Configure Neo4J with Puppet

For a new project, our team put together a lightweight application architecture centered on Neo4J, a graph-based database. This was the first time we used a graph-based database, and the first time we built an automated deployment process to install and configure it.

Neo4J allows extensive customization of its own configuration as well as of the JVM on which the Neo4J service runs. For reference, Neo4J can be accessed through a REST API or through an interactive shell API. My task was to automate the authentication settings with Puppet so that the database is not publicly accessible. Additionally, I wanted to define a user with a password as credentials to restrict access.

Neo4J stores this user information in the file *data/dbms/auth*. In this file, the user name is stored in plain text, the password as a SHA256 hash, and there are some additional values. To avoid inconsistencies with Neo4J, I want to use Neo4J itself to change the user credentials.

The default user created by the service is *neo4j* with the password *neo4j*. To change the password, you can use the REST API of Neo4J.

curl -X POST http://neo4j:neo4j@localhost:7474/user/neo4j/password \
    -d 'password=new_password'


To change the user name, in our case that of the *neo4j* user, run the *sed* command on the *data/dbms/auth* file:

sed -i 's/neo4j/${params::dbuser}/g' data/dbms/auth


The Puppet code looks like the following; it first checks whether the user name has already been altered:

    
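# Set neo4j user authentication.
# The relative path data/dbms/auth assumes the exec runs in the Neo4J directory.
exec { 'update-neo4j-password':
    # Change the default password via the REST API, then rename the user in the auth file.
    command => "curl -X POST http://neo4j:neo4j@localhost:7474/user/neo4j/password -d 'password=${params::dbpass}'; sed -i 's/neo4j/${params::dbuser}/g' data/dbms/auth",
    # Run only while the auth file still starts with the default user name.
    onlyif  => ["test `head -c 5 data/dbms/auth` = 'neo4j'"],
    before  => [Exec['start-neo4j-service']],
    require => [Exec['install-neo4j-service']],
}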


Of course, changing the user credentials only makes sense if authentication is enabled. So set the *dbms.security.auth_enabled* value in the *conf/neo4j-server.properties* file:

dbms.security.auth_enabled=true


In our case, we additionally closed all ports (except for 80 and 443), so that only connections from localhost are allowed to reach Neo4J. For the latter, you can set the following configuration in *conf/neo4j-server.properties*:

org.neo4j.server.webserver.address=localhost


Finally, restart the Neo4J service to apply the changed settings.
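
As a post-deployment check for the settings above, the following shell function (an added example, not part of the original post) reports whether authentication is enabled, the web server address is local, and the auth file no longer starts with the default user. The function names `prop_value` and `neo4j_auth_audit` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the settings the article configures.
# File layout under the Neo4J directory is taken from the article.

# Print the effective (last uncommented) value of a key in a properties file.
prop_value() {  # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                  # comment line
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v               # later entries override earlier ones
        }
        END { print val }' "$1" 2>/dev/null
}

# Return 0 only if auth is on, the listener is local, and the default user is gone.
neo4j_auth_audit() {  # $1 = Neo4J directory
    conf="$1/conf/neo4j-server.properties"; auth="$1/data/dbms/auth"; rc=0
    [ "$(prop_value "$conf" dbms.security.auth_enabled)" = "true" ] ||
        { echo "FAIL: dbms.security.auth_enabled is not true"; rc=1; }
    case "$(prop_value "$conf" org.neo4j.server.webserver.address)" in
        localhost|127.0.0.1) ;;
        *) echo "FAIL: web server address is not localhost"; rc=1 ;;
    esac
    if [ ! -s "$auth" ]; then
        echo "FAIL: $auth is missing or empty"; rc=1
    elif [ "$(head -c 5 "$auth")" = "neo4j" ]; then   # same test as the onlyif above
        echo "FAIL: auth file still starts with the default user neo4j"; rc=1
    fi
    return "$rc"
}

# Constructed sample: an untouched install (values below are made up for the demo).
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/data/dbms"
printf '%s\n' '#dbms.security.auth_enabled=true' \
    'org.neo4j.server.webserver.address=0.0.0.0' > "$demo/conf/neo4j-server.properties"
printf 'neo4j:CONSTRUCTED-HASH\n' > "$demo/data/dbms/auth"
neo4j_auth_audit "$demo" || echo "audit failed, as expected for defaults"
rm -rf "$demo"
```

Call `neo4j_auth_audit` with the Neo4J directory as its only argument; it returns non-zero if any of the three checks fails.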


Posted by Florian Horn on 29.09.2015

Tags: Puppet, Neo4J
