memgraph / memgraph-platform

Memgraph Platform is a multi-container application containing Memgraph+MAGE and Memgraph Lab.
Apache License 2.0

Memgraph does not have default username/password #76

Open Xmaxer opened 1 year ago

Xmaxer commented 1 year ago

I set up Memgraph using docker-compose like so:

version: '3.8'
services:
  batbard_memgraph:
    image: memgraph/memgraph-platform:2.11.1-memgraph2.11.0-lab2.8.3
    restart: always
    ports:
      - "7687:7687"
      - "4000:3000"
      - "7444:7444"
    volumes:
      - memgraph_lib:/var/lib/memgraph
      - memgraph_etc:/etc/memgraph
    env_file:
      - ./memgraph/.env
    entrypoint: [ "/usr/bin/supervisord" ]

and I have an environment file, correctly created at memgraph/.env relative to the docker-compose:

MEMGRAPH="--log-level=TRACE"
MGCONSOLE="--username=admin --password=XXXXXXX"

And the instance launches fine. But the username/password is not set and when I attempt to open the console, it does not ask me for a password at all. Anyone can just connect.

What's the issue here?

I also do think just allowing remote (non-localhost) connections freely when authentication was not set up correctly is a serious risk. For example, with Redis, if you don't configure an admin password it will automatically reject connections from anything outside. Memgraph just allows anyone regardless.

Here are the logs from the startup:

2023-10-30T16:16:22.014+00:00 | /usr/lib/python3/dist-packages/supervisor/options.py:474: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
2023-10-30T16:16:22.015+00:00 | self.warnings.warn(
2023-10-30T16:16:22.017+00:00 | 2023-10-30 16:16:22,017 INFO Included extra file "/etc/supervisor/programs/lab.conf" during parsing
2023-10-30T16:16:22.029+00:00 | 2023-10-30 16:16:22,028 INFO Included extra file "/etc/supervisor/programs/memgraph.conf" during parsing
2023-10-30T16:16:22.029+00:00 | 2023-10-30 16:16:22,029 INFO Set uid to user 0 succeeded
2023-10-30T16:16:22.030+00:00 | 2023-10-30 16:16:22,030 INFO supervisord started with pid 1
2023-10-30T16:16:23.038+00:00 | 2023-10-30 16:16:23,033 INFO spawned: 'memgraph' with pid 6
2023-10-30T16:16:23.038+00:00 | 2023-10-30 16:16:23,034 INFO spawned: 'lab' with pid 7
2023-10-30T16:16:23.073+00:00 | You are running Memgraph v2.11.0
2023-10-30T16:16:23.073+00:00 | To get started with Memgraph, visit https://memgr.ph/start
2023-10-30T16:16:23.575+00:00 | [2023-10-30 16:16:23.513] INFO: [lab] Lab is running at http://localhost:3000 in platform mode
2023-10-30T16:16:24.576+00:00 | 2023-10-30 16:16:24,576 INFO success: memgraph entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2023-10-30T16:16:24.577+00:00 | 2023-10-30 16:16:24,576 INFO success: lab entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

antejavor commented 1 year ago

Hi @Xmaxer, this has been causing some confusion for a while now. We will look into this tomorrow and get back with some concrete information.

Sorry for the bit of delay here.

antejavor commented 1 year ago

Hi @Xmaxer, thanks for bringing this up. I have two questions for you that would clarify this issue a bit further:

To provide a bit of clarity on the security issue: by default, we do not have a default user and password set, which means your observation is correct. Everyone is able to connect to Memgraph if the proper endpoint and ports are provided.

This is not ideal from a security perspective, but it is probably a thing we will change in the future. After the user is created, you need to provide the auth data.

This brings me to providing the actual auth data to Memgraph. Memgraph currently supports the following ENV variables.

This won't work for mgconsole since it takes just args.

In order to provide the ENV from docker-compose context you would need to do something like this:

.env

MEMGRAPH="--log-level=TRACE"
MEMGRAPH_USER="test"
MEMGRAPH_PASSWORD="testpass"

./mgconsole --username=$MEMGRAPH_USER --password=$MEMGRAPH_PASSWORD

Thanks for asking this, we will probably update the docs a bit more regarding passing the variables.
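As an added illustration of the misconfiguration discussed above (not code from the thread or from the Memgraph project), the following Python audit reads a compose file and a `.env` file and flags the failure mode reported here: an `MGCONSOLE` line that only configures the CLI client, no `MEMGRAPH_USER`/`MEMGRAPH_PASSWORD` pair to create the initial user, and the Bolt port 7687 published on all interfaces while no user exists. The sample compose and `.env` contents are constructed to mirror the ones posted in this issue; the port regex and the assumption that `MEMGRAPH_USER`/`MEMGRAPH_PASSWORD` create the initial user follow the reply above.

```python
import re

# Constructed sample inputs mirroring the thread: the original .env that only
# configures mgconsole, and a corrected one that sets the initial user.
ENV_BROKEN = 'MEMGRAPH="--log-level=TRACE"\nMGCONSOLE="--username=admin --password=XXXXXXX"\n'
ENV_FIXED = 'MEMGRAPH="--log-level=TRACE"\nMEMGRAPH_USER="test"\nMEMGRAPH_PASSWORD="testpass"\n'
COMPOSE = '''services:
  batbard_memgraph:
    image: memgraph/memgraph-platform:2.11.1-memgraph2.11.0-lab2.8.3
    ports:
      - "7687:7687"
      - "4000:3000"
      - "7444:7444"
'''

def parse_env(text):
    """Parse KEY=value / KEY="value" lines of a dotenv file into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

# Matches compose short-syntax port entries: - "[host:]hostport:containerport"
PORT_RE = re.compile(r'-\s*"?(?:(?P<host>[\d.]+):)?(?P<hport>\d+):(?P<cport>\d+)"?')

def exposed_bolt_ports(compose_text):
    """Return (bind address, host port) pairs that publish container port 7687 (Bolt)."""
    found = []
    for m in PORT_RE.finditer(compose_text):
        if m.group("cport") == "7687":
            found.append((m.group("host") or "0.0.0.0", m.group("hport")))  # no host => all interfaces
    return found

def audit(compose_text, env_text):
    """Return findings describing an unauthenticated, remotely reachable deployment."""
    env = parse_env(env_text)
    findings = []
    has_user = bool(env.get("MEMGRAPH_USER")) and bool(env.get("MEMGRAPH_PASSWORD"))
    if "MGCONSOLE" in env and not has_user:
        findings.append("MGCONSOLE only configures the CLI client; it does not create a server user")
    if not has_user:
        findings.append("no initial user: MEMGRAPH_USER/MEMGRAPH_PASSWORD are not set")
    for host, hport in exposed_bolt_ports(compose_text):
        if host in ("0.0.0.0", "::") and not has_user:
            findings.append(f"Bolt port {hport} is published on {host} without authentication")
    return findings
```

Binding the port to `127.0.0.1:7687:7687` in the compose file, or setting the two user variables, clears the corresponding findings.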

antejavor commented 1 year ago

For added clarity, from version 2.10.1, we changed how the platform is being run, so this piece of docs needs to be updated. We will update it as soon as possible.

Xmaxer commented 1 year ago

Did you create any users in Memgraph?

Nope, it most likely would have worked though, so I don't believe it'll be an issue once a user is created. Sorry I didn't get that far!

Have you tried connecting mgconsole to Memgraph, and how did you plan on using mgconsole?

I have not, and unless a requirement comes up, I probably won't use the mgconsole CLI. I think that's my fault for not clarifying: I was connecting via the Memgraph Lab UI that comes with that particular docker image.

For added clarity, from version 2.10.1, we changed how the platform is being run, so this piece of docs needs to be updated. We will update it as soon as possible.

Thanks a lot for showing the latest docs, I will give it a go now! Indeed those are the docs I read, and not the other one. I am in the middle of exploring this instead of Neo4J, hence why I didn't try much after my default password setup didn't work.

Xmaxer commented 1 year ago

This is not ideal from a security perspective, but it is probably a thing we will change in the future. After the user is created, you need to provide the auth data.

Also, now that I know how to (hopefully successfully) create a default user/password, I guess this might be a nice-to-have more than anything. There are two usual ways I see this working: either automatically create a default username/password (I think Sonatype Nexus does this) or restrict connections to local connections only until a user is created (similar to Redis).

katarinasupe commented 11 months ago

Hi @Xmaxer, how is your project going? You mentioned being in the middle of exploring Memgraph instead of Neo4j so I was wondering if you made any progress? If you need help, we can always hop on a call.

Xmaxer commented 10 months ago

Hi @katarinasupe. I got around to it this weekend, and can confirm authentication works as expected with the initial username/password which is great. Thanks again for all the clarifications and assistance from the Memgraph team.

Only thing now is exporting/importing data from neo4j to memgraph. I tried following these docs: https://memgraph.com/docs/data-migration/migrate-from-neo4j

But I noticed all the node/relationships imported via CSV have to be manually constructed. Which seems extremely error prone, given the CSV contains all the information needed to automate it surely?

I did also attempt to export a 'plain' format cypher file from Neo4j, and attempted to import it using the Memgraph lab import tool, but that just gives errors unfortunately.

Is there a way to seamlessly import data between the two without manual construction of labels/relationships?

This topic is definitely unrelated to this issue, so happy to raise it elsewhere! Let me know. Thanks.

katarinasupe commented 10 months ago

Hi @Xmaxer, we have a bash script to convert Neo4j cypherl to Memgraph's, but it is probably still imperfect. You can check it out if you'd like. Other than that, Memgraph Lab (>=2.11) provides a CSV import configuration tool that might ease the import process. One blog post on that topic is in progress and I can share it with you once it's done. To talk more about this, please join our Discord server and ask the same in one of our channels, or schedule an office hours call with the developer experience team 😄

katarinasupe commented 8 months ago

Hi @Xmaxer, just wanted to let you know that we updated our docs with the best practices for import that might help you in the migration process. Recently, there have been some improvements in query parameters as well. How is your project going?

katarinasupe commented 4 months ago

Hi @Xmaxer, I wanted to notify you that you can create a user with the init file flag and in that way limit access to the database on start. Recently, we also implemented SSO in the Enterprise version of Memgraph.

Is your project with Memgraph progressing well? Do you have any blockers? I would love to catch up with you. If you're up for it, please schedule an office hours call to talk.