Security & Access Control - Neo4j

 Neo4j has a Role-Based Access Control (RBAC) model that lets you manage users, roles, and permissions in the database. This is essential when you want to control who can read/write/delete which parts of the graph.

🔑 Neo4j Security: Users, Roles & Permissions

1. Users


  • A user has:

    • username

    • password

    • roles (one or more)

  • Users authenticate with username/password.

📌 Example:

// Create a new user
CREATE USER ravi SET PASSWORD 'StrongPass123' CHANGE NOT REQUIRED;

2. Roles

  • Roles are collections of privileges.

  • A user can belong to multiple roles.

  • Built-in roles come with Neo4j, and you can also create custom roles.

📌 Assign role to a user:

GRANT ROLE reader TO ravi;

3. Built-in Roles

Neo4j comes with some predefined roles:

RolePermissions
readerCan only read data (MATCH queries, no writes).
publisherCan read & write data (CREATE, MERGE, DELETE nodes/relationships).
architectCan do everything publisher can + create indexes & constraints.
adminFull access: manage users, roles, DB settings, all privileges.
PUBLICAll users have this role by default (minimal access, usually none).

4. Privileges (Fine-grained access control)

If you use Neo4j Enterprise Edition, you get granular privileges.

Examples:

  • Read-only access to certain labels

GRANT MATCH {*} ON GRAPH myGraph NODE User TO reader;

  • Allow writes to specific labels

GRANT WRITE ON GRAPH myGraph NODE Project TO developer;

  • Restrict deletes

DENY DELETE ON GRAPH myGraph NODE User TO developer;

  • Allow procedure execution

GRANT EXECUTE PROCEDURE apoc.* TO analyst;

5. Custom Roles

You can define your own roles to match business needs.

📌 Example: Create a developer role with write access only to Project nodes

CREATE ROLE developer;
GRANT WRITE ON GRAPH * NODE Project TO developer;

📌 Assign to user:

GRANT ROLE developer TO ravi;

6. Managing Users & Roles

  • List users

SHOW USERS;

  • List roles

SHOW ROLES;

  • See role assignments

SHOW USER ravi;

✅ Example Use Case: Social Network App

  • admin → can manage everything.

  • analyst → can run MATCH queries for reports.

  • developer → can CREATE/UPDATE User and Post nodes, but cannot delete.

  • moderator → can delete Post nodes but not User nodes.

👉 In summary:

  • Users authenticate.

  • Roles define permissions.

  • You can use built-in roles or fine-grained custom privileges (Enterprise).


securing Neo4j connections with SSL/TLS is critical when running in production, especially if clients connect remotely.

Here’s a clear breakdown:

🔒 Securing Connections in Neo4j with SSL/TLS

Neo4j supports TLS/SSL encryption for:

  • Bolt protocol (used by drivers and Neo4j Browser)

  • HTTPS protocol (Neo4j Browser & REST API)

1. Generate Certificates

Neo4j requires certificates in X.509 format.

Options:

  • Use a trusted CA certificate (recommended for production).

  • Or use a self-signed certificate (for dev/test).

📌 Example: Generate a self-signed certificate

openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out public.crt

  • private.key → your private key

  • public.crt → public certificate

Place them in the Neo4j certificates directory:

$NEO4J_HOME/certificates/

2. Certificate Directory Structure

Neo4j expects:

$NEO4J_HOME/certificates/
    bolt/
        public.crt
        private.key
    https/
        public.crt
        private.key

  • bolt/ → used for driver connections

  • https/ → used for browser/REST API

3. Enable SSL in neo4j.conf

Edit conf/neo4j.conf:

# Enable Bolt + TLS
dbms.connector.bolt.enabled=true
dbms.connector.bolt.listen_address=:7687
dbms.connector.bolt.tls_level=REQUIRED

# Enable HTTPS + TLS
dbms.connector.http.enabled=false
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=:7473

Values for dbms.connector.bolt.tls_level:

  • DISABLED → no encryption

  • OPTIONAL → supports both encrypted & unencrypted connections

  • REQUIRED → only encrypted connections allowed (recommended for production)

4. Restart Neo4j

After updating config:

bin/neo4j restart

Neo4j now listens:

