s3 retention hold support #2354

Open
udf2457 opened this issue May 20, 2024 · 1 comment
Contributor

udf2457 commented May 20, 2024

Something to consider would be introducing support for S3 retention hold / object lock.

The intent would be to protect backups from changes or deletion, whether malicious or accidental.

An example scenario could be a cyber attack where credentials were compromised. A retention hold on the S3 bucket would prevent an attacker from simply trashing all the old backups.

Clearly you can implement this today by simply setting backup schedules to $days+1, however this would be rather fragile without integrated support (i.e. pgbackrest checking for the existence of locks and not just erroring out) and indeed pgbackrest should be able to add locks itself.

So I guess the purpose of this suggestion is to open up the discussion about the possibility, and how an implementation might look.

dwsteele self-assigned this May 27, 2024
@dwsteele
Member

This is something we have been considering. Ideally versions would be locked rather than preventing the object from being overwritten (which would cause problems for metadata files). As far as I can see, this is how object lock works (or at least it can be made to work this way). If the lock duration can be set with a bucket property then even better.

There would also need to be a way to expose the bucket at a particular time, or we would build that functionality into pgBackRest. Probably the latter is more practical.
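
A sketch of the "bucket at a particular time" view mentioned in the comment above, added here as an example; it is not part of the thread and not pgBackRest code. It assumes a version listing shaped like S3 ListObjectVersions output (Versions and DeleteMarkers entries with Key, VersionId, LastModified); the keys, version ids and the function name `bucket_view_at` are constructed for illustration.

```python
from datetime import datetime, timezone


def ts(text):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample data: two weekly backups, then a credential compromise
# on 2024-05-20 in which metadata is overwritten and backups are "deleted".
# With versioning enabled, a delete only adds a delete marker; the locked
# versions underneath remain in the listing.
VERSIONS = [
    {"Key": "backup.info", "VersionId": "v1", "LastModified": ts("2024-05-01T02:00:00")},
    {"Key": "backup.info", "VersionId": "v2", "LastModified": ts("2024-05-08T02:00:00")},
    {"Key": "backup.info", "VersionId": "v3", "LastModified": ts("2024-05-20T09:30:00")},
    {"Key": "20240501F/data.tar", "VersionId": "a1", "LastModified": ts("2024-05-01T02:00:00")},
    {"Key": "20240508F/data.tar", "VersionId": "b1", "LastModified": ts("2024-05-08T02:00:00")},
]
DELETE_MARKERS = [
    {"Key": "20240501F/data.tar", "VersionId": "d1", "LastModified": ts("2024-05-20T09:31:00")},
    {"Key": "20240508F/data.tar", "VersionId": "d2", "LastModified": ts("2024-05-20T09:31:00")},
]


def bucket_view_at(versions, delete_markers, when):
    """Return {key: version_id} describing the bucket as it looked at `when`."""
    events = [(v["LastModified"], v["Key"], v["VersionId"]) for v in versions]
    # A delete marker is recorded as an event with no version id.
    events += [(d["LastModified"], d["Key"], None) for d in delete_markers]

    view = {}
    # Replay writes and deletes in time order, stopping at the requested instant.
    for modified, key, version_id in sorted(events, key=lambda e: e[0]):
        if modified > when:
            break
        if version_id is None:
            view.pop(key, None)      # key was hidden by a delete marker
        else:
            view[key] = version_id   # newer version supersedes the older one
    return view


if __name__ == "__main__":
    for label in ("2024-05-10T00:00:00", "2024-05-21T00:00:00"):
        print(label, bucket_view_at(VERSIONS, DELETE_MARKERS, ts(label)))
```

The view for a time before the compromise still resolves every key to a version id, which is what a restore would read by explicit version if those versions are under retention.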
