Example of using the Command Expansion on Windows
The Command Expansion feature, introduced in Neo4j 4.2, is a security feature to avoid having configuration parameters being written in the neo4j.conf file in plain text.
The commands are executed within the child process by the user who owns and executes the Neo4j server. So, by definition, only the user running the Neo4j process/service would be able to use this feature.
The Command Expansion is very sensitive about the permissions assigned on the neo4j.conf file. If the permissions are not set appropriately, then Neo4j fails to start showing messages similar to:
Exception in thread "main" java.lang.IllegalArgumentException:
<NEO4J_HOME>/conf/neo4j.conf does not have the correct file permissions to evaluate commands.
Has [OWNER_READ, OWNER_WRITE, OTHERS_READ, GROUP_READ], requires at most [OWNER_READ, OWNER_WRITE].
at org.neo4j.configuration.Config$Builder.validateFilePermissionForCommandExpansion(Config.java:314)
at org.neo4j.configuration.Config$Builder.build(Config.java:287)
at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:110)
at org.neo4j.server.NeoBootstrapper.start(NeoBootstrapper.java:90)
at com.neo4j.server.enterprise.EnterpriseEntryPoint.main(EnterpriseEntryPoint.java:25)
2021-03-03 16:56:23.880+0000 INFO [c.n.s.e.EnterpriseBootstrapper] Neo4j Server shutdown initiated by request
2021-03-03 16:56:23.891+0000 INFO [c.n.s.e.EnterpriseBootstrapper] Stopped.That’s why the need for this article!
Moreover, the Neo4j documentation has provided examples for the Linux based installs, so here is a fun example (step-by-step) of using the Command Expansion on Windows:
-
Change the
neo4j.conffile to have the following setting:
dbms.max_databases=$(my_setting.bat)-
Create an environment variable:
MAX_DATABASES=16-
Create a simple batch file
my_setting.bat:
@ECHO OFF
ECHO %MAX_DATABASES%-
Change the permission on the
neo4j.conffile toRead. Remove all user groups and user names except the user who owns and executes the Neo4j server. Refer to the picture below:
In the Linux world, this would be equivalent to r-- --- ---, which is done by:
$chmod 400 neo4j.conf-
Start Neo4j using the following command -
C:\neo4j-enterprise-4.2.3-windows\neo4j-enterprise-4.2.3\bin>neo4j console --expand-commandsDuring the start, the console would show the following INFO messages:
2021-03-04 03:17:40.575+0000 INFO Command expansion is explicitly enabled for configuration
2021-03-04 03:17:40.577+0000 INFO Executing external script to retrieve value of setting dbms.max_databases
2021-03-04 03:17:40.579+0000 INFO Starting...
2021-03-04 03:17:43.311+0000 INFO ======== Neo4j 4.2.3 ========
2021-03-04 03:17:45.825+0000 INFO Sending metrics to CSV file at C:\neo4j-enterprise-4.2.3-windows\neo4j-enterprise-4.2.3\metrics
2021-03-04 03:17:45.860+0000 INFO Bolt enabled on 0.0.0.0:7617.
2021-03-04 03:17:46.818+0000 INFO Remote interface available at http://localhost:7414/
2021-03-04 03:17:46.819+0000 INFO Started.-
To confirm that the
dbms.max_databasesproperty has been set to16, execute the following command in the Neo4j Browser:
CALL dbms.listConfig() YIELD name, value WHERE name = 'dbms.max_databases' RETURN valueThe result would be 16.
Note that by default, the file permissions on the neo4j.conf would look