3

I'm using neo4j 1.9.4 and I would like to display some information about the graph on a (public) website using neo4jphp. In order to fetch some data I use cypher queries within neo4jphp. Those queries obviously only read data from the graph.

I have to make sure that visitors of the website are unable to modify any data in the graph. Therefore, I set up the authentication-extension plugin and created two users (one with read-only 'RO' and one with read-write 'RW' access rights) as documented there. However, the cypher queries within neo4jphp only work for the user with RW rights but not for the one with RO rights.

I know that http://docs.neo4j.org/chunked/stable/security-server.html#_security_in_depth pretty much explains how to secure neo4j, but I absolutely can't figure out how to do that. Especially the section "arbitrary_code_execution" seems to be interesting, but I don't know how to make use of it.

How can I achieve that reading cypher queries can be executed from the web server? BTW: The web server (to display some results) and neo4j are running on a different machine.

I would appreciate any help, thank you!

EDIT: My scenario is actually not that complicated, so I'm sure there must be a solution for that: From localhost any access (read write) is granted, whereas access from a remote web server is restricted to reading from the graph. How can I achieve that? If that is not possible: How could I restrict access from remote web server to some predefined (cypher) queries, where only some parameters can be supplied by the user?

user2752625
  • 83
  • 2
  • 9

2 Answers2

1

You should use apache proxy as explained in http://docs.neo4j.org/chunked/stable/security-server.html#_security_in_depth

The information you need is the URL to post a cypher query:

http://localhost:7474/db/data/cypher

neo4php is only a wrapper and will end up posting to that url. You can find more details here : http://docs.neo4j.org/chunked/milestone/rest-api-cypher.html

So basically this means that you only allow queries with the cypher url to have access to the neo4j server.

Regarding read only cypher queries :

I didn't check with neo4jphp, but if you use the REST API directly, you can set the database to read_only by adding to conf/neo4j.properties :

read_only=true

You can check in the webadmin that the server is indeed in read_only mode

enter image description here

Just tested it, the server will accept only read queries :

enter image description here

And will return the following response

{
"message": "Expected to be in a transaction at this point",
"exception": "InternalException",
"fullname": "org.neo4j.cypher.InternalException",
"stacktrace":
[...],
"fullname" : "org.neo4j.graphdb.NotInTransactionException"
}
bendaizer
  • 1,235
  • 9
  • 18
  • Thank you for your advice. However, this approach does not help me to limit the access to reading cypher queries, right? At least I can't see of a way how to differentiate between a reading and a writing cypher query. – user2752625 Oct 28 '13 at 09:11
  • You can see the answer to cypher read only in the edit. If neo4jphp doesn't let you do that, you will need to write your own wrapper to your cypher queries. It shouldn't be very hard. I suppose you can use curl with php. – bendaizer Oct 28 '13 at 09:48
  • Once again, thank you. I already had this approach in mind, but if I'm correct, *read_only* is a global setting which also restricts access to localhost - and this is where I want to allow write access from. So I think this does not really help me. – user2752625 Oct 28 '13 at 09:53
  • yes it's a global setting ! well in this case, the only thing left is to use tricks like having a set of forbidden words to check against for each query. Or you shouldn't let you users write custom cypher queries, but simply have access to a set of predefined ones. – bendaizer Oct 28 '13 at 09:59
  • 2
    Okay, that's what I am going to do: offering predefined queries. I just thought it would be easily possible and definitely more safe to restrict the access on the neo4j server instead of sanitizing the input on the website. Thank you! – user2752625 Oct 28 '13 at 11:10
  • oh thanks for accepting the answer :) even though it is not exactly what you were expecting ! – bendaizer Oct 28 '13 at 23:10
1

An alternative answer is to use the Cypher-RS plugin. There is a 1.9 branch.

This allows you to create endpoints that are in essense a single cypher query. (So the query must be predefined).

You could use the mod proxy to restrict to only these predefined queries. I'm not sure if mod proxy allows you to restrict to only GET requests, but if it does, you could allow access to GET requests for the plugin, because it won't allow modification queries to be GET requests.

https://github.com/jexp/cypher-rs

LameCoder
  • 1,287
  • 7
  • 22