QoreStor 7.1.2 - User Guide

Configuring required permissions to restore from Archive Tier

For QoreStor to perform batch operations for restoring objects to Amazon S3 storage from Amazon S3 Glacier or Amazon S3 Glacier Deep Archive storage, you must configure an AWS IAM policy with the required permissions and then attach the policy to the AWS account used for accessing AWS S3 storage.

NOTE: When creating an archive tier after upgrading to QoreStor 7.1, the default mode of restores is Lambda. If you create the archive tier before upgrading to QoreStor 7.1, the upgrade automatically switches the restores from Batch operations to Lambda. To change this option, see Editing an archive tier restore mode using the command line interface.

To configure required permissions to restore from Archive Tier

  1. From the AWS console, go to the IAM dashboard.
  2. On the IAM dashboard, go to the Policies page, and then click Create Policy.
  3. On the Create policy page, click the JSON tab, and then copy and enter the text from the following JSON document:

    NOTE: Enter the "AWS Account ID" and the "S3 Archive Tier Bucket Name" as appropriate. Using "*" as a placeholder for the "S3 Archive Tier Bucket Name" may cause an unimportant warning, which you can ignore.

    JSON Create Policy document

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:RestoreObject",           
                    "lambda:InvokeFunction"
                ],
                "Resource": [
                    "arn:aws:lambda:*:<AWS Account ID>:function:*",     
                    "arn:aws:s3:::<S3 Archive Tier Bucket Name | *>/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::<S3 Archive Tier Bucket Name | *>/batch/*"
            }
        ]
    }

  4. Note the name of the new policy for the next steps. For example, GlacierTierRolePolicy.
  5. On the IAM dashboard Roles page, click Create Role.
  6. Select a trusted entity, select Custom trust policy, and then copy and enter the following JSON document:
    JSON Custom Trust Policy document
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "batchoperations.s3.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  7. Add permissions by searching and selecting the policy you created, and then click Next.
  8. Give the new role a name and then note the ARN of the IAM Role for next steps. For example, arn:aws:iam::<AWS Account ID>:role/GlacierTierRole.
  9. Return to the Policies page of the IAM dashboard and click Create Policy.
  10. Select JSON for permissions, and then replace the JSON text with the following policy document and save it:

    NOTE: In the "Resource" portion, for "AWS Account ID" and "IAM Role Name," enter the specific Account ID and ARN of the role. Do not use the lambda function for batch restores. AWS requires you to use "*" in place of the bucket name.

    JSON Create Policy document
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "lambda:CreateFunction",
                    "iam:GetRole",
                    "lambda:InvokeFunction",
                    "lambda:GetFunction",
                    "lambda:UpdateFunctionConfiguration",
                    "s3:RestoreObject",
                    "s3:CreateBucket",
                    "lambda:GetFunctionConfiguration",
                    "s3:ListBucket",
                    "lambda:PutFunctionConcurrency",
                    "lambda:UpdateFunctionCode",
                    "s3:PutObject",
                    "s3:GetObject",
                    "iam:PassRole",
                    "lambda:GetFunctionConcurrency",
                    "lambda:DeleteFunction",
                    "lambda:DeleteFunctionConcurrency",
                    "s3:DeleteObject",
                    "s3:DeleteBucket"
                ],
                "Resource": [
                    "arn:aws:iam::<AWS Account ID>:role/<IAM Role Name>",
                    "arn:aws:lambda:*:<AWS Account ID>:function:QorestorArchiveRestore",
                    "arn:aws:s3:::*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": [
                    "s3:DescribeJob",
                    "s3:UpdateJobPriority",
                    "s3:UpdateJobStatus"
                ],
                "Resource": "arn:aws:s3:*:<AWS Account ID>:job/*"
            },
            {
                "Sid": "VisualEditor3",
                "Effect": "Allow",
                "Action": [
                    "s3:ListJobs",
                    "s3:CreateJob"
                ],
                "Resource": "arn:aws:s3:*:<AWS Account ID>:job/*"
            }
        ]
    }

    The policy creation is complete. Check that the permissions you entered are saved in the policy JSON document.

  11. To create an IAM User for the archive tier, go to the Users page of the IAM dashboard, click Add User, and complete the following steps:
    1. On the Add user page under Select AWS access type, to generate the access_key and secret_key, select Programmatic access.
    2. On the Permissions page, select Attach existing policy directly, and then select the policy you created in Step 10 to attach to this user.
  12. Follow the directions in the remaining two tabs to finish creating the user.

    NOTE: Be sure to download the access_keys for this user to use when creating an archive tier in QoreStor.
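
The CLI output later on this page states that QoreStor only checks the role ARN's string format and that AWS evaluates permissions at restore time, so a mistake in the documents from steps 3 and 6 surfaces only when a restore fails. The following added example (not QoreStor or AWS code) checks those documents offline before they are pasted into the console. The function names are hypothetical, the sample input is constructed, and flagging the `*` bucket wildcard is this example's own least-privilege check, not a requirement from the guide.

```python
import re

# Service principals the custom trust policy in step 6 must allow.
REQUIRED_PRINCIPALS = {"batchoperations.s3.amazonaws.com", "lambda.amazonaws.com"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PLACEHOLDER_RE = re.compile(r"<[^>]*>")

def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Service."""
    return value if isinstance(value, list) else [value]

def preflight(role_arn, trust_policy, permission_policy):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    if not ROLE_ARN_RE.match(role_arn):
        findings.append(f"role ARN is malformed: {role_arn}")
    trusted = set()
    for stmt in as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and "sts:AssumeRole" in as_list(stmt.get("Action", []))):
            trusted.update(as_list(principal.get("Service", [])))
    for missing in sorted(REQUIRED_PRINCIPALS - trusted):
        findings.append(f"trust policy does not let {missing} assume the role")
    for stmt in as_list(permission_policy.get("Statement", [])):
        sid = stmt.get("Sid", "(no Sid)")
        for resource in as_list(stmt.get("Resource", [])):
            if PLACEHOLDER_RE.search(resource):
                findings.append(f"{sid}: placeholder left in {resource}")
            elif resource.startswith("arn:aws:s3:::*"):
                findings.append(f"{sid}: {resource} matches every bucket")
    return findings

# Constructed sample input: the Lambda principal is missing from the trust
# policy, one placeholder was never filled in, and the bucket is wildcarded.
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/GlacierTierRole"
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "batchoperations.s3.amazonaws.com"}}]}
SAMPLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:RestoreObject", "lambda:InvokeFunction"],
     "Resource": ["arn:aws:lambda:*:<AWS Account ID>:function:*", "arn:aws:s3:::*/*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-archive-bucket/batch/*"}]}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_ROLE_ARN, SAMPLE_TRUST, SAMPLE_PERMISSIONS):
        print(finding)
```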

Modifying an Archive Tier after an upgrade

If you created an Archive Tier after an upgrade to QoreStor 7.1, then the default mode of restores is Lambda. If you created the Archive Tier prior to upgrading to QoreStor 7.1, then the upgrade process automatically switched the default restore mode from Batch operations to Lambda. To revert this change back to the Batch option, complete the following procedure in the CLI.

To modify an Archive Tier after an upgrade

  1. In the CLI, use the following commands:

    Restore mode change commands

    cloud_tier --update [--cloud_password]
    [--cloud_archive]
    [--archive_retention_in_warm <1 to 365 days>]
    [--archive_role_arn <archive role arn>]
    [--archive_restore_type <Batch|Lambda>]

    [root@jayant-ol82-tst1 ~]# cloud_tier --update --archive_role_arn arn:aws:iam::177436582181:role/GlacierTierRole --archive_restore_type Lambda --cloud_archive
    Validating Role-arn string format for group name DefaultCloudArchiveTier ...
    Role-arn string format is valid  We do basic format validation for the role ARN string. We cannot validate permissions at the time of addition/update – AWS does that during restore operation itself.
    Archive Tier updated successfully.
    [root@jayant-ol82-tst1 ~]#

    [root@jayant-ol82-tst1 ~]# cloud_tier --show --verbose --cloud_archive
    Cloud_tier Entry ID : 8
    Cloud_tier Name : DefaultCloudArchiveTier
    Cloud_tier Compression Type : Fast
    Cloud_tier Encryption Set : On
    Cloud_tier Encryption Type : Static
    Cloud_tier Rotate Period : 0
    Cloud_tier Passphrase set : Yes
    Cloud_tier Type : Cloud
    Cloud_tier Cloud container name : jayantcloud1
    Cloud_tier Cloud provider name : AWS-S3
    Cloud_tier Cloud archive service name : S3-Glacier
    Cloud_tier Archive retention in warm : 2 days
    Cloud_tier Archive role ARN string : arn:aws:iam::177436582181:role/GlacierTierRole 
    Cloud_tier Archive Restore Type : Lambda Function
    Cloud_tier Cloud connection string : loglevel=trace;region=us-east-1;
    Cloud_tier Created On : Mon Aug 9 14:29:07 2021 PDT
    Cloud_tier Created Bld : 24E2B069
    Cloud_tier status : Online
    Storage_group Is Storage Agent Group : No
    DefaultCloudArchiveTier's Containers
    ------------------------------------
    None
     
    [root@jayant-ol82-tst1 ~]#

Adding an archive tier

To add an archive tier

  1. In the navigation menu, click Cloud Storage to expand the menu, then click Archive Tier.
  2. In the Archive Tier pane, click Configure to add a cloud tier.
  3. In the archive provider drop-down, select AWS S3.
  4. Provide the name for your S3 bucket.
  5. Enter your Connection String using one of the two methods below:
    • Default - this option will compile your connection string into the correct format using the inputs below.
      • Access key - The access key is typically 20 upper-case English characters
      • Secret key - The secret key is generated automatically by AWS. It is typically 40 characters, including mixed upper and lower-case and special symbols.
      • Region - The region specifies the Amazon-specific region in which you want to deploy your backup solution. Your region name can be obtained from https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
    • Custom - this option allows you to enter your connection string with additional parameters.
      • Your connection string uses the following syntax:
        "accesskey=<ABDCEWERS>;secretkey=< >; loglevel=warn; region=<aws-region>;"

        Please note the following:

        1. The access key is typically 20 upper-case English characters
        2. The secret key is generated automatically by AWS. It is typically 40 characters, including mixed upper and lower-case and special symbols.
        3. The region specifies the Amazon-specific region in which you want to deploy your backup solution. Your region name can be obtained from https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region

        An example of a connection string with this syntax follows. Logically, each connection string is unique.

        accesskey=AKIARERFUCFODHFJUCWK;secretkey=p+8/T+o5WeZkX11QbuPazHX1IdWbwgFplxuVlO8J;loglevel=warn;region=eu-central-1;
  6. To apply encryption, in the Archive Tier Encryption section enter the following:

    • Passphrase — the passphrase is user-defined and is used to generate a passphrase key that encrypts the file in which the content encryption keys are kept. The passphrase is a human readable key, which can be up to 255 bytes in length. It is mandatory to define a passphrase to enable encryption.

      IMPORTANT: It is mandatory to define a passphrase to enable encryption. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable. If this passphrase is lost or forgotten, data in the cloud will be unrecoverable.

    • Confirm Passphrase — re-enter the passphrase used above.

  7. In the Archive Tier Options section, enter the following:
    • Archive Retention in Warm Cloud - When restore operation succeeds, a temporary copy of the Glacier object is created in standard S3 storage. This setting specifies the number of days this temporary copy is held in S3 before it is deleted. Valid values are any integral values from 1 through 365.
    • Archive Role ARN - S3 must have permissions to perform Lambda and batch operations on behalf of the user. An IAM role must be created that has "Create Job", "Pass Role" and other permissions to access the buckets as well as perform the Lambda and batch operations. The account admin is expected to create such roles.

      NOTE: For more information on required permissions and lambda and batch operations, refer to Configuring required permissions to restore from Archive Tier and the AWS documents Granting permissions for Amazon S3 Batch Operations, What is AWS Lambda?, and The basics: S3 Batch Operations.

    • Archive Service Name - Select either S3-Glacier or S3 Deep Archive.
  8. Click Configure. A Cloud Storage Group will be created.
  9. To enable replication to the cloud, you must link a local container to the cloud using the procedures in Adding a cloud tiering policy.
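
The connection string from step 5 carries the access key and secret key in clear text. The following added example (not QoreStor code) parses the `key=value;` syntax shown above, checks the fields against the shapes the guide calls typical, and masks both credentials so the string can be logged or pasted into a ticket. The function names are hypothetical, digits are assumed to be allowed in access keys, and the sample string uses AWS's published documentation placeholder keys.

```python
import re

SECRET_FIELDS = {"accesskey", "secretkey"}

def parse_connection_string(conn):
    """Split 'key=value;key=value;' into a dict, keeping any '=' inside a value."""
    fields = {}
    for part in conn.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' or doubled separators
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {part!r}")
        fields[key.strip().lower()] = value.strip()
    return fields

def check(fields):
    """Warnings based on the shapes the guide calls typical (not hard limits)."""
    warnings = []
    for required in ("accesskey", "secretkey", "region"):
        if not fields.get(required):
            warnings.append(f"{required} is missing")
    access_key = fields.get("accesskey", "")
    # Assumption of this example: digits are accepted alongside upper-case letters.
    if access_key and not re.fullmatch(r"[A-Z0-9]{20}", access_key):
        warnings.append("accesskey is not 20 upper-case characters")
    secret_key = fields.get("secretkey", "")
    if secret_key and len(secret_key) != 40:
        warnings.append("secretkey is not 40 characters")
    return warnings

def redact(conn):
    """Rebuild the string with both credentials masked."""
    fields = parse_connection_string(conn)
    return "".join(
        f"{key}={'****' if key in SECRET_FIELDS else value};"
        for key, value in fields.items()
    )

# Constructed sample in the guide's syntax, using AWS documentation placeholder keys.
SAMPLE_CONN = ('"accesskey=AKIAIOSFODNN7EXAMPLE;'
               'secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY; '
               'loglevel=warn; region=eu-central-1;"')

if __name__ == "__main__":
    print(check(parse_connection_string(SAMPLE_CONN)))
    print(redact(SAMPLE_CONN))
```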

Editing an archive tier restore mode using the command line interface

If you create an archive tier after an upgrade to 7.1, the default mode of restores is Lambda. If the archive tier was created prior to a 7.1 upgrade, the upgrade switches the restores from Batch operations to Lambda. You can change this option using the command line interface (CLI) or the user interface (UI).

To edit an archive tier restore mode using the command line interface

  1. To change an archive tier that was created before upgrading to QoreStor 7.1, go to the CLI and enter the following commands:

    Commands for editing restore mode

    cloud_tier --update [--cloud_password]
    [--cloud_archive]
    [--archive_retention_in_warm <1 to 365 days>]
    [--archive_role_arn <archive role arn>]
    [--archive_restore_type <Batch|Lambda>]
     
    [root@qorestor-ol82-tst1 ~]# cloud_tier --update --archive_role_arn arn:aws:iam::177436582181:role/IAMLambdaOps_Restrictive --archive_restore_type Lambda --cloud_archive
    Validating Role-arn string format for group name DefaultCloudArchiveTier ...
    Role-arn string format is valid  We do basic format validation for the role ARN string. We cannot validate permissions at the time of addition/update – AWS does that during restore operation itself.
    Archive Tier updated successfully.
    [root@jayant-ol82-tst1 ~]#
     
    [root@qorestor-ol82-tst1 ~]# cloud_tier --show --verbose --cloud_archive
    Cloud_tier Entry ID : 8
    Cloud_tier Name : DefaultCloudArchiveTier
    Cloud_tier Compression Type : Fast
    Cloud_tier Encryption Set : On
    Cloud_tier Encryption Type : Static
    Cloud_tier Rotate Period : 0
    Cloud_tier Passphrase set : Yes
    Cloud_tier Type : Cloud
    Cloud_tier Cloud container name : jayantcloud1
    Cloud_tier Cloud provider name : AWS-S3
    Cloud_tier Cloud archive service name : S3-Glacier
    Cloud_tier Archive retention in warm : 2 days
    Cloud_tier Archive role ARN string : arn:aws:iam::177436582181:role/IAMLambdaOps_Restrictive
    Cloud_tier Archive Restore Type : Lambda Function
    Cloud_tier Cloud connection string : loglevel=trace;region=us-east-1;
    Cloud_tier Created On : Mon Aug 9 14:29:07 2021 PDT
    Cloud_tier Created Bld : 24E2B069
    Cloud_tier status : Online
    Storage_group Is Storage Agent Group : No
    DefaultCloudArchiveTier's Containers
    ------------------------------------
    None

  2. To change the restore operations of an archive tier while adding the archive tier, go to the CLI and enter the following commands:

    Changing Archive Tier restore operations after upgrade

    cloud_tier --add --cloud_container <bucket name>
    --cloud_provider <AWS-S3|AZURE|Wasabi-S3|Google-S3|IBM-S3|S3-Compatible>
    [--cloud_archive_service <S3-Glacier|S3-Deep-Archive>]
    [--archive_retention_in_warm <1 to 365 days>]
    [--archive_role_arn <archive role arn>]
    [--archive_restore_type <Batch|Lambda>]
     
    [root@jayant-ol82-tst1 ~]# cloud_tier --add --cloud_container jayantcloud1 --cloud_provider AWS-S3 --cloud_archive_service S3-Glacier --archive_retention_in_warm 2 --archive_role_arn arn:aws:iam::177436582181:role/IAMLambdaOps --archive_restore_type=Lambda

Deleting an archive tier

Before deleting an archive tier, review the details below:

  • The metadata for the files archived to the cloud will be removed locally. This makes those files unrecoverable.
  • Data in the cloud bucket has to be deleted manually.
  • Archive policy settings on the source containers are unaffected.

Deleting an archive tier from the GUI

To delete an archive tier, complete the following steps.

  1. In the navigation menu, click Cloud Storage to expand the menu, then click Archive Tier.
  2. Click Delete.
  3. When prompted to confirm, click Delete.
  4. In the Passphrase field, enter the passphrase used for Archive Tier encryption. This provides validation that the person deleting the archive tier has the appropriate authorization.
  5. Review the containers linked to the archive tier and confirm that data in these containers can be deleted.
  6. Click Delete.

Deleting an archive tier from the CLI

  1. Access the QoreStor CLI. Refer to Accessing the CLI commands for more information.
  2. Delete your archive tier using the command below. Refer to the QoreStor Command Line Reference Guide for more information.
    cloud_tier --delete --cloud_archive
    
  3. At the prompt, enter y for yes and press [Enter].