Neo4j Network security

Introducing Neo4j 3.1
New Security and Clustering Architecture

New Binary Protocol Procedures
New Language Drivers

High Availability
Error!
503: Service Unavailable

High Availability
✓
Error!
503: Service Unavailable

Data Redundancy
Massive Throughput High Availability

Data Redundancy
3.0

Data Redundancy
3.0
Bigger Clusters Consensus Commit Built-in load balancing
3.1
Causal
Clustering

• Small group of Neo4j databases
• Fault-tolerant Consensus Commit
• Responsible for data safety
Core

Writing to the Core Cluster
Neo4j Driver Neo4j Cluster

Neo4j Driver
CREATE (:User {...})
✓
Neo4j Cluster

Neo4j Driver
CREATE (:User {...})
✓
✓
✓
Neo4j Cluster

Neo4j Driver
✓
✓
✓
Success
Neo4j Cluster

Neo4j Driver
✓
✓
✓
Success
Neo4j Cluster
✓
✓

• For massive query throughput
• Read-only replicas
• Not involved in Consensus Commit
• Disposable, suitable for auto-scaling
Replica

Propagating updates to the Replica

Propagating updates to the Replica
Write

Reading from the Replica
Read

Replica
Core Updating the graph
Queries, analysis, reporting

Writing an application for
Neo4j Causal Clustering

App
Server
Neo4j
Driver
Bolt protocol

Java
<dependency>
<groupId>org.neo4j.driver</groupId>
<artifactId>neo4j-java-driver</artifactId>
</dependency>
Python
pip install neo4j-driver
.NET
PM> Install-Package Neo4j.Driver
JavaScript
npm install neo4j-driver

https://neo4j.com/developer/language-guides

bolt://
GraphDatabase.driver( "bolt://aServer" )

bolt+routing://
GraphDatabase.driver( "bolt+routing://aCoreServer" )

GraphDatabase.driver( "bolt+routing://aCoreServer" )
Bootstrap: specify any
core server to route load
across the whole cluster
bolt+routing://

Application
Server
Neo4j
Driver
Max
Jim
Jane
Mark

Routed write statements
driver = GraphDatabase.driver( "bolt+routing://aCoreServer" );
try ( Session session = driver.session( AccessMode.WRITE ) )
{
try ( Transaction tx = session.beginTransaction() )
{
tx.run( "MERGE (user:User {userId: {userId}})",
parameters( "userId", userId ) );
tx.success();
}
}

Routed read queries
driver = GraphDatabase.driver( "bolt+routing://aCoreServer" );
try ( Session session = driver.session( AccessMode.READ ) )
{
try ( Transaction tx = session.beginTransaction() )
{
tx.run( "MATCH (user:User {userId: {userId}})-[*]-(:Product) RETURN *",
parameters( "userId", userId ) );
tx.success();
}
}

Register
Login
You need
to login in
to continue
your
purchase!

Register
Login
You need
to login in
to continue
your
purchase!
Username:
Password:
Create Account

Register
Login
You need
to login in
to continue
your
purchase!
Username:
jim_w
Password:
********
Create Account

Register
Login
You need
to login in
to continue
your
purchase!
Username:
Password:
Login

Username:
jim_w
Password:
********
Login

Purchase
Login
Successful
Try again
No account
found!
Username:
jim_w
Password:
********
Login

Username:
jim_w
Password:
********
A few moments later...
✓
Login

Purchase
Login
Successful
Username:
jim_w
Password:
********
Login
A few moments later...
✓

Q Why didn’t this work?
A Eventual Consistency

0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9
0 1 2 3 4 5 6 7 8 9
Create Account
App
Server A Driver

0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9
0 1 2 3 4 5 6 7 8 9
CREATE (:User)
Create Account
App
Server A Driver

0 1 2 3 4 5 6 7 8 9 10 11
0 1 2 3 4 5 6 7 8 9
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9
0 1 2 3 4 5 6 7 8 9
CREATE (:User)
Create Account
App
Server A Driver

0 1 2 3 4 5 6 7 8 9 10 11
CREATE (:User)
Create Account
App
Server A Driver
0 1 2 3 4 5 6 7 8 9
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9
0 1 2 3 4 5 6 7 8 9

0 1 2 3 4 5 6 7 8 9 10 11
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9
CREATE (:User)
Create Account
App
Server A Driver

