Restore failures due to object lock
Explanation:
During restore, if you select the option, NetBackup applies the object lock properties.
Viewing the Activity monitor logs:
Warning bpbrm (pid=21103) from client ip-10-176-97-167.us-east-2.compute.internal: WRN - Cannot set Object lock on the object. Access to perform the operation was denied. Jul 25, 2023 11:26:00 AM - Error bpbrm (pid=21103) from client ip-10-176-97-167.us-east-2.compute.internal: ERR - Cannot complete restore for any of the objects. Jul 25, 2023 11:26:00 AM - Warning bpbrm (pid=21103) from client ip-10-176-97-167.us-east-2.compute.internal: WRN - The 3 files restored partially as object lock cannot be applied. Jul 25, 2023 11:26:00 AM - Info tar (pid=1697) done. status 5
Viewing the nbcosp logs:
{"level":"info","SDK log body":"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied
</Code><Message>Access Denied</Message><RequestId>ZNT4GXHP70HX573A</RequestId>
<HostId>
3scBmke9LmOwtuK5lnYv0ozyKgbne+ey04qXtSt6s/OQbpSCyfxiwvdi2CPG3cHU+H/ztz7C3mHeoX5Cnvb2xg==</HostId>
</Error>\n","time":"2023-07-25T05:56:00.708117368Z","caller":
"internal/logging.ExtendedLog.Log:zerolog_wrapper.go:18","message":"SDK log entry"}
{"level":"debug","status code":403,"errmsg":"AccessDenied:
Access Denied\n\tstatus code: 403, request id: ZNT4GXHP70HX573A,
host id: 3scBmke9LmOwtuK5lnYv0ozyKgbne+ey04qXtSt6s/OQbpSCyfxiwvdi2CPG3cHU+H/ztz7C3mHeoX5Cnvb2xg==",
"time":"2023-07-25T05:56:00.708145345Z","caller":"main.s3StatusCode:s3_ops.go:8447",
"message":"s3StatusCode(): get http status code"}
{"level":"error","error":"AccessDenied: Access Denied\n\tstatus code: 403,
request id: ZNT4GXHP70HX573A,
host id: 3scBmke9LmOwtuK5lnYv0ozyKgbne+ey04qXtSt6s/OQbpSCyfxiwvdi2CPG3cHU+H/ztz7C3mHeoX5Cnvb2xg==",
"object key":"cudtomer35jul/squash.txt","time":"2023-07-25T05:56:00.708160142Z",
"caller":"main.(*OCSS3).commitBlockList:s3_ops.go:2655",
"message":"s3Storage.svc.PutObjectRetention Failed to Put ObjectRetention"}Workaround:
You must have the required permissions for object retention. These are the necessary permissions that your role must have:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ObjectLock",
"Effect": "Allow",
"Action": [
"s3:PutObjectRetention",
"s3:BypassGovernanceRetention"
],
"Resource": [
"*"
]
}
]
}