neo4j-contrib / neo4j-apoc-procedures

Awesome Procedures On Cypher for Neo4j - codenamed "apoc"
https://neo4j.com/labs/apoc
Apache License 2.0

Security error with apoc executing cypher code (apoc.when) #3161

Closed wadael closed 1 year ago

wadael commented 2 years ago

Expected Behavior

Cypher code in apoc.when to be executed

Actual Behavior

Getting a Neo.ClientError.Security.Forbidden with this message: Create node with labels 'Ville' on database 'neo4j' is not allowed for user 'foo' with roles [PUBLIC, architect] restricted to READ. (user has architect role, same behaviour with neo4j)

I looked into ApocConfig for a setting I would have forgotten: https://github.com/neo4j-contrib/neo4j-apoc-procedures/blob/071eb592a6afe26840219e3fe00e20fda56b36e1/core/src/main/java/apoc/ApocConfig.java

How to Reproduce the Problem

Here is the code:

LOAD CSV WITH HEADERS FROM 'file:///Faulty.csv' AS line
CALL apoc.when(line.town IS NOT NULL,
"MERGE (v:Ville {name: line.town, height: line.height})",
"",{line: line}
) YIELD value
RETURN value

Simple Dataset (where it's possible)

name,town,country,height
Galata Tower,,Turkey,67
Belem Tower,Lisbon,,30
CN Tower,,553
,London,United Kingdom,96
Leaning tower,Pisa,Italia,56
Eiffel Tower,Paris,France,300

Steps (Mandatory)

  1. Set apoc config properties
  2. apoc.import.file.enabled=true
  3. apoc.import.file.use_neo4j_config=true
  4. apoc.export.file.enabled=true
  5. drop file in import folder
  6. run cypher sample

Specifications (Mandatory)

Seems there are other issues with making APOC write in the graph, see https://community.neo4j.com/t5/neo4j-graph-platform/permission-issue-when-writing-updating-with-apoc-periodic/m-p/56736

And the older https://stackoverflow.com/questions/49206988/neo4j-apoc-write-operations-are-not-allowed-for-user-neo4j-with-full-restricte

Tried to invert authent and author providers in reverse order in conf like this: dbms.security.authorization_providers=plugin-com.neo4j.plugin.jwt.auth.JwtAuthPlugin,native without luck solving the issue

Currently used versions

Versions

vga91 commented 1 year ago

@wadael

The apoc.when doesn't allow you to execute MERGE ..., or any other query that writes in the database.

Can you try using apoc.do.when instead? That is:

LOAD CSV WITH HEADERS FROM 'file:///Faulty.csv' AS line
CALL apoc.do.when(line.town IS NOT NULL,
"MERGE (v:Ville {name: line.town, height: line.height})",
"",{line: line}
) YIELD value
RETURN value

This procedure is analogous to the other one, but allows you to also execute write queries. See here.


I'm closing the issue for the moment, but if you still have problems, feel free to reopen it.
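
An added example, not part of the original thread and not the APOC project's own code: the "restricted to READ" in the error reflects the mode of the procedure running the nested query, which can be inspected, and apoc.when remains usable as a read-only dry run of the import before switching to apoc.do.when. It assumes a Neo4j version that supports SHOW PROCEDURES (4.3 or later), both procedures installed, and the Faulty.csv file from the issue; the returned column names (tower, town, action) are made up for the illustration.

```cypher
// 1. Inspect the declared mode of the two procedures from this issue.
//    As the answer above says, apoc.when cannot run write queries;
//    the mode column is where that restriction is visible. The roles
//    of the calling user do not widen a procedure's mode.
SHOW PROCEDURES
YIELD name, mode
WHERE name IN ['apoc.when', 'apoc.do.when']
RETURN name, mode
ORDER BY name;

// 2. Read-only dry run with apoc.when: report which CSV rows the
//    import would MERGE and which it would skip, without writing.
//    Both branch queries only RETURN, so they fit a read-only call.
LOAD CSV WITH HEADERS FROM 'file:///Faulty.csv' AS line
CALL apoc.when(line.town IS NOT NULL,
  "RETURN line.name AS tower, line.town AS town, 'merge' AS action",
  "RETURN line.name AS tower, line.town AS town, 'skip' AS action",
  {line: line}
) YIELD value
RETURN value.tower AS tower, value.town AS town, value.action AS action;
```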