Metadata Access Control
JuiceFS metadata (such as directories, file attributes and timestamps) is stored on JuiceFS servers, with access controlled by JuiceFS tokens. Users can manage tokens in the JuiceFS web console, which supports rules for IP range, read/write permission and subdir mount restrictions.
Access token
A JuiceFS access token is a random string that grants access to a file system. The default token can be found on the file system settings page. Users are asked to enter this token when running juicefs mount or juicefs auth in an interactive terminal.
$ sudo juicefs mount example /jfs
Token for example:
$ sudo juicefs auth example
Token for example:
The token can also be passed as a command-line argument for non-interactive authentication, e.g. in automated deployment or CI environments.
$ sudo juicefs auth example --token=${JFS_TOKEN}
The token is stored in ${HOME}/.juicefs/example.conf after authentication. Make sure to keep it safe.
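One way to check that the stored token files are readable by their owner only, as an added example (not JuiceFS's own tooling). The function names are hypothetical, and because the commands above run under sudo, ${HOME} may resolve to root's home, so the directory can be passed explicitly.

```shell
#!/bin/sh
# Added example: audit the token files that `juicefs auth` leaves under
# ${HOME}/.juicefs (path from the page). Function names are hypothetical.

# Print every *.conf in the directory ($1, default ~/.juicefs) whose mode
# grants any access to group or other.
# Returns 0 when all files are private, 1 when at least one is exposed.
jfs_conf_audit() {
    dir=${1:-"$HOME/.juicefs"}
    exposed=0
    for f in "$dir"/*.conf; do
        # Skip when the glob matched nothing or the entry does not exist.
        [ -e "$f" ] || [ -L "$f" ] || continue
        # ls mode string: char 1 is the type, 2-4 owner, 5-7 group, 8-10 other.
        mode=$(ls -ld -- "$f" | cut -c1-10)
        bits=$(printf '%s' "$mode" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            # Symlinks show as lrwxrwxrwx and are reported for manual review.
            printf 'exposed: %s (%s)\n' "$f" "$mode"
            exposed=1
        fi
    done
    return "$exposed"
}

# Restrict every regular *.conf file in the directory to owner read/write.
# Symlinks are left alone so chmod never follows one to an unexpected target.
jfs_conf_lockdown() {
    dir=${1:-"$HOME/.juicefs"}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue
        chmod 600 -- "$f"
    done
    return 0
}
```

Run jfs_conf_audit after each juicefs auth in a deployment script and fail the job on a non-zero status.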
Token Management
The default token grants full access to the file system from any IP range. Finer access control can be configured in the Access Control tab.
There are two types of tokens: one for clients to access file system content, the other for accessing the monitoring API only.
Client Access Token
A client access token grants clients access to the file system under specified conditions:
IP range: allow access from the specified IP range only.
Read / Write Permission
  Read only: allow read operations only (e.g. open, read, readdir, etc.).
  Read, append only: in addition to read operations, allow opening a file with the append option to write, but deny overwriting and truncation of existing content.
  Read write: allow all read and write operations.
Mount options
  Mount subdir: restrict mounting to the subdir under this path only; --subdir must be added when mounting this file system.
  Allow background jobs: allow running background jobs such as chunk deletion, merging, synchronization, etc.
API Only Token
JuiceFS exports monitoring metrics for each file system via a Prometheus API. An API only token grants access to the monitoring API only; no file system access is allowed.