0 1 2 3 4 5 6 7 8 9 10 11
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9
CREATE (:User)
Create Account
App
Server A Driver
MATCH (:User)
Login
App
Server B Driver

Bookmark
• Session token
• String (for portability)
• Opaque to application
• Represents ultimate user’s most recent
view of the graph
• More capabilities to come

Let’s try again, with Causal Consistency

0 1 2 3 4 5 6 7 8 9 10 11
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9 10 11
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9 10
CREATE (:User)
Create Account
MATCH (:User)
Login
App
Server A
App
Server B
Driver
Driver

0 1 2 3 4 5 6 7 8 9 10 11
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9 10 11
0 1 2 3 4 5 6 7 8 9 10
0 1 2 3 4 5 6 7 8 9 10
CREATE (:User)
Create Account
MATCH (:User)
Login
App
Server A
App
Server B
Driver
Driver
11

Neo4j 3.0 Neo4j 3.1
High Availability Cluster Causal Cluster
Master-Slave architecture
Paxos consensus used for master
election
Raft protocol used for leader election,
membership changes and
commitment of all transactions
Two part cluster: writeable Core and
read-only read replicas.
Transaction committed once
written durably on the master
Transaction committed once written durably
on a majority of the core members
Practical deployments: 10s servers Practical deployments: 100s servers

# Choose LDAP connector as both authentication and authorization provider
dbms.security.auth_provider=ldap
# Configure LDAP connector to point to the AD server
dbms.security.ldap.host=ldap://myactivedirectory.example.com
# In case where defined users are not allowed to search for themselves,
# we can specify credentials for user with read access to all users and groups
dbms.security.ldap.authorization.use_system_account=true
dbms.security.ldap.system_username=CN=admin,OU=people,DC=example,DC=com
dbms.security.ldap.system_password=admin-password
# Provide details on user structure within LDAP
dbms.security.ldap.user_dn_template=CN={0},OU=people,DC=example,DC=com
dbms.security.ldap.authorization.user_search_base=OU=people,dc=example,dc=com
dbms.security.ldap.authorization.user_search_filter=(&(objectClass=*)(CN={0}))
dbms.security.ldap.authorization.group_membership_attributes=memberOf
./conf/neo4j.conf

dbms.security.ldap.authorization.group_to_role_mapping=
"CN=Neo4j Read Only,OU=groups,DC=example,DC=com" = reader;
"CN=Neo4j Read-Write,OU=groups,DC=example,DC=com" = publisher;
"CN=Neo4j Schema Manager,OU=groups,DC=example,DC=com" = architect;
"CN=Neo4j Administrator,OU=groups,DC=example,DC=com" = admin;
"CN=Neo4j Procedures,OU=groups,DC=example,DC=com" = allowed_role
./conf/neo4j.conf

# Configure mapping between groups in the LDAP and roles in Neo4j
dbms.security.ldap.authorization.group_to_role_mapping=
“CN=Neo4j Accounting,OU=groups,DC=example,DC=com” = accounting;

“CN=Neo4j Operator,OU=groups,DC=example,DC=com” = operator
CALL dbms.security.createRole(‘accounting’)
CALL dbms.security.addRoleToUser(‘accounting’, ‘bobsmith’)

https://neo4j.com/blog/cypher-graphql-neo4j-3-1-preview/

https://neo4j.com/docs/operations-manual/beta/tools/cypher-shell/

neo4j-admin restore --from=<backup-directory> --database=<database-name> [--force]
Restore a backed up database.
neo4j-admin dump
neo4j-admin load
neo4j-admin backup [--from=<address>] --to=<backup-path> [--check-consistency] [--additional-config=<config-file-path>] [--timeout=<timeout>]
Perform a backup, over the network, from a running Neo4j server into a local copy of the database store (the backup).
neo4j-admin check-consistency --database=<database> [--additional-config=<file>] [--verbose]
Check the consistency of a database.
neo4j-admin import --mode={database|csv} --database=<database-name>
Import a collection of CSV files with --mode=csv, or a database from a pre-3.0 installation with --mode=database.

Neo4j Network security

Recommended

Recommended

More Related Content

What's hot

What's hot (11)

Similar to Neo4j Network security

Similar to Neo4j Network security (20)

Recently uploaded

Recently uploaded (20)

Neo4j Network security