I am currently working on a project that uses Spring Data Neo4j, and I am working on migrating from version 5 to the latest version 6.
In the previous version, we used a particular approach with spring data where each tenant had a credential set unique to them. Apparently, it is important for security concerns that this behaviour is conserved with the migration to Spring Data Neo4j 6, and I am wondering if this is possible in any way, or if this is planned to be supported.
I saw that there is the DatabaseSelectionProvider that exists, but I think I can only specify a database name and not a credential set.
The authentication is on a per-driver basis whereas in contrast the database selection can be done for every call. So we cannot easily provide other credentials without creating a whole new driver bean.
There is an alternative but not Neo4j DBMS driver solution for your problem, if this is what fits your need already. My colleague Michael wrote about this here: "Reactive multi-tenancy with Neo4j 4.0 and SDN/RX" (Michael Simons, Neo4j Developer Blog, Medium).
Due to the lack of anchors in Medium, I suggest searching for "Configuration time" to see if this is what you want and then reading the rest of the post to get the setup the application is running with.
The reason I am asking this is because my company is in the process of getting the SOC2 certification, and with this certification, we need the database access to be as small as possible per DB user, in a way that we have every tenant's environment isolated as much as possible.
We require something bigger than a DatabaseSelector: We need a DataSourceSelector, so that we can change what user performs the request to the database, or even completely target another Neo4j instance for that tenant if we want.
This is something available out of the box with our PostgreSQL database with Hibernate, but always seemed to lack with the Neo4j implementation, and I sincerely hoped this would be part of the Spring Data Neo4j 6.0.
Anyway, if this is not planned to be supported, do you know a way we could overwrite some components of the library to make this possible?
Hi! I am unsure if this is about the same application but it definitely sounds so.
So here's an example on how to do different connections and different databases:
Thank you for this answer. The issue you sent me is not for my project, but it's indeed a similar issue.
I'm not really sure how to manage the multiple driver implementation when using spring, because in your example, you call different repositories, while I want to call the exact same repository with a different tenant context, and the spring repository should select the right driver in the background for that tenant.
I think this is a not so bad start anyway, so I'll look into the code to see how I could inject a different driver instance per tenant.
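
Added example, not part of the thread and not Spring Data Neo4j's own code: because authentication is bound to the driver, per-tenant credentials mean one `Driver` per tenant. The sketch below caches one driver per tenant and fails closed when the tenant is missing or unknown, rather than falling back to a shared account. `TenantDriverRegistry`, `TenantConnection` and the lookup function are hypothetical names; it assumes Java 16+ and the Neo4j Java driver 4.x or later, and it does not cover wiring the selected driver into Spring repositories.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

import org.neo4j.driver.AuthTokens;
import org.neo4j.driver.Driver;
import org.neo4j.driver.GraphDatabase;
import org.neo4j.driver.Session;
import org.neo4j.driver.SessionConfig;

/** Hypothetical helper: one Driver per tenant, each authenticated as that tenant's DB user. */
public final class TenantDriverRegistry implements AutoCloseable {

    /** Hypothetical per-tenant settings; the URI may point at a different Neo4j instance. */
    public record TenantConnection(String uri, String user, String password, String database) {}

    // Assumption: the lookup is backed by a secrets store and returns null for unknown tenants.
    private final Function<String, TenantConnection> lookup;
    private final Map<String, Driver> drivers = new ConcurrentHashMap<>();

    public TenantDriverRegistry(Function<String, TenantConnection> lookup) {
        this.lookup = lookup;
    }

    // Fail closed: no tenant or an unknown tenant never gets a default/shared credential.
    private TenantConnection require(String tenantId) {
        if (tenantId == null || tenantId.isBlank()) {
            throw new IllegalStateException("no tenant in context");
        }
        TenantConnection c = lookup.apply(tenantId);
        if (c == null) {
            throw new IllegalStateException("unknown tenant: " + tenantId);
        }
        return c;
    }

    /** Returns the cached driver for the tenant, creating it with the tenant's own credentials. */
    public Driver driverFor(String tenantId) {
        TenantConnection c = require(tenantId);
        return drivers.computeIfAbsent(tenantId,
                id -> GraphDatabase.driver(c.uri(), AuthTokens.basic(c.user(), c.password())));
    }

    /** Opens a session on the tenant's driver, pinned to the tenant's database. */
    public Session sessionFor(String tenantId) {
        return driverFor(tenantId).session(SessionConfig.forDatabase(require(tenantId).database()));
    }

    @Override
    public void close() {
        drivers.values().forEach(Driver::close); // release every tenant's connection pool
        drivers.clear();
    }
}
```

Each cached driver holds its own connection pool, so the number of open connections grows with the number of active tenants.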