
An Example of Using Command Expansion on Windows

Command Expansion, introduced in Neo4j 4.2, is a security feature that avoids writing configuration parameters in plain text in the neo4j.conf file.

The commands are executed within a child process by the user who owns and executes the Neo4j server. So, by definition, only the user running the Neo4j process/service is able to use this feature.

Command Expansion is strict about the permissions assigned on the neo4j.conf file. If the permissions are not set appropriately, Neo4j fails to start and shows messages similar to:

Exception in thread "main" java.lang.IllegalArgumentException:
<NEO4J_HOME>/conf/neo4j.conf does not have the correct file permissions to evaluate commands.
Has [OWNER_READ, OWNER_WRITE, OTHERS_READ, GROUP_READ], requires at most [OWNER_READ, OWNER_WRITE].
        at org.neo4j.configuration.Config$Builder.validateFilePermissionForCommandExpansion(Config.java:314)
        at org.neo4j.configuration.Config$Builder.build(Config.java:287)
        at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:110)
        at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:90)
        at com.neo4j.server.enterprise.EnterpriseEntryPoint.main(EnterpriseEntryPoint.java:25)
2021-03-03 16:56:23.880+0000 INFO  [c.n.s.e.EnterpriseBootstrapper] Neo4j Server shutdown initiated by request
2021-03-03 16:56:23.891+0000 INFO  [c.n.s.e.EnterpriseBootstrapper] Stopped.

That is why this article was needed!

Moreover, the Neo4j documentation provides examples for Linux-based installs, so here is a fun step-by-step example of using Command Expansion on Windows:

  • Modify the neo4j.conf file to contain the following setting

dbms.max_databases=$(my_setting.bat)
  • Create an environment variable

MAX_DATABASES=16
  • Create a simple batch file, my_setting.bat

@ECHO OFF
ECHO %MAX_DATABASES%
  • Change the permission on the neo4j.conf file to Read. Remove all user groups and user names except the user who owns and executes the Neo4j server. Refer to the picture below.

[Image: CorrectFilePermissions]

In a Linux environment, this is equivalent to r-- --- ---, which is done by

$ chmod 400 neo4j.conf
  • Start Neo4j with the following command:

C:\neo4j-enterprise-4.2.3-windows\neo4j-enterprise-4.2.3\bin>neo4j console --expand-commands

During startup, the console shows the following INFO messages:

2021-03-04 03:17:40.575+0000 INFO  Command expansion is explicitly enabled for configuration
2021-03-04 03:17:40.577+0000 INFO  Executing external script to retrieve value of setting dbms.max_databases
2021-03-04 03:17:40.579+0000 INFO  Starting...
2021-03-04 03:17:43.311+0000 INFO  ======== Neo4j 4.2.3 ========
2021-03-04 03:17:45.825+0000 INFO  Sending metrics to CSV file at C:\neo4j-enterprise-4.2.3-windows\neo4j-enterprise-4.2.3\metrics
2021-03-04 03:17:45.860+0000 INFO  Bolt enabled on 0.0.0.0:7617.
2021-03-04 03:17:46.818+0000 INFO  Remote interface available at https://:7414/
2021-03-04 03:17:46.819+0000 INFO  Started.
  • To confirm that the dbms.max_databases property has been set to 16, execute the following command in the Neo4j Browser:

CALL dbms.listConfig() YIELD name, value WHERE name = 'dbms.max_databases' RETURN value

The result would be 16.

Note that by default, the file permissions on neo4j.conf look as shown below.

[Image: IncorrectFilePermissions]

All users such as Authenticated Users, SYSTEM, Administrators, Users, etc. will need to be removed.
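
The permission change described above can also be scripted and verified from PowerShell instead of the file properties dialog. This is an added example, not part of the original article or of Neo4j's own tooling; the path in $conf is a placeholder, the helper name Get-ForeignAce is hypothetical, and it assumes the current user is the account that owns and runs the Neo4j server.

```powershell
# Added example. Assumptions: $conf is a placeholder path, and the current
# user is the account that owns and runs the Neo4j server.
$conf    = 'C:\neo4j\conf\neo4j.conf'
$account = "$env:USERDOMAIN\$env:USERNAME"

function Get-ForeignAce {
    # Return every ACE on $Path that belongs to a principal other than $Account.
    param([string]$Path, [string]$Account)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Compare SIDs, not display names, so name formatting cannot cause a mismatch.
    $ownSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -ne $ownSid.Value }
}

# 1. Audit: list the entries (Users, SYSTEM, Administrators, ...) that would
#    make Neo4j reject the file when command expansion is enabled.
Get-ForeignAce -Path $conf -Account $account |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 2. Drop inherited ACEs and replace the account's own grant with Read only.
icacls $conf /inheritance:r /grant:r "${account}:(R)" | Out-Null

# 3. Remove explicit ACEs that remain for other principals.
#    icacls accepts a numeric SID when it is prefixed with '*'.
Get-ForeignAce -Path $conf -Account $account | ForEach-Object {
    icacls $conf /remove "*$($_.IdentityReference.Value)" | Out-Null
}

# 4. Verify before starting Neo4j with --expand-commands.
$left = @(Get-ForeignAce -Path $conf -Account $account)
if ($left.Count -eq 0) {
    Write-Output "neo4j.conf is accessible only by $account"
} else {
    Write-Warning "Other principals still have access to neo4j.conf:"
    $left | Format-Table IdentityReference, FileSystemRights -AutoSize
}
```

Run it in a session of the Neo4j service account; if that account does not own the file, the icacls calls need an elevated prompt.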
