JuiceFS combines object storage with a metadata engine (for example Redis/MySQL/PostgreSQL). Security must cover both layers plus client mount hosts.
- Restrict metadata database access to JuiceFS services only.
- Enable authentication and TLS on metadata backend.
- Backup metadata frequently and protect backup access.
- Use scoped access keys for JuiceFS buckets.
- Enforce bucket policies and server-side encryption.
- Block public bucket access unless explicitly required.
- Run JuiceFS mount processes as restricted service accounts.
- Limit mount visibility to required users/groups.
- Protect cache directories and local metadata files.
¶ Credentials and Secrets
- Store object and metadata credentials in secret managers.
- Avoid plaintext credentials in shell history and unit files.
- Rotate keys periodically and on incident triggers.
¶ Monitoring and Audit
- Monitor mount failures, metadata latency, and auth failures.
- Log administrative changes to volumes and backends.
- Alert on unusual object API access patterns.