Transition objects from MinIO AIStor to Azure

The procedure on this page creates a new object lifecycle management rule that transition objects from an MinIO AIStor bucket to a remote storage tier on the storage backend. This procedure supports use cases like moving aged data to low-cost public cloud storage solutions after a certain time period or calendar date.

This procedure uses mc for performing operations on the MinIO AIStor cluster. Install mc on a machine with network access to both source and destination clusters. See the mc Installation Quickstart for instructions on downloading and installing mc.

Use the mc alias set command to create an alias for the source MinIO AIStor cluster. Alias creation requires specifying an access key for a user on the source and destination clusters. The specified users must have permissions for configuring and applying transition operations.

MinIO AIStor requires the following permissions scoped to the bucket or buckets for which you are creating lifecycle management rules.

• s3:PutLifecycleConfiguration
• s3:GetLifecycleConfiguration

MinIO AIStor also requires the following administrative permissions on the cluster in which you are creating remote tiers for object transition lifecycle management rules:

• admin:SetTier
• admin:ListTier

For example, the following policy provides permission for configuring object transition lifecycle management rules on any bucket in the cluster:

{
   "Version": "2012-10-17",
   "Statement": [
      {
            "Action": [
               "admin:SetTier",
               "admin:ListTier"
            ],
            "Effect": "Allow",
            "Sid": "EnableRemoteTierManagement"
      },
      {
            "Action": [
               "s3:PutLifecycleConfiguration",
               "s3:GetLifecycleConfiguration"
            ],
            "Resource": [
                        "arn:aws:s3:::*"
            ],
            "Effect": "Allow",
            "Sid": "EnableLifecycleManagementRules"
      }
   ]
}

Object transition lifecycle management rules require additional permissions on the remote storage tier. Specifically, MinIO AIStor requires the credentials to provide read, write, list, and delete permissions for the remote storage account and container.

Refer to the Azure RBAC documentation for more complete guidance on configuring the required permissions.

Create the remote Azure storage account and container prior to configuring lifecycle management tiers or rules using that resource as the target. When creating the Azure storage account, ensure the storage account corresponds to either Standard or Premium blob storage with the locally redundant storage (LRS) redundancy option. The Azure Go SDK API used by MinIO AIStor does not support any other redundancy options.

If you set a Storage Account default access tier, MinIO AIStor uses that default if you do not specify a storage class when defining the remote tier. Ensure you document the settings of both your Azure storage account and MinIO AIStor tiering configuration to avoid any potential confusion, misconfiguration, or other unexpected outcomes.

For more information on Azure storage accounts, see Storage accounts.

MinIO AIStor requires exclusive access to the transitioned data on the remote storage tier. Object metadata on the “hot” MinIO AIStor source is strongly linked to the object data on the “warm/cold” remote tier. MinIO AIStor cannot retrieve object data without access to the remote, nor can the remote be used to restore lost metadata on the source.

All access to the transitioned objects must occur through MinIO AIStor via S3 API operations only. Manually modifying a transitioned object - whether the metadata on the “hot” MinIO AIStor tier or the object data on the remote “warm/cold” tier - may result in loss of that object data.

MinIO AIStor ignores any objects in the remote bucket or bucket prefix not explicitly managed by the MinIO AIStor deployment. Automatic transition and transparent object retrieval depend on the following assumptions:

• No external mutation, migration, or deletion of objects on the remote storage.
• No lifecycle management rules (e.g. transition or expiration) on the remote storage bucket.

MinIO AIStor stores all transitioned objects in the remote storage bucket or resource under a unique per-deployment prefix value. This value is not intended to support identifying the source deployment from the backend. MinIO AIStor supports an additional optional human-readable prefix when configuring the remote target, which may facilitate operations related to diagnostics, maintenance, or disaster recovery.

MinIO recommends specifying this optional prefix for remote storage tiers which contain other data, including transitioned objects from other MinIO AIStor deployments. This tutorial includes the necessary syntax for setting this prefix.

MinIO AIStor tiering behavior depends on the remote storage returning objects immediately (milliseconds to seconds) upon request. MinIO AIStor therefore cannot support remote storage which requires rehydration, wait periods, or manual intervention.

MinIO AIStor creates metadata for each transitioned object that identifies its location on the remote storage. Applications cannot trivially identify and access a transitioned object independent of MinIO AIStor. Availability of the transitioned data therefore depends on the same core protections that erasure coding and distributed deployment topologies provide for all objects on the MinIO AIStor deployment. Using object transition does not provide any additional business continuity or disaster recovery benefits.

Workloads that require protections should implement MinIO AIStor Server-Side replication. Replication ensures objects remain preserved on the remote replication site, such that you can resynchronize from the remote in the event of partial or total data loss. See Resynchronization (Disaster Recovery) for more complete documentation on using replication to recover after partial or total data loss.

