Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Neo4j 4 on Aura permissions adjustment due to PUBLIC role #1612

Closed
moxious opened this issue Aug 2, 2020 · 6 comments · Fixed by #1821
Closed

Neo4j 4 on Aura permissions adjustment due to PUBLIC role #1612

moxious opened this issue Aug 2, 2020 · 6 comments · Fixed by #1821
Assignees
@conker84
Labels
Larus

Comments

@moxious
Copy link
Contributor

moxious commented Aug 2, 2020

For Neo4j 4 running on Aura, the neo4j user was adjusted to have the role PUBLIC, with some special exceptions. The reasons why this is the case are complicated, but that's how it works.

APOC has some security checks in it (I think) which is causing some functions to fail specifically on Neo4j 4 running on Aura.

Specific example, this succeeds in the "Neo4j 4 on Aura" environment:

CREATE INDEX location_type FOR (l:Location) ON (l.type)

But this fails:

CALL apoc.cypher.doIt("CREATE INDEX whatever FOR (w:Whatever) ON (w.type)", {}) YIELD value RETURN value

Schema operations are not allowed for user 'neo4j' with roles [PUBLIC] restricted to TOKEN_WRITE.
@craigtaverner
Copy link
Contributor

This is due to a security feature introduced in Neo4j 3.1 allowing procedures to run with adjusted security settings, so that Neo4j could provide a kind of fine-grained access control. Now that real fine-grained access control is available in Neo4j 4.0, all that is missing to facilitate the removal of the old mechanism is procedure privileges. There are plans to add these to Neo4j, hopefully soon. Until that happens, Cypher run through a procedure can be affected by the mode of the procedure, as we see here.

@jexp
Copy link
Member

jexp commented Aug 31, 2020

@moxious can you clarify with @conker84 what / if we need to do?

@jexp
Copy link
Member

jexp commented Aug 31, 2020

We also need to add a apoc.cypher.runSchema() procedure that has Mode.SCHEMA for operations like this.

@jexp
Copy link
Member

jexp commented Aug 31, 2020

Probably we should also add an alias apoc.cypher.runWrite for apoc.cypher.doIt

@moxious
Copy link
Contributor Author

moxious commented Aug 31, 2020

@jexp I don't know what needs to be done, other than adjusting the mode of the procedure as suggested by @craigtaverner . Also not sure if this is something you want to do -- in theory any APOC call which can run Cypher needs every possible permission that the database could grant to a procedure, since you can do pretty much anything with cypher.

Less clear to me is whether apoc.cypher.doIt should work if it's not cypher (are index creations cypher? CREATE USER definitely isn't cypher)

@conker84 conker84 added the Larus label Jan 26, 2021
vga91 added a commit to vga91/neo4j-apoc-procedures that referenced this issue Feb 18, 2021
@vga91
fixes neo4j-contrib#1612: Neo4j 4 on Aura permissions adjustment due …
37daf81 
…to PUBLIC role
@vga91 vga91 mentioned this issue Feb 18, 2021
Closed
@vga91
Copy link
Collaborator

vga91 commented Feb 18, 2021
edited
Loading

@jexp I created a pr with the procedure apoc.cypher.runSchema.
In addition to the procedure apoc.cypher.doIt, are there any other procedures to add with the analogous Mode.SCHEMA?
The apoc.do.when, for example?

@vga91 vga91 mentioned this issue Mar 1, 2021
Merged
vga91 added a commit to vga91/neo4j-apoc-procedures that referenced this issue Mar 29, 2021
@vga91
fixes neo4j-contrib#1612: Neo4j 4 on Aura permissions adjustment due …
df4d37b 
…to PUBLIC role
fbiville pushed a commit that referenced this issue Apr 9, 2021
@vga91
fixes #1612: Neo4j 4 on Aura permissions adjustment due to PUBLIC role
7515f25
conker84 pushed a commit to conker84/neo4j-apoc-procedures that referenced this issue Jun 4, 2021
@vga91 @conker84
fixes neo4j-contrib#1612: Neo4j 4 on Aura permissions adjustment due …
9c2ef24 
…to PUBLIC role
github-actions bot pushed a commit that referenced this issue Jun 10, 2021
@conker84 @vga91
fixes #1612: Neo4j 4 on Aura permissions adjustment due to PUBLIC role (
9e84eed 
#1968)

Co-authored-by: Giuseppe Villani <[email protected]>
conker84 added a commit that referenced this issue Jun 10, 2021
@github-actions @conker84 @vga91
fixes #1612: Neo4j 4 on Aura permissions adjustment due to PUBLIC role (
4c2404e 
#1968) (#1981)

Co-authored-by: Giuseppe Villani <[email protected]>

Co-authored-by: Andrea Santurbano <[email protected]>
Co-authored-by: Giuseppe Villani <[email protected]>
github-actions bot added a commit that referenced this issue Jun 10, 2021
@github-actions @conker84 @vga91
fixes #1612: Neo4j 4 on Aura permissions adjustment due to PUBLIC role (
c6e99d1 
#1968) (#1981)

Co-authored-by: Giuseppe Villani <[email protected]>

Co-authored-by: Andrea Santurbano <[email protected]>
Co-authored-by: Giuseppe Villani <[email protected]>
conker84 pushed a commit that referenced this issue Jun 15, 2021
@github-actions
AUTO: fixes #1612: Neo4j 4 on Aura permissions adjustment due to PUBL…
2d0f15d 
…IC role (#1968) (#1981) (#1983)
conker84 added a commit to conker84/neo4j-apoc-procedures that referenced this issue Jun 15, 2021
@conker84 @vga91
fixes neo4j-contrib#1612: Neo4j 4 on Aura permissions adjustment due …
a18c50d 
…to PUBLIC role (neo4j-contrib#1968)

Co-authored-by: Giuseppe Villani <[email protected]>
conker84 added a commit to conker84/neo4j-apoc-procedures that referenced this issue Jun 16, 2021
@conker84 @vga91
fixes neo4j-contrib#1612: Neo4j 4 on Aura permissions adjustment due …
1ee0a96 
…to PUBLIC role (neo4j-contrib#1968)

Co-authored-by: Giuseppe Villani <[email protected]>
neo4j-oss-build pushed a commit to conker84/neo4j-apoc-procedures that referenced this issue Jul 16, 2021
@conker84 @vga91 @fbiville
fixes neo4j-contrib#1612: Neo4j 4 on Aura permissions adjustment due …
6cc74d1 
…to PUBLIC role (neo4j-contrib#1968)

Co-authored-by: Giuseppe Villani <[email protected]>
conker84 added a commit to conker84/neo4j-apoc-procedures that referenced this issue Jul 19, 2021
@conker84 @vga91
fixes neo4j-contrib#1612: Neo4j 4 on Aura permissions adjustment due …
c454f90 
…to PUBLIC role (neo4j-contrib#1968)

Co-authored-by: Giuseppe Villani <[email protected]>
fbiville pushed a commit that referenced this issue Jul 19, 2021
@conker84 @vga91 @fbiville
fixes #1612: Neo4j 4 on Aura permissions adjustment due to PUBLIC role (
6e85eed 
#1968)

Co-authored-by: Giuseppe Villani <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@conker84 conker84

Labels
Larus
Projects
None yet
Milestone
No milestone
5 participants
@jexp @craigtaverner @conker84 @moxious @vga91