 client**, and has attributes you can use to control the behavior of the **Bucket** and its objects, for example:

* `VersioningPolicy`, which allows you to configure how many versions of a file have to be kept by cegedim.cloud Object Storage Service
* `BucketPolicy`, which allows you to configure permissions and restrictions for objects in the bucket

### **Objects** <a href="#objectstoragearchitecture-objects" id="objectstoragearchitecture-objects"></a>

An object is what we call a file on a classic file system. Each object belongs to a **Bucket** and has a `key` as its unique identifier.

Note that folders do not exist in cegedim.cloud Object Storage Service, but you can use **prefixes** and **delimiters** to organize the data that you store in **Buckets**.

A **prefix** is a string of characters at the beginning of the object key name.\
A **delimiter** is a character, usually the slash '`/`', used to separate each level of objects and simulate a file-system-like structure.

For example, if you store information about customers, organized by year and month:

```
customer1/2020/03
customer1/2020/04
customer1/2021/05
customer2/2020/03
customer2/2021/02
```

In this example '`/`' is the delimiter, and '`customer1/2020/`' can be a prefix.
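As an added example (not part of the cegedim.cloud documentation), the following Python function reproduces how an S3 listing groups the keys above when a prefix and a delimiter are supplied; it assumes the standard S3 `ListObjects` semantics, where rolled-up "folders" come back as `CommonPrefixes` and individual keys as `Contents`.

```python
# Constructed sample keys, laid out like the listing above.
SAMPLE_KEYS = [
    "customer1/2020/03",
    "customer1/2020/04",
    "customer1/2021/05",
    "customer2/2020/03",
    "customer2/2021/02",
]


def list_objects(keys, prefix="", delimiter=None):
    """Group keys the way an S3 ListObjects call does.

    Keys that do not start with `prefix` are skipped. When a delimiter is
    given, the part of the key after the prefix up to and including the first
    delimiter is rolled up into one CommonPrefixes entry (the "folder"); keys
    with no delimiter after the prefix are returned individually in Contents.
    """
    contents, common_prefixes = [], []
    for key in sorted(keys):          # S3 returns keys in binary (UTF-8) order
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            folder = prefix + rest.split(delimiter, 1)[0] + delimiter
            if folder not in common_prefixes:
                common_prefixes.append(folder)
        else:
            contents.append(key)
    return {"Contents": contents, "CommonPrefixes": common_prefixes}
```

Note that a prefix is any leading string, not necessarily a whole "folder": `prefix="customer"` with delimiter `/` still rolls the keys up into `customer1/` and `customer2/`.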

## Diagram

<figure><picture><source srcset="https://835168969-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2FXoHyOBZPpJv3UALn4V%2Fuploads%2Fgit-blob-9c104d1d7da31945c67589e6b3b1eb84cb2f5d5b%2Fbucket_dark_fr.png?alt=media" media="(prefers-color-scheme: dark)"><img src="https://835168969-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2FXoHyOBZPpJv3UALn4V%2Fuploads%2Fgit-blob-51de0504d324b966185252f1ca022d749e1d6cab%2Fbucket_light_fr.png?alt=media" alt=""></picture><figcaption><p>Object storage diagram</p></figcaption></figure>

### S3 API Compatibility <a href="#objectstoragearchitecture-s3apicompatibility" id="objectstoragearchitecture-s3apicompatibility"></a>

Check the following page [s3-api-compatibility](https://academy.cegedim.cloud/storage/object-storage/object-storage-features/s3-api-compatibility "mention") for the list of supported and unsupported S3 APIs and the special behaviors of the object storage solution of cegedim.cloud.

## Endpoints <a href="#objectstoragearchitecture-authentification" id="objectstoragearchitecture-authentification"></a>

cegedim.cloud object storage solution provides two access endpoints:

* <https://storage-eb4.cegedim.cloud>
  * Allows you to use the Object Storage Service from the **EB4 - Boulogne** data center.
* <https://storage-et1.cegedim.cloud>
  * Allows you to use the Object Storage Service from the **ET1 - Toulouse** data center.

### Geo-Replicated

For **Geo-replicated** Object Stores (**EB4-ET1**), both endpoints allow you to access your objects.

{% hint style="info" %}
If you upload an object using the **EB4** endpoint, **EB4** will become the '***owner***' of the object, and vice versa for **ET1**.
{% endhint %}

## Authentication <a href="#objectstoragearchitecture-authentification" id="objectstoragearchitecture-authentification"></a>

### Object User <a href="#objectstoragearchitecture-objectuser" id="objectstoragearchitecture-objectuser"></a>

Access to **Buckets** is done using an Object User.

When an Object Store is created, an Object User known as the "**Initial S3 user**" is automatically created. Each Object User has an `access_Key` and a `secret_Key`. Both are randomly generated by cegedim.cloud Object Storage Service.

You can have more than one Object User per Object Store. An Object User is linked to only one Object Store, and can't be used to perform operations on another Object Store.

{% hint style="info" %}
For more information about **Object Users**, refer to [manage-object-users](https://academy.cegedim.cloud/storage/object-storage/object-storage-get-started/manage-object-users "mention").
{% endhint %}

### Secret Key Renewal <a href="#objectstoragearchitecture-secretkeyrenewal" id="objectstoragearchitecture-secretkeyrenewal"></a>

At any time, you can re-generate the secret key of an **Object User**, for security reasons or when the **Object User** is compromised.

When changing the secret key, you can add a "*grace period*", during which both the old and the new secret key are valid and accepted by cegedim.cloud Object Storage Service.

## Authorizations <a href="#objectstoragearchitecture-autorisations" id="objectstoragearchitecture-autorisations"></a>

Authorizations are managed at the **Bucket** level, using **Bucket Policies**.

**Bucket Policies** allow fine-grained management of the permissions applied to objects and Object Users, optionally based on conditional statements such as the `access_key` of the Object User or the `Source Address IP`.

When creating a Bucket, there is no Bucket Policy by default and the bucket **is not public**.

That means only the Object User who created the bucket can access it.

{% hint style="info" %}
For more information about Bucket Policy, refer to [bucket-policies](https://academy.cegedim.cloud/storage/object-storage/object-storage-features/bucket-policies "mention").
{% endhint %}

## Secured Transport <a href="#objectstoragearchitecture-securedtransport" id="objectstoragearchitecture-securedtransport"></a>

cegedim.cloud Object Storage Service is only available through the protocol **HTTPS** on port **443**.

## Log Management <a href="#objectstoragearchitecture-logmanagement" id="objectstoragearchitecture-logmanagement"></a>

{% hint style="warning" %}
**S3 Bucket logging** is not supported by cegedim.cloud Object Storage Service.
{% endhint %}

Any request or operation on the cegedim.cloud Object Storage Service is logged internally by cegedim.cloud.

Logs include operations on **Object Stores** and **Object Users**, and also operations done at the bucket and object level (GET, PUT, DELETE, ...).

If you need a log extraction for your **Object Storage** resources, please contact the cegedim.cloud support teams.

## Features

### Presigned URL <a href="#title-text" id="title-text"></a>

cegedim.cloud Object Storage Service supports sharing objects using presigned URLs. You can share objects with others by creating a presigned URL.

When you create a presigned URL, you must provide:

* Your security credentials
* A bucket name and an object key
* An HTTP method (PUT for uploading objects)
* An expiration time

The presigned URLs are valid only for the specified duration.

{% hint style="info" %}
For more information about **Presigned URL**, refer to [presigned-url](https://academy.cegedim.cloud/storage/object-storage/object-storage-features/presigned-url "mention").
{% endhint %}
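As an added example (not code from cegedim.cloud), the function below shows how the four inputs listed above combine into an AWS Signature Version 4 presigned URL, using only the Python standard library. It assumes path-style addressing on the EB4 endpoint from this page and a region string of `us-east-1` in the credential scope; the access key, secret and bucket in `example_url` are constructed placeholders.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

ENDPOINT_HOST = "storage-eb4.cegedim.cloud"   # EB4 endpoint from this page
REGION = "us-east-1"   # assumption: region string used in the credential scope


def presign_url(access_key, secret_key, bucket, obj_key, method="PUT",
                expires=900, now=None):
    """Build a SigV4 query-string presigned URL (path-style addressing) from
    the inputs the page lists: credentials, bucket/key, HTTP method, expiry."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{REGION}/s3/aws4_request"
    path = "/" + urllib.parse.quote(f"{bucket}/{obj_key}", safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, values percent-encoded ('/' too).
    query = "&".join(f"{k}={urllib.parse.quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        method, path, query,
        f"host:{ENDPOINT_HOST}\n",   # canonical headers, then a blank line
        "host",                      # signed headers
        "UNSIGNED-PAYLOAD",          # presigned URLs do not sign the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derive the signing key: kDate -> kRegion -> kService -> kSigning.
    signing_key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], REGION, "s3", "aws4_request"):
        signing_key = hmac.new(signing_key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(signing_key, string_to_sign.encode(),
                         hashlib.sha256).hexdigest()
    return f"https://{ENDPOINT_HOST}{path}?{query}&X-Amz-Signature={signature}"

def example_url():
    """Deterministic sample using constructed placeholder credentials."""
    fixed_now = datetime(2024, 6, 30, 12, 0, 0, tzinfo=timezone.utc)
    return presign_url("AKIAEXAMPLE", "placeholder-secret", "mybucket",
                       "reports/q1.csv", expires=600, now=fixed_now)
```

The service checks `X-Amz-Date` plus `X-Amz-Expires` against its own clock, so the URL stops working after the expiry even though the signature itself never changes.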

### Bucket Policy Support <a href="#objectstoragearchitecture-bucketpolicysupport" id="objectstoragearchitecture-bucketpolicysupport"></a>

cegedim.cloud Object Storage Service supports the setting of **S3 bucket policies**.

Bucket policies provide specific users, or all users, conditional and granular permissions for specific actions.

Policy conditions can be used to assign permissions for a range of objects that match the condition and can be used to automatically assign permissions to newly uploaded objects.

Bucket policy example:

{% code lineNumbers="true" %}

```json
{
    "Version": "2012-10-17",
    "Id": "policyExample",
    "Statement": [
        {
            "Sid": "Granting PutObject permission to user24",
            "Effect": "Allow",
            "Principal": "user24",
            "Action": ["s3:PutObject"],
            "Resource": ["mybucket/*"],
            "Condition": {
                "StringEquals": {"s3:x-amz-server-side-encryption": ["AES256"]}
            }
        }
    ]
}
```

{% endcode %}
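As an added example (not cegedim.cloud code), this small evaluator applies the policy above to sample requests and shows the part that is easy to miss: a request that does not carry the `s3:x-amz-server-side-encryption: AES256` header fails the condition and falls through to the implicit deny. It assumes the page's principal format (a plain user name or `*`) and models only the `StringEquals` condition operator.

```python
import fnmatch
import json

# The policy shown above, loaded as data.
POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "policyExample",
  "Statement": [{
    "Sid": "Granting PutObject permission to user24",
    "Effect": "Allow",
    "Principal": "user24",
    "Action": ["s3:PutObject"],
    "Resource": ["mybucket/*"],
    "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": ["AES256"]}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    # Only StringEquals is modelled (enough for the policy above). A context
    # key the request did not send makes the condition false.
    for key, wanted in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def evaluate(policy, principal, action, resource, context=None):
    """Decide 'Allow' or 'Deny' for one request: an explicit Deny wins,
    a fully matching Allow grants, and anything unmatched is an implicit Deny."""
    context = context or {}
    decision = "Deny"
    for statement in policy["Statement"]:
        principals = _as_list(statement["Principal"])
        if principal not in principals and "*" not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```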

{% hint style="info" %}
For more information about **Bucket Policies**, refer to [bucket-policies](https://academy.cegedim.cloud/storage/object-storage/object-storage-features/bucket-policies "mention").
{% endhint %}

### Object lifecycle management <a href="#objectstoragearchitecture-objectlifecyclemanagement" id="objectstoragearchitecture-objectlifecyclemanagement"></a>

cegedim.cloud Object Storage Service supports **S3 Lifecycle Configuration** on both version-enabled buckets and non-version-enabled buckets.

An S3 Lifecycle Configuration is a set of rules that define the actions applied to a group of objects. Only **Expiration actions** are supported.

You can define an **S3 Lifecycle Configuration** to automatically delete objects.

Lifecycle configuration example:

{% code lineNumbers="true" %}

```json
{
    "Rules": [
        {
            "Expiration": {
                "Days": 30
            },
            "ID": "lifecycle-expire-non-current-and-mpu",
            "Prefix": "",
            "Status": "Enabled",
            "NoncurrentVersionExpiration": {
                "NoncurrentDays": 1
            },
            "AbortIncompleteMultipartUpload": {
                "DaysAfterInitiation": 1
            }
        }
    ]
}
```

{% endcode %}
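As an added example (not cegedim.cloud code), this Python function applies the rule above to a constructed set of object versions and in-progress multipart uploads and returns what each clause of the rule would do at a given moment. The timestamps, keys and upload IDs are constructed sample data; `NoncurrentDays` is counted from the time a version became noncurrent, following the S3 semantics.

```python
from datetime import datetime, timedelta, timezone

# The rule set from the configuration above (Expiration actions only).
LIFECYCLE = {"Rules": [{
    "ID": "lifecycle-expire-non-current-and-mpu", "Prefix": "", "Status": "Enabled",
    "Expiration": {"Days": 30},
    "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
    "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1},
}]}
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)   # constructed evaluation time
# Constructed versions: `since` is the upload time of a current version, or the
# time a noncurrent version was superseded.
VERSIONS = [
    {"key": "reports/q1.csv", "version": "v1", "is_latest": True, "since": NOW - timedelta(days=60)},
    {"key": "reports/q2.csv", "version": "v2", "is_latest": True, "since": NOW - timedelta(days=5)},
    {"key": "reports/q2.csv", "version": "v1", "is_latest": False, "since": NOW - timedelta(days=2)},
    {"key": "logs/app.log", "version": "v1", "is_latest": False, "since": NOW - timedelta(hours=6)},
]
UPLOADS = [   # constructed in-progress multipart uploads
    {"key": "backup/full.bin", "upload_id": "mpu-1", "initiated": NOW - timedelta(days=10)},
    {"key": "backup/incr.bin", "upload_id": "mpu-2", "initiated": NOW - timedelta(hours=1)},
]

def evaluate_lifecycle(config, versions, uploads, now):
    """Return (action, key, id) tuples the enabled rules would produce at `now`."""
    actions = []
    for rule in config["Rules"]:
        if rule.get("Status") != "Enabled":
            continue
        prefix = rule.get("Prefix", "")
        exp = rule.get("Expiration", {}).get("Days")
        noncurrent = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        mpu = rule.get("AbortIncompleteMultipartUpload", {}).get("DaysAfterInitiation")
        for v in versions:
            if not v["key"].startswith(prefix):
                continue
            age = now - v["since"]
            if v["is_latest"] and exp is not None and age >= timedelta(days=exp):
                # On a versioned bucket this places a delete marker; on a
                # non-versioned bucket the object itself is removed.
                actions.append(("expire", v["key"], v["version"]))
            elif not v["is_latest"] and noncurrent is not None and age >= timedelta(days=noncurrent):
                actions.append(("delete-noncurrent", v["key"], v["version"]))
        for u in uploads:
            if u["key"].startswith(prefix) and mpu is not None and now - u["initiated"] >= timedelta(days=mpu):
                actions.append(("abort-mpu", u["key"], u["upload_id"]))
    return actions
```

With the sample data, the 60-day-old current version expires, the 2-day-old noncurrent version is deleted, and the 10-day-old multipart upload is aborted; the 6-hour-old noncurrent version and the 1-hour-old upload are left alone.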

{% hint style="info" %}
For more information about **Lifecycle Configuration**, refer to [bucket-lifecycle](https://academy.cegedim.cloud/storage/object-storage/object-storage-features/bucket-lifecycle "mention").
{% endhint %}

### S3 Object Lock <a href="#objectstoragearchitecture-s3objectlock" id="objectstoragearchitecture-s3objectlock"></a>

cegedim.cloud Object Storage Service supports **Object Lock configuration**.

**Object Lock** prevents object version deletion during a user-defined retention period. Immutable S3 objects are protected using **object-** or **bucket-level** configuration of **WORM** and retention attributes.

The retention policy is defined using the **S3 API** or bucket-level defaults.

Objects are locked for the duration of the retention period, and legal hold scenarios are also supported.

There are two lock types for **Object lock**:

* **Retention period:** Specifies a fixed period of time during which an object version remains locked. During this period, your object version is **WORM-protected** and can't be overwritten or deleted.
* **Legal hold:** Provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods.

There are **two modes** for the retention period:

<details>

<summary>Governance mode</summary>

Users can't overwrite or delete an object version or alter its lock settings unless they have special permissions.

With **Governance mode**, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.

You can also use **Governance mode** to test retention-period settings before creating a compliance-mode retention period.

* Users cannot overwrite or delete an object version.
* Users with `s3:PutObjectRetention` permission can increase an object retention period.
* Users with special `s3:BypassGovernanceRetention` permission can remove or shorten an object retention.
* Users with `s3:BypassGovernanceRetention` permission can also delete locked objects.

</details>

<details>

<summary>Compliance mode</summary>

A protected object version **can't be overwritten** or **deleted** by any user, including the root user in your account.

When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened.

**Compliance mode** helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.

* Users cannot overwrite or delete an object version.
* Users with `s3:PutObjectRetention` permission can **increase** an object retention period.
* Users **cannot remove** or shorten an object retention.

</details>

{% hint style="danger" %}
In **Compliance mode**, if you applied a wrong retention period (e.g. 6 years instead of 6 days), cegedim.cloud has no way to delete the object or to shorten the retention period.

A good practice is to start with **Governance mode** to perform tests, and then switch to **Compliance mode**.
{% endhint %}

{% hint style="info" %}
For more information about **Object Lock**, refer to [object-lock](https://academy.cegedim.cloud/storage/object-storage/object-storage-features/object-lock "mention").
{% endhint %}
