Consider legal holds on NeoFS objects #90

Open
opened 2025-12-28 18:08:29 +00:00 by sami · 2 comments

Originally created by @alexvanin on GitHub (Jun 9, 2022).

## Is your feature request related to a problem? Please describe.

The S3 protocol defines the [Object Lock legal hold](https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-legal-hold.html) operation. This operation locks an object for an indefinite period of time. This lock can be removed.

As we decided [here](https://github.com/nspcc-dev/neofs-node/issues/1227#issuecomment-1083186577), NeoFS locks cannot be removed and must have an expiration, see https://github.com/nspcc-dev/neofs-api/pull/221. This is suitable for retention locks in compliance mode, but it does not work with legal holds.

## Describe the solution you'd like

As we discussed this with @realloc some time ago, there was a proposal to implement legal holds as a smart contract. This way we avoid API changes.

```mermaid
sequenceDiagram
    actor User
    User->> Alphabet Nodes: Lock cid/oid
    note right of User: Notary invocation of Legal Hold contract
    Alphabet Nodes-->>Alphabet Nodes: Collect multisignature
    Alphabet Nodes->>Legal Hold Contract: Lock cid/oid
    Legal Hold Contract ->> Storage Nodes: Notification
    User ->> Storage Nodes: Delete cid/oid
    activate Storage Nodes
    Storage Nodes --x User: Deny
    deactivate Storage Nodes

    User->> Alphabet Nodes: Unlock cid/oid
    Alphabet Nodes-->>Alphabet Nodes: Collect multisignature
    Alphabet Nodes->>Legal Hold Contract: Unlock cid/oid
    Legal Hold Contract ->> Storage Nodes: Notification
    User ->> Storage Nodes: Delete cid/oid
    activate Storage Nodes
    Storage Nodes ->> User: Ok
    deactivate Storage Nodes
```

Q: Who has the right to trigger a legal hold?
A: In a public network -- nobody. In a private network -- some set of keys defined in the legal hold contract.

Q: How does a storage node store legal hold information?
A: In the metabase. Maybe we can ask the contract on every `DELETE` request.

Q: What if the metabase is lost on a SN?
A: Resync the list of legal hold objects from the contract at startup.

@fyrchik commented on GitHub (Jun 23, 2022):

  1. Add methods to the container contract.
  2. Node makes some local marks.
  3. Synchronize during restart and on epoch tick.
  4. TODO determine who can create legal holds
  5. TODO try hold containers, check if it plays nicely with S3 spec
  6. Container with active holds should not be removed.
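The flow proposed in the issue (a contract holding the set of locked cid/oid pairs, storage nodes keeping local marks, DELETE denied while a mark exists, resync from the contract after metabase loss) and fyrchik's point 6 (a container with active holds must not be removed) can be modelled in a few dozen lines. The following Go program is an added example written for this page; it is not code from neofs-node or neofs-contract. It assumes plain-string ids instead of the real NeoFS types, an in-memory allow-list of keys standing in for the "set of keys defined in the legal hold contract", and direct method calls standing in for chain notifications; notary multisignature collection by the Alphabet nodes is left out.

```go
package main

import (
	"errors"
	"fmt"
)

// ObjectRef is a cid/oid pair; plain strings stand in for NeoFS id types (hypothetical model).
type ObjectRef struct{ CID, OID string }

var (
	ErrNotAuthorized = errors.New("key is not allowed to manage legal holds")
	ErrLegalHold     = errors.New("object is under legal hold")
	ErrContainerHeld = errors.New("container has objects under legal hold")
)

// LegalHoldContract models the on-chain side: the keys allowed to lock/unlock (the
// private-network case from the Q&A) and the held set. Notary multisig is not modelled.
type LegalHoldContract struct {
	allowed map[string]bool
	held    map[ObjectRef]bool
	nodes   []*StorageNode // receivers of the "Notification" arrows in the diagram
}

func NewLegalHoldContract(allowedKeys []string) *LegalHoldContract {
	c := &LegalHoldContract{allowed: map[string]bool{}, held: map[ObjectRef]bool{}}
	for _, k := range allowedKeys {
		c.allowed[k] = true
	}
	return c
}
func (c *LegalHoldContract) Subscribe(n *StorageNode) { c.nodes = append(c.nodes, n) }

// Lock places a hold and Unlock lifts it: unlike NeoFS retention locks, a legal hold
// has no expiration and can be removed again.
func (c *LegalHoldContract) Lock(key string, ref ObjectRef) error   { return c.set(key, ref, true) }
func (c *LegalHoldContract) Unlock(key string, ref ObjectRef) error { return c.set(key, ref, false) }

func (c *LegalHoldContract) set(key string, ref ObjectRef, locked bool) error {
	if !c.allowed[key] {
		return ErrNotAuthorized
	}
	delete(c.held, ref)
	if locked {
		c.held[ref] = true
	}
	for _, n := range c.nodes {
		n.onNotification(ref, locked)
	}
	return nil
}

// StorageNode keeps local hold marks, the "metabase" of the issue.
type StorageNode struct{ marks map[ObjectRef]bool }

func NewStorageNode() *StorageNode { return &StorageNode{marks: map[ObjectRef]bool{}} }
func (n *StorageNode) onNotification(ref ObjectRef, locked bool) {
	delete(n.marks, ref)
	if locked {
		n.marks[ref] = true
	}
}

// Delete is the DELETE request path: denied while a local mark exists.
func (n *StorageNode) Delete(ref ObjectRef) error {
	if n.marks[ref] {
		return ErrLegalHold
	}
	return nil
}

// DeleteContainer refuses while any held object lives in the container (fyrchik's point 6).
func (n *StorageNode) DeleteContainer(cid string) error {
	for r := range n.marks {
		if r.CID == cid {
			return ErrContainerHeld
		}
	}
	return nil
}

// LoseMetabase simulates the failure mode from the Q&A; Resync is the startup /
// epoch-tick recovery that reads the held set back from the contract.
func (n *StorageNode) LoseMetabase() { n.marks = map[ObjectRef]bool{} }
func (n *StorageNode) Resync(c *LegalHoldContract) int {
	n.marks = map[ObjectRef]bool{}
	for r := range c.held { // stands in for a contract call listing held objects
		n.marks[r] = true
	}
	return len(n.marks)
}

func main() {
	contract, node := NewLegalHoldContract([]string{"alphabet-key-1"}), NewStorageNode() // constructed key id
	contract.Subscribe(node)
	ref := ObjectRef{CID: "cid-A", OID: "oid-1"} // constructed ids
	fmt.Println("lock:", contract.Lock("alphabet-key-1", ref), "| delete while held:", node.Delete(ref))
	node.LoseMetabase()
	fmt.Println("delete after metabase loss:", node.Delete(ref), "| restored by resync:", node.Resync(contract))
	fmt.Println("delete after resync:", node.Delete(ref), "| unlock:", contract.Unlock("alphabet-key-1", ref), "| delete after unlock:", node.Delete(ref))
}
```

The run shows the gap the Q&A worries about: between losing the metabase and the resync, `Delete` passes even though the contract still holds the object, which is the argument for asking the contract on every `DELETE` or for resyncing before serving requests.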

@KirillovDenis commented on GitHub (Jul 4, 2022):

**Determine who can create legal holds**

AWS allows users that have the `s3:PutObjectLegalHold` permission to create legal holds (it's related to revising ACL in s3-gw) https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLegalHold.html. So we can either:

* Add to the contract the keys of the s3 gateways to allow them to check if the user has the appropriate `s3:PutObjectLegalHold` permission.
* Change some eACL logic (it seems we will do this because of https://github.com/nspcc-dev/neofs-s3-gw/issues/493 and https://github.com/nspcc-dev/neofs-s3-gw/issues/553) to allow the contract to check the container eACL and check the user permission. It seems the contract can handle `service records` (if they will be introduced) in eACL. A PoC of using the `service records` can be found in [this old draft PR](https://github.com/nspcc-dev/neofs-s3-gw/pull/256/files#diff-ff228cf27f22369da924c8a7d379d9e161978ebdbf582bdabdc517471e2f45b3).

**Try hold containers, check if it plays nicely with S3 spec**

I don't see any appropriate S3 API method that can be used to hold the bucket/container. There is only one method to change a legal hold, [PutObjectLegalHold](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLegalHold.html), and it's per object version. Besides, the bucket cannot be deleted if it isn't empty. So it's strange to introduce a method to hold a bucket in the AWS mindset.

There is one option though.
Using https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectLockConfiguration.html. We can extend the body to accept a param to hold the bucket. But this will be incompatible with the S3 protocol, so I don't like it.
Reference
nspcc-dev/neofs-contract#90