  • Bolt TLS: bolt+s://localhost:7687

  • HTTPS TLS: https://localhost:7473

5. Client Connection

When using drivers, specify secure scheme:

  • Python:

from neo4j import GraphDatabase

driver = GraphDatabase.driver(
    "bolt+s://localhost:7687", 
    auth=("neo4j", "password")
)

  • Java:

Driver driver = GraphDatabase.driver(
    "bolt+s://localhost:7687", 
    AuthTokens.basic("neo4j", "password")
);

6. Production Best Practices

✅ Use CA-signed certs (not self-signed).
✅ Store private keys securely (permissions 600).
✅ Rotate certs before expiry.
✅ Disable unencrypted HTTP (dbms.connector.http.enabled=false).
✅ Consider mutual TLS (client certs) if higher security is needed.

⚡ In short:

  • Put certs in certificates/bolt & certificates/https.

  • Configure neo4j.conf for TLS.

  • Use bolt+s and https schemes for secure connections.

Let’s go through Authentication & Authorization best practices for Neo4j, especially with a production deployment (like in Kubernetes/OpenShift).

🔑 Authentication & Authorization in Neo4j

Neo4j has built-in security features that you should enable and configure for production.

1. Enable Authentication

By default, authentication is enabled (auth-enabled=true). Never disable it in production.

📌 In neo4j.conf:

dbms.security.auth_enabled=true

  • Default user is neo4j (you’ll be forced to set a password on first login).

  • Use strong passwords and consider rotating them periodically.

2. Use Role-Based Access Control (RBAC)

Neo4j has predefined roles + custom roles (Enterprise Edition).

Predefined roles:

  • reader → read-only access

  • publisher → can read/write data

  • architect → can create/drop schema (indexes, constraints)

  • admin → full access, manage users/roles

📌 Example: Create a user and assign role:

CREATE USER alice SET PASSWORD 'StrongP@ssw0rd' CHANGE REQUIRED;
GRANT ROLE reader TO alice;

👉 In OpenShift, you should store passwords in Kubernetes Secrets instead of hardcoding them.

apiVersion: v1
kind: Secret
metadata:
  name: neo4j-auth
type: Opaque
data:
  NEO4J_AUTH: bmVvNGo6U3Ryb25nUDBzc3cwcmQ=   # base64("neo4j:StrongP@ssw0rd")

3. Custom Roles (Enterprise Feature)

If you need fine-grained access:

CREATE ROLE data_scientist;
GRANT MATCH {*} ON GRAPH neo4j NODES Person TO data_scientist;
GRANT MATCH {*} ON GRAPH neo4j RELATIONSHIPS KNOWS TO data_scientist;
GRANT ROLE data_scientist TO bob;

✅ This way, Bob can only read Person nodes & KNOWS relationships, nothing else.

4. Principle of Least Privilege

  • Don’t give everyone admin.

  • Developers → use publisher or a custom limited role.

  • BI tools or dashboards → use reader.

  • Automation pipelines → use separate service accounts with only the needed privileges.

5. Secure Password & Credential Handling

  • Store secrets in Kubernetes/OpenShift Secrets, mount them into pods as env vars.

  • Rotate credentials regularly.

  • For multiple apps using Neo4j, create separate service accounts (per-app isolation).

6. Enable TLS for Authentication

Combine with SSL/TLS setup (we discussed earlier):

  • Prevents password sniffing in plain text.

  • Use bolt+s:// or https:// schemes.

7. Audit & Monitoring

  • Enable query logging and security logs.
    In neo4j.conf:

dbms.security.log_successful_authentication=true
dbms.security.log_failed_authentication=true

  • Integrate logs with OpenShift logging stack (EFK or Loki).

8. Kubernetes/OpenShift Deployment Tips

  • Use K8s RBAC to restrict who can access Neo4j Secrets/ConfigMaps.

  • Run Neo4j pods with non-root users.

  • Set resource requests/limits for predictability.

  • Use NetworkPolicies in OpenShift to restrict Neo4j to only trusted services/namespaces.

Summary:

  • Always enable auth_enabled.

  • Use RBAC (built-in or custom roles).

  • Store secrets in K8s/OpenShift Secrets, not in config.

  • Use TLS for encrypted auth.

  • Apply least-privilege principle.

  • Enable security logs for audits.


Comments

Post a Comment