Issue
Plugin loads and runs fine in both the Desktop and the Server (other utilities still work fine in both environments).
Checks
// Function registered in dbms?
CALL dbms.functions() YIELD name, description
WHERE name CONTAINS "myplugin"
RETURN name, description
// Try to call the function
RETURN myplugin.test("Testify")
Desktop Result
- function is registered in dbms.functions
- function returns expected results
Server Result
- function is not registered in dbms.functions
Neo.ClientError.Statement.SyntaxError: Unknown function 'myplugin.test'
Details
Neo4j Desktop 1.2.1
- Browser 3.2.20
- Neo4j 3.5.8
Neo4j Ubuntu 18.04
- Browser 3.2.20 (loaded in Chrome via http://[IP]:7474/browser)
- Neo4j 3.5.8 Enterprise
Build IntelliJ IDEA and Maven 3
- Build plugin to jar
- put jar in $NEO4J_HOME/plugins/
- restart neo4j database
Plugin "myplugin" 0.0.1 Dependencies
- org.neo4j 3.5.8
- javax.ws.rs 2.1
@UserFunction
@Description("myplugin.test('this is not a test')")
public String test( @Name("any") String any ) {
    return any;
}
Please provide a snippet of the server's logs/debug.log containing a startup sequence.
Thank you, found and fixed. I probably should have started in the debug log myself.
2019-08-16 18:01:21.405+0000 WARN [o.n.k.i.p.Procedures] The function 'myplugin.test' is not on the whitelist and won't be loaded.
Documenting for anyone else who comes across this.
My understanding from Neo4j Docs: Securing Extensions was that dbms.security.procedures.unrestricted and dbms.security.procedures.whitelist were only necessary if the function or procedure needed anything other than Log, TerminationGuard, or GraphDatabaseService.
While this is true, whitelist has additional behaviors only mentioned at the bottom of the Securing Extensions doc:
There are a few things that should be noted about dbms.security.procedures.whitelist:
- If using this setting, no extensions other than those listed will be loaded. In particular, if it is set to the empty string, no extensions will be loaded.
- The default of the setting is *. This means that if you do not explicitly give it a value (or no value), all libraries in the plugins directory will be loaded.
- If the extensions pointed out by this parameter are programmed to access internal APIs, they also have to be explicitly allowed, as described in Section 9.1.1, “Sandboxing”.
Cause
Neo4j Desktop neo4j.conf
dbms.security.procedures.unrestricted=apoc.*
Neo4j Server neo4j.conf
dbms.security.procedures.whitelist=apoc.*
Fix
Neo4j Server neo4j.conf
dbms.security.procedures.unrestricted=apoc.*
Just to clarify:
- dbms.security.procedures.unrestricted allows plugins to access insecure Neo4j components (e.g.: anything other than Log, TerminationGuard or GraphDatabaseService)
- dbms.security.procedures.whitelist defaults to allow all functions from all plugins, but if specified only whitelisted functions will be loaded.
I was confusing the purpose of whitelist.
Your explanation is good, but not 100% precisely correct. It's not about accessing insecure components. It's about accessing components that potentially allow you to break out of the current security context. E.g. if your database user has only read permission, calling an unrestricted procedure might result in a write operation. So handle with care.
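A pre-deployment check for the two settings discussed in this thread, as an added example that is not part of the original posts or of Neo4j's own code. It reads a neo4j.conf and reports, for each procedure or function name, whether the whitelist would load it and whether it would run unrestricted. The helper names (`parse_conf`, `matches`, `audit`) are hypothetical, and it assumes patterns are comma-separated with `*` as the only wildcard.

```python
import re

WHITELIST = "dbms.security.procedures.whitelist"
UNRESTRICTED = "dbms.security.procedures.unrestricted"

def parse_conf(text):
    """Return the key=value settings of a neo4j.conf, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def matches(patterns, name):
    """True if name matches any comma-separated pattern.
    Assumption: '*' is the only wildcard; every other character is literal."""
    for pattern in (p.strip() for p in patterns.split(",")):
        if pattern and re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), name):
            return True
    return False

def audit(conf_text, names):
    """Map each procedure/function name to (loaded, unrestricted)."""
    settings = parse_conf(conf_text)
    # An unset whitelist defaults to '*'; an empty value loads nothing.
    whitelist = settings.get(WHITELIST, "*")
    # Nothing runs unrestricted unless it is listed explicitly.
    unrestricted = settings.get(UNRESTRICTED, "")
    return {
        name: (matches(whitelist, name), matches(unrestricted, name))
        for name in names
    }

# Constructed sample inputs mirroring the server configuration before and after the fix.
SERVER_BEFORE = "dbms.security.procedures.whitelist=apoc.*\n"
SERVER_AFTER = "dbms.security.procedures.unrestricted=apoc.*\n"
NAMES = ["myplugin.test", "apoc.coll.sum"]

if __name__ == "__main__":
    for label, conf in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        for name, (loaded, unrestricted) in audit(conf, NAMES).items():
            print(f"{label}: {name} loaded={loaded} unrestricted={unrestricted}")
```

Keeping the whitelist and adding the plugin to it (for example `apoc.*,myplugin.*`) also loads `myplugin.test`, without granting any namespace unrestricted access.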