A Gotcha With Running Neo4j 3.2 With APOC in Docker
With the release of Neo4j 3.2, a little gotcha was introduced if you're running APOC with Neo4j in Docker. See what exactly that gotcha is and how you can deal with it.
Join the DZone community and get the full member experience.Join For Free
Neo4j 3.2.0 was released last week at GraphConnect Europe. Among lots of cool new features, unfortunately, it has one new “feature” making the lives of APOC users little bit harder, especially if you run Neo4j from Docker.
Since 3.0, you've been able to enrich Cypher with your own stored procedures. Those are written in Java (or any other JVM language) and get deployed to the
/plugins folder. In 3.1, user-defined functions were added, followed by aggregate functions in 3.2.
All of them use annotations like
@Context GraphDatabaseService db to retrieve a reference to the database itself. For getting deeper into Neo4j’s machinery room, one could have
@Context GraphDatabaseAPI api to allow you full access. This full access can be abused to break out of the permissions system added in 3.1.
Therefore, in 3.2, all procedures and functions run in a sandboxed environment disallowing potentially harmful dependencies like
GraphDatabaseAPI from being injected. Using a config option
dbms.security.procedures.unrestricted=<procedure names> , you can deactivate the sandboxing for a given list of procedures. This config option also allows wildcards like
A couple of procedure/functions in APOC depend on using internal components and therefore need to be added as unrestricted procedures. This can be achieved by using
apoc.* as a value for this config option.
In a regular (AKA non-Docker) deployment, you would just adopt
conf/neo4j.conf with that setting.
When starting a Neo4j docker container, you can dynamically amend config settings using
-e. Everything starting with
-e NEO4J_<configKey>=<convifgValue> will be amended to the config file. Be aware that dots need be rewritten with an underscore.
There's a gotcha! Trying to use
-e NEO4J_dbms_security_procedures_unrestricted=apoc.* does not work since the shell expands the wildcard
* with all file in current directory. Even
apoc.\* doesn’t help. I suspect docker internally tries another expansion. What I found finally working is using three backslashes:
My typical Docker command for firing up a throw-away database to be used for demos and trainings typically looks like this:
docker run --rm -e NEO4J_AUTH=none \ -e NEO4J_dbms_security_procedures_unrestricted=apoc.\\\* \ -v $PWD/plugins:/plugins \ -p 7474:7474 -p 7687:7687 neo4j:3.2.0-enterprise
Of course, the APOC JAR file needs to reside in
plugins folder of the directory where the command is fired from.
Published at DZone with permission of Stefan Armbruster, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.