Neo4j

tony_chiboucas · ‎08-15-2019

Issue

Plugin loads and run fine in both the Desktop and the Server (other utilities still work fine in both environments).

Checks

// Function registered in dbms?
CALL dbms.functions() YIELD name, description
WHERE name CONTAINS "myplugin"
RETURN name, description

// Try to call the function
RETURN myplugin.test("Testify")

Deskop Result

function is registered in dbms.functions
function returns expected results

Server Result

function is not registered in dbms.functions
Neo.ClientError.Statement.SyntaxError: Unknown function 'myplugin.test'

Details

Neo4j Desktop 1.2.1

Browser 3.2.20
Neo4j 3.5.8

Neo4j Ubuntu 18.04

Browser 3.2.20 (loaded in Chrome via http://[IP]:7474/browser
Neo4j 3.5.8 Enterprise

Build IntelliJ IDEA and Maven 3

Build plugin to jar
put jar in $NEO4J_HOME/plugins/
restart neo4j database

Plugin "myplugin" 0.0.1 Dependencies

org.neo4j 3.5.8
javax.ws.rs 2.1

    @UserFunction
    @Description("myplugin.test('this is not a test')")
    public String test( @Name("any") String any ) {
        return any;
    }

stefan_armbrust · ‎08-16-2019

Please provide snippet of server's logs/debug.log containing a startup sequence.

View solution in original post

stefan_armbrust · ‎08-16-2019

Please provide snippet of server's logs/debug.log containing a startup sequence.

tony_chiboucas · ‎08-16-2019

Just to clarify:

dbms.security.procedures.unrestricted allows plugins to access insecure Neo4j components (e.g.: anything other than Log, TerminationGuard or GraphDatabaseService)
dbms.security.procedures.whitelist defaults to allow all functions from all plugins, but if specified only whitelisted functions will be loaded.

I was confusing the purpose of whitelist.

stefan_armbrust · ‎08-17-2019

Your explanation is good, but not 100% precisely correct. It's not about accessing insecure components. It's about accessing components that potentially allow you to break out of the current security context. E.g. if your database user has only read permission, calling a unrestricted procedure might result in a write operation. So handle with care.

tony_chiboucas · ‎08-16-2019

Thank you, found and fixed. I probably should have started in the debug log myself.

2019-08-16 18:01:21.405+0000 WARN [o.n.k.i.p.Procedures] The function 'myplugin.test' is not on the whitelist and won't be loaded.

Documenting for anyone else who comes across this.

My understanding from Neo4j Docs: Securing Extensions was that dbms.security.procedures.unrestricted and dbms.security.procedures.whitelist was only necessary if the function or procedure needed anything other than Log, TerminationGuard, or GraphDatabaseService.

While this is true, whitelist has additional behaviors only mentioned at the bottom of the Securing Extensions doc:

There are a few things that should be noted about dbms.security.procedures.whitelist :

If using this setting, no extensions other than those listed will be loaded. In particular, if it is set to the empty string, no extensions will be loaded.

The default of the setting is * . This means that if you do not explicitly give it a value (or no value), all libraries in the plugins directory will be loaded.

If the extensions pointed out by this parameter are programmed to access internal APIs, they also have to be explicitly allowed, as described in Section 9.1.1, “Sandboxing”.

Cause

Neo4j Desktop `neo4j.conf`

dbms.security.procedures.unrestricted=apoc.*

Neo4j Server `neo4j.conf`

dbms.security.procedures.whitelist=apoc.*

Fix

Neo4j Server `neo4j.conf`

dbms.security.procedures.unrestricted=apoc.*

Neo4j

Custom Plugin UserFunction works desktop, not on server

Issue

Checks

Deskop Result

Server Result

Details

Neo4j Desktop 1.2.1

Neo4j Ubuntu 18.04

Build IntelliJ IDEA and Maven 3

Plugin "myplugin" 0.0.1 Dependencies

Cause

Neo4j Desktop neo4j.conf

Neo4j Server neo4j.conf

Fix

Neo4j Server neo4j.conf

Neo4j Desktop `neo4j.conf`

Neo4j Server `neo4j.conf`

Neo4j Server `neo4j.conf`