Example of using the Command Expansion on Windows
The Command Expansion feature, introduced in Neo4j 4.2, is a security feature to avoid having configuration parameters being written in the
neo4j.conf file in plain text.
The commands are executed within the child process by the user who owns and executes the Neo4j server. So, by definition, only the user running the Neo4j process/service would be able to use this feature.
The Command Expansion is very sensitive about the permissions assigned on the
neo4j.conf file. If the permissions are not set appropriately, then Neo4j fails to start showing messages similar to:
Exception in thread "main" java.lang.IllegalArgumentException: <NEO4J_HOME>/conf/neo4j.conf does not have the correct file permissions to evaluate commands. Has [OWNER_READ, OWNER_WRITE, OTHERS_READ, GROUP_READ], requires at most [OWNER_READ, OWNER_WRITE]. at org.neo4j.configuration.Config$Builder.validateFilePermissionForCommandExpansion(Config.java:314) at org.neo4j.configuration.Config$Builder.build(Config.java:287) at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:110) at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:90) at com.neo4j.server.enterprise.EnterpriseEntryPoint.main(EnterpriseEntryPoint.java:25) 2021-03-03 16:56:23.880+0000 INFO [c.n.s.e.EnterpriseBootstrapper] Neo4j Server shutdown initiated by request 2021-03-03 16:56:23.891+0000 INFO [c.n.s.e.EnterpriseBootstrapper] Stopped.
That’s why the need for this article!
Moreover, the Neo4j documentation has provided examples for the Linux based installs, so here is a fun example (step-by-step) of using the Command Expansion on Windows:
neo4j.conffile to have the following setting:
Create an environment variable:
Create a simple batch file
@ECHO OFF ECHO %MAX_DATABASES%
Change the permission on the
Read. Remove all user groups and user names except the user who owns and executes the Neo4j server. Refer to the picture below:
In the Linux world, this would be equivalent to
r-- --- ---, which is done by:
$chmod 400 neo4j.conf
Start Neo4j using the following command -
C:\neo4j-enterprise-4.2.3-windows\neo4j-enterprise-4.2.3\bin>neo4j console --expand-commands
During the start, the console would show the following INFO messages:
2021-03-04 03:17:40.575+0000 INFO Command expansion is explicitly enabled for configuration 2021-03-04 03:17:40.577+0000 INFO Executing external script to retrieve value of setting dbms.max_databases 2021-03-04 03:17:40.579+0000 INFO Starting... 2021-03-04 03:17:43.311+0000 INFO ======== Neo4j 4.2.3 ======== 2021-03-04 03:17:45.825+0000 INFO Sending metrics to CSV file at C:\neo4j-enterprise-4.2.3-windows\neo4j-enterprise-4.2.3\metrics 2021-03-04 03:17:45.860+0000 INFO Bolt enabled on 0.0.0.0:7617. 2021-03-04 03:17:46.818+0000 INFO Remote interface available at http://localhost:7414/ 2021-03-04 03:17:46.819+0000 INFO Started.
To confirm that the
dbms.max_databasesproperty has been set to
16, execute the following command in the Neo4j Browser:
CALL dbms.listConfig() YIELD name, value WHERE name = 'dbms.max_databases' RETURN value
The result would be
Note that by default, the file permissions on the
neo4j.conf would look as shown below.
All users such as
Users, etc. will need to be removed.
Was this page helpful?