cancel
Showing results for 
Search instead for 
Did you mean: 

Head's Up! Site migration is underway. Phase 2: migrate recent content

Custom Plugin UserFunction works desktop, not on server

Issue

Plugin loads and run fine in both the Desktop and the Server (other utilities still work fine in both environments).

Checks

// Function registered in dbms?
CALL dbms.functions() YIELD name, description
WHERE name CONTAINS "myplugin"
RETURN name, description

// Try to call the function
RETURN myplugin.test("Testify")

Deskop Result

  • function is registered in dbms.functions
  • function returns expected results

Server Result

  • function is not registered in dbms.functions
  • Neo.ClientError.Statement.SyntaxError: Unknown function 'myplugin.test'

Details

Neo4j Desktop 1.2.1

  • Browser 3.2.20
  • Neo4j 3.5.8

Neo4j Ubuntu 18.04

  • Browser 3.2.20 (loaded in Chrome via http://[IP]:7474/browser
  • Neo4j 3.5.8 Enterprise

Build IntelliJ IDEA and Maven 3

  • Build plugin to jar
  • put jar in $NEO4J_HOME/plugins/
  • restart neo4j database

Plugin "myplugin" 0.0.1 Dependencies

  • org.neo4j 3.5.8
  • javax.ws.rs 2.1
    @UserFunction
    @Description("myplugin.test('this is not a test')")
    public String test( @Name("any") String any ) {
        return any;
    }
1 ACCEPTED SOLUTION

Please provide snippet of server's logs/debug.log containing a startup sequence.

View solution in original post

4 REPLIES 4

Please provide snippet of server's logs/debug.log containing a startup sequence.

Just to clarify:

  • dbms.security.procedures.unrestricted allows plugins to access insecure Neo4j components (e.g.: anything other than Log, TerminationGuard or GraphDatabaseService)
  • dbms.security.procedures.whitelist defaults to allow all functions from all plugins, but if specified only whitelisted functions will be loaded.

I was confusing the purpose of whitelist.

Your explanation is good, but not 100% precisely correct. It's not about accessing insecure components. It's about accessing components that potentially allow you to break out of the current security context. E.g. if your database user has only read permission, calling a unrestricted procedure might result in a write operation. So handle with care.

Thank you, found and fixed. I probably should have started in the debug log myself.

2019-08-16 18:01:21.405+0000 WARN [o.n.k.i.p.Procedures] The function 'myplugin.test' is not on the whitelist and won't be loaded.

Documenting for anyone else who comes across this.

My understanding from Neo4j Docs: Securing Extensions was that dbms.security.procedures.unrestricted and dbms.security.procedures.whitelist was only necessary if the function or procedure needed anything other than Log, TerminationGuard, or GraphDatabaseService.

While this is true, whitelist has additional behaviors only mentioned at the bottom of the Securing Extensions doc:

There are a few things that should be noted about dbms.security.procedures.whitelist :

  • If using this setting, no extensions other than those listed will be loaded. In particular, if it is set to the empty string, no extensions will be loaded.
  • The default of the setting is * . This means that if you do not explicitly give it a value (or no value), all libraries in the plugins directory will be loaded.
  • If the extensions pointed out by this parameter are programmed to access internal APIs, they also have to be explicitly allowed, as described in Section 9.1.1, “Sandboxing”.

Cause

Neo4j Desktop neo4j.conf

dbms.security.procedures.unrestricted=apoc.*

Neo4j Server neo4j.conf

dbms.security.procedures.whitelist=apoc.*

Fix

Neo4j Server neo4j.conf

dbms.security.procedures.unrestricted=apoc.*