1. Configure user accounts and policies for lifecycle management

   This step creates users and policies on the MinIO AIStor deployment for supporting lifecycle management operations. You can skip this step if the deployment already has users with the necessary permissions.

   The following example uses myaistor as a placeholder alias for the MinIO AIStor deployment. Replace this value with the appropriate alias for the MinIO AIStor deployment on which you are configuring lifecycle management rules. Replace the password LongRandomSecretKey with a long, random, and secure secret key as per your organizations best practices for password generation.

   wget -O - https://docs.min.io/enterprise/aistor-object-store/LifecycleManagementAdmin.json | \
   mc admin policy create myaistor LifecycleAdminPolicy /dev/stdin
   mc admin user add myaistor alphaLifecycleAdmin LongRandomSecretKey
   mc admin policy attach myaistor LifecycleAdminPolicy --user=alphaLifecycleAdmin
   

   This example assumes that the specified aliases have the necessary permissions for creating policies and users on the deployment. See User Management and MinIO AIStor Policy Based Access Control for more complete documentation on MinIO AIStor users and policies respectively.

2. Configure the remote storage tier

   Use the mc ilm tier add command to add a new remote storage tier:

   mc ilm tier add azure TARGET TIER_NAME \
      --account-name ACCOUNT \
      --account-key KEY \
      --bucket CONTAINER \
      --endpoint ENDPOINT \
      --prefix PREFIX \
      --storage-class STORAGE_CLASS
   

   The example above uses the following arguments:

   Argument	Description
   TARGET	The alias of the MinIO AIStor deployment on which to configure the remote tier.
   TIER_NAME	The name to associate with the new blob remote storage tier. Specify the name in all-caps, for example AZURE_TIER. This value is required in the next step.
   ACCOUNT	The Storage Account to use as the remote storage resource. You cannot change this account name after creating the tier.
   KEY	The corresponding shared account key for the specified ACCOUNT. The account key must have an assigned Azure policy with the required permissions. See Managing storage account access keys for more information.
   CONTAINER	The name of the container on the storage backend to which MinIO AIStor transitions objects.
   ENDPOINT	(Optional) The full URL of the Azure blob storage backend to which MinIO AIStor transitions objects. Defaults to https://ACCOUNT.blob.core.windows.net if not specified.
   PREFIX	The optional container prefix within which MinIO AIStor transitions objects. MinIO AIStor stores all transitioned objects in the specified BUCKET under a unique per-deployment prefix value. Omit this argument to use only that value for isolating and organizing data within the remote storage. MinIO recommends specifying this optional prefix for remote storage tiers which contain other data, including transitioned objects from other MinIO AIStor deployments. This prefix should provide a clear reference back to the source MinIO AIStor deployment to facilitate ease of operations related to diagnostics, maintenance, or disaster recovery.
   STORAGE_CLASS	The Azure access tier MinIO AIStor applies to objects transitioned to the Azure container. MinIO AIStor tiering behavior depends on the remote storage returning objects immediately (milliseconds to seconds) upon request. MinIO AIStor therefore cannot support remote storage which requires rehydration, wait periods, or manual intervention. The following Azure access tiers meet MinIO’s requirements as a remote tier: - Hot - Cool For more information, see Hot, cool, and archive access tiers for blob data.

3. Create and apply the transition rule

   Use the mc ilm rule add command to create a new transition rule for the bucket. The following example configures transition after the specified number of calendar days:

   mc ilm rule add ALIAS/BUCKET \
   --transition-tier TIERNAME \
   --transition-days DAYS \
   --noncurrent-transition-days NONCURRENT_DAYS
   --noncurrent-transition-tier TIERNAME
   

   The example above specifies the following arguments:

   Argument	Description
   ALIAS	Specify the alias of the MinIO AIStor deployment for which you are creating the lifecycle management rule.
   BUCKET	Specify the full path to the bucket for which you are creating the lifecycle management rule.
   TIERNAME	The remote storage tier to which MinIO AIStor transitions objects. Specify the remote storage tier name created in the previous step. If you want to transition noncurrent object versions to a distinct remote tier, specify a different tier name for --noncurrent-transition-tier.
   DAYS	The number of calendar days after which MinIO AIStor marks an object as eligible for transition. Specify the number of days as an integer, e.g. 30 for 30 days.
   NONCURRENT_DAYS	The number of calendar days after which MinIO AIStor marks a noncurrent object version as eligible for transition. MinIO AIStor specifically measures the time since an object became non-current instead of the object creation time. Specify the number of days as an integer, for example 90 for 90 days. Omit this value to ignore noncurrent object versions. This option has no effect on non-versioned buckets.

4. Verify the transition rule

   Use the mc ilm rule ls command to review the configured transition rules:

   mc ilm rule ls ALIAS/PATH --transition
   

   • Replace ALIAS with the alias of the MinIO AIStor deployment.
   • Replace PATH with the name of the bucket for which to retrieve the configured lifecycle management rules.