You're reading from Learning Neo4j 3.x - Second Edition

Product type: Book
Published in: Oct 2017
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781786466143
Edition: 2nd Edition
Author: Jerome Baton

Jérôme Baton started hacking computers at the age of skin problems, gaming first then continued his trip by self-learning Basic on Amstrad CPC, peaking on coding a full screen horizontal starfield, and messing the interlace of the video controller so that sprites appeared twice as high in horizontal beat'em up games. Disks were three inches for 178 Kb then. Then, for gaming reasons, he switched to Commodore Amiga and its fantastic AMOS Basic. Later caught by seriousness and studies, he wrote Turbo Pascal, C, COBOL, Visual C++, and Java on PCs and mainframes at university, and even Logo in high school. Then, Java happened and he became a consultant, mostly on backend code of websites in many different businesses. Jérôme authored several articles in French on Neo4j, JBoss Forge, an Arduino workshop for Devoxx4Kids, and reviewed kilos of books on Android. He has a weakness for wordplay, puns, spoonerisms, and Neo4j that relieves him from join(t) pains. Jérôme also has the joy to teach in French universities, currently at I.U.T de Paris, Université Paris V - René Descartes (Neo4j, Android), and Université de Troyes (Neo4j), where he does his best to enterTRain the students. When not programming, Jérôme enjoys photography, doing electronics, everything DIY, understanding how things work, trying to be clever or funny on Twitter, and spends a lot of time trying to understand his kids and life in general.

Chapter 10. Security

In this chapter, you will learn what the security features of Neo4j are and how they apply, such as roles and access restrictions. If security is the number one priority for your admins, it is because some data can be so sensitive that it has to be restricted to chosen groups of users. You would not want some unknown jerk to delete your data from somewhere on the internet, would you?

When users can be counted in hundreds, you need a directory (or more admins to create accounts; do not do that, it is silly).

We will be covering the following topics in the chapter:

  • Authentication and authorization
  • Roles
  • Users management
  • Linking Neo4j to an LDAP directory
  • Configuring Neo4j to use LDAP

Authentication and authorization


Authentication is the capacity for a system to ensure that who you claim to be is who you are and that you belong to the system users. This is usually realized using credentials like a login/password pair.

This pair can be managed by Neo4j or by another system to which Neo4j communicates the pair and from which it receives a result that lets the user into the system or not. These other specialized systems can be directories built on the following technologies:

  • LDAP
  • Active Directory
  • Kerberos (along with LDAP)

Authorization is the capacity for a system to give different levels of access to different users, from being allowed to perform inconsequential commands like changing one's password to being allowed to add users or modify the graph. In most systems, this is achieved through the use of roles.

Roles


The following are the roles in Neo4j:

  • No role
  • Reader
  • Editor
  • Publisher
  • Architect
  • Admin

They are ordered by ascending capability, with admin being the most powerful. When created, users have no role; an admin then grants an authorization level via roles.

The capabilities of each role are cumulative: each role includes those of the previous role. Let's browse the possibilities of each role:

  • No role: This is the default role. It allows you to change one's password and see one's details. It doesn't allow much, and will make users sing, don't leave me this way.
  • Reader: A reader can read the whole graph.
  • Editor: An editor can read and modify the existing data for the whole graph. An editor can create new nodes with existing labels and existing properties, and new relations with existing names.
  • Publisher: A publisher can create new nodes, new labels, and new relations.
  • Architect: An architect has control over the indexes of the graph and over the constraints (CREATE and DROP).
  • Admin: An admin can also create...

Users management


Admins can create new users in the Neo4j browser with this command, which brings up a user interface:

:server user add

Give a name, role, and password to the new user. Check whether the creation worked by viewing the list of users with the following command:

:server user list

From this list, it is possible to disable or delete a user.

Of course, you are not forced to use a web UI with inputs and buttons. There are also built-in procedures to manage users, callable from the Neo4j browser or from the Cypher shell (they are listed at the end of this chapter):

Linking Neo4j to an LDAP directory


I will start this paragraph with a piece of advice: if you are using a cluster, connect each node to the same LDAP directory, because users are local to a node and are not propagated to the others.

So, let's connect. We will use a Docker container based on an OpenLDAP image.

Starting the directory

Let's prepare the folders where the configuration will live. In a shell, execute the following from your home folder:

mkdir data/ldap/environment -p
mkdir data/ldap/db -p

In the first new folder (data/ldap/environment), create a file named users.ldif with the following content:

dn: dc=learningneo4j,dc=com
dc: learningneo4j
description: Directory of all the readers
objectClass: top
objectClass: dcObject
objectClass: organization
o: Readers Directory

dn: ou=users,dc=learningneo4j,dc=com
ou: users
objectClass: organizationalRole
cn: users

# =============================================================== ROLES
dn: ou=ldapreaders,dc=learningneo4j,dc=com
objectClass: top
objectClass: organizationalRole...

Configuring Neo4j to use LDAP


You already know that the action takes place in $NEO_HOME/conf/neo4j.conf. What must be done is to map the LDAP groups to the Neo4j default roles. Add these few lines at the end of the file:

dbms.security.auth_provider=ldap
dbms.security.ldap.host=ldap://127.0.0.1:389
dbms.security.ldap.use_starttls=false
dbms.security.ldap.authentication.mechanism=simple
dbms.security.ldap.authentication.user_dn_template=cn={0},ou=users,dc=learningneo4j,dc=com
dbms.security.ldap.authentication.cache_enabled=false
dbms.security.ldap.authorization.use_system_account=true
dbms.security.ldap.authorization.system_username=cn=admin,dc=learningneo4j,dc=com
dbms.security.ldap.authorization.system_password=agentSmith
dbms.security.ldap.authorization.user_search_base=dc=learningneo4j,dc=com
dbms.security.ldap.authorization.user_search_filter=(&(objectClass=*)(cn={0}))
dbms.security.ldap.authorization.group_membership_attributes=memberOf
dbms.security.ldap.authorization.group_to_role_mapping...
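As an added example (not code from the book), a small Python linter that cross-checks the LDAP block of neo4j.conf against the users.ldif it is meant to talk to: it flags a plain ldap:// host with StartTLS off (every bind password then crosses the network in the clear), a user_dn_template without the {0} placeholder, a user container that the LDIF never defines, and a system account enabled without a password. The CONF and LDIF strings are constructed from the chapter's values.

```python
import re

# Constructed sample inputs mirroring the chapter's neo4j.conf and users.ldif values.
CONF = """\
dbms.security.auth_provider=ldap
dbms.security.ldap.host=ldap://127.0.0.1:389
dbms.security.ldap.use_starttls=false
dbms.security.ldap.authentication.user_dn_template=cn={0},ou=users,dc=learningneo4j,dc=com
dbms.security.ldap.authorization.use_system_account=true
dbms.security.ldap.authorization.system_username=cn=admin,dc=learningneo4j,dc=com
dbms.security.ldap.authorization.system_password=agentSmith
"""
LDIF = """\
dn: dc=learningneo4j,dc=com
objectClass: dcObject

dn: ou=users,dc=learningneo4j,dc=com
ou: users
objectClass: organizationalRole
"""

def parse_conf(text):
    """Parse key=value lines of neo4j.conf; blanks and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def ldif_dns(text):
    """Collect every DN defined in an LDIF file, lower-cased for comparison."""
    return {m.group(1).strip().lower() for m in re.finditer(r"^dn:\s*(.+)$", text, re.M)}

def lint(conf_text, ldif_text):
    """Return a list of findings; an empty list means the LDAP block looks sane."""
    conf, dns, p = parse_conf(conf_text), ldif_dns(ldif_text), "dbms.security.ldap."
    findings = []
    # A plain ldap:// URL with StartTLS off sends each user's bind password in cleartext.
    if conf.get(p + "host", "").startswith("ldap://") and conf.get(p + "use_starttls", "").lower() != "true":
        findings.append("cleartext bind: ldap:// without StartTLS")
    tmpl = conf.get(p + "authentication.user_dn_template", "")
    if "{0}" not in tmpl:
        findings.append("user_dn_template has no {0} placeholder")
    elif tmpl.split(",", 1)[-1].strip().lower() not in dns:  # container part of the template
        findings.append("user container of user_dn_template is not defined in the LDIF")
    if conf.get(p + "authorization.use_system_account") == "true" and not conf.get(p + "authorization.system_password"):
        findings.append("system account enabled without a password")
    return findings
```

Run against the chapter's values it reports only the cleartext bind; switching the host to ldaps:// (or enabling use_starttls) clears it.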

Test questions


A. What is a role for?

  1. Grouping people for granting them authorization
  2. Grouping people for granting them authentication
  3. To be on stage

B. How many roles are there in Neo4j?

  1. Five
  2. Four
  3. More

C. What roles can manage users?

  1. Publisher
  2. Architect
  3. Admin

D. What advantage does using an LDAP directory bring?

  1. Reusing existing hardware, software and procedures
  2. Neo4j admin does not have to create all the users in Neo4j
  3. All of the above
  4. None

Summary


In this chapter, specific to the Enterprise version of Neo4j, we have seen the use and importance of roles, how to give them to users, how to create roles, and how to restrict procedure calls to specific roles, which is perfect for restricting users' view of the graph, provided they cannot access the web application we called the Neo4j browser throughout this book (configure this in neo4j.conf).

We have seen how to run a containerized OpenLDAP server with a chosen dataset and connect this directory to a Neo4j server so that authentication becomes delegated to the OpenLDAP server. This way, the Neo4j admin does not have to recreate users in Neo4j and users do not have another password to remember.

In Chapter 11, Visualization for Neo4j, we will move to a completely different domain and see how to visualize our data.


The built-in procedures referred to in the Users management section:

  • Create a user: CALL dbms.security.createUser(username, password, requirePasswordChange)
  • Delete a user: CALL dbms.security.deleteUser(username)
  • Assign a role to a user: CALL dbms.security.addRoleToUser(roleName, username)
  • Remove a role from a user: CALL dbms.security.removeRoleFromUser(roleName, username)
  • Create a role: CALL dbms.security.createRole('newRoleName')
  • Delete a role: CALL dbms.security.deleteRole('newRoleName')
  • Change a user's password: CALL dbms.security.changeUserPassword(username...