Metadata Access Control

JuiceFS metadata (such as directories, file attributes and timestamps) is stored on JuiceFS servers, and access to it is controlled by JuiceFS tokens. Users manage tokens in the JuiceFS web console, which supports rules for IP range, read/write permission and subdir mount restrictions.

Access token

A JuiceFS access token is a random string used to grant access to a file system. The default token can be found on the file system's settings page. Users are asked to enter this token when running juicefs mount or juicefs auth in an interactive terminal.

$ sudo juicefs mount example /jfs
Token for example:

$ sudo juicefs auth example
Token for example:

The token may also be passed as a command-line argument for non-interactive authentication, e.g. in automated deployment or CI environments.

$ sudo juicefs auth example --token=${JFS_TOKEN}

The token will be stored in ${HOME}/.juicefs/example.conf after authentication. Make sure to keep it safe.
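
One way to check that the stored token file is not readable by other local accounts. This is an added example, not part of the JuiceFS documentation or tooling; the function names jfs_conf_audit and jfs_conf_harden are hypothetical, and it assumes token files are the *.conf files under ${HOME}/.juicefs as described above.

```shell
#!/bin/sh
# Added example (not from the JuiceFS docs): audit token config file permissions.
# Assumption: token files are the *.conf files under ${HOME}/.juicefs, as the
# page states for example.conf. Function names are hypothetical.

# Print every *.conf under DIR that group or others can read, write or execute.
# Returns 0 when none are exposed, 1 otherwise.
jfs_conf_audit() {
    dir=${1:-"$HOME/.juicefs"}
    [ -d "$dir" ] || return 0          # nothing stored yet
    # POSIX find: -perm -NNN is true when all bits in NNN are set, so test
    # each group/other bit separately.
    loose=$(find "$dir" -type f -name '*.conf' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose"
        return 1
    fi
    return 0
}

# Restrict DIR to its owner (0700) and every *.conf in it to 0600.
jfs_conf_harden() {
    dir=${1:-"$HOME/.juicefs"}
    [ -d "$dir" ] || return 0
    chmod 700 "$dir" || return 1
    find "$dir" -type f -name '*.conf' -exec chmod 600 {} +
}

# Usage: jfs_conf_audit || jfs_conf_harden
```

Pass the directory explicitly if the file ended up under a different home directory, for example when the command ran under sudo.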

Token Management

The default token grants full access to the file system from any IP range. Finer-grained access control can be configured in the Access Control tab.

There are two types of tokens: one for clients to access file system content, and one for accessing the monitoring API only.

Client Access Token

A client access token grants a client access to the file system under specified conditions:

  • IP range: allow access from specified IP range only
  • Read / Write Permission
    • Read only: allow read operations only (e.g. open, read, readdir, etc.)
    • Read, append only: in addition to read operations, allow opening a file with the append option to write, but deny overwriting and truncation of existing content.
    • Read write: allow all read and write operations.
  • Mount options
    • Mount subdir: restrict mounts to subdirs under this path only; --subdir must be added when mounting this file system.
    • Allow background jobs: allow running background jobs such as chunk delete, merge and synchronization.

API Only Token

JuiceFS exports monitoring metrics for each file system via a Prometheus API. An API only token grants access to the monitoring API only; no file system access is allowed.