Custom Plugin UserFunction works desktop, not on server


Plugin loads and run fine in both the Desktop and the Server (other utilities still work fine in both environments).


// Function registered in dbms?
CALL dbms.functions() YIELD name, description
WHERE name CONTAINS "myplugin"
RETURN name, description

// Try to call the function
RETURN myplugin.test("Testify")

Deskop Result

  • function is registered in dbms.functions
  • function returns expected results

Server Result

  • function is not registered in dbms.functions
  • Neo.ClientError.Statement.SyntaxError: Unknown function 'myplugin.test'


Neo4j Desktop 1.2.1

  • Browser 3.2.20
  • Neo4j 3.5.8

Neo4j Ubuntu 18.04

  • Browser 3.2.20 (loaded in Chrome via http://[IP]:7474/browser
  • Neo4j 3.5.8 Enterprise

Build IntelliJ IDEA and Maven 3

  • Build plugin to jar
  • put jar in $NEO4J_HOME/plugins/
  • restart neo4j database

Plugin "myplugin" 0.0.1 Dependencies

  • org.neo4j 3.5.8
  • 2.1
    @Description("myplugin.test('this is not a test')")
    public String test( @Name("any") String any ) {
        return any;

Please provide snippet of server's logs/debug.log containing a startup sequence.

Thank you, found and fixed. I probably should have started in the debug log myself.

2019-08-16 18:01:21.405+0000 WARN [o.n.k.i.p.Procedures] The function 'myplugin.test' is not on the whitelist and won't be loaded.

Documenting for anyone else who comes across this.

My understanding from Neo4j Docs: Securing Extensions was that and was only necessary if the function or procedure needed anything other than Log, TerminationGuard, or GraphDatabaseService.

While this is true, whitelist has additional behaviors only mentioned at the bottom of the Securing Extensions doc:

There are a few things that should be noted about :

  • If using this setting, no extensions other than those listed will be loaded. In particular, if it is set to the empty string, no extensions will be loaded.
  • The default of the setting is * . This means that if you do not explicitly give it a value (or no value), all libraries in the plugins directory will be loaded.
  • If the extensions pointed out by this parameter are programmed to access internal APIs, they also have to be explicitly allowed, as described in Section 9.1.1, “Sandboxing”.


Neo4j Desktop neo4j.conf*

Neo4j Server neo4j.conf*


Neo4j Server neo4j.conf*
1 Like

Just to clarify:

  • allows plugins to access insecure Neo4j components (e.g.: anything other than Log, TerminationGuard or GraphDatabaseService)
  • defaults to allow all functions from all plugins, but if specified only whitelisted functions will be loaded.

I was confusing the purpose of whitelist.

Your explanation is good, but not 100% precisely correct. It's not about accessing insecure components. It's about accessing components that potentially allow you to break out of the current security context. E.g. if your database user has only read permission, calling a unrestricted procedure might result in a write operation. So handle with care.

1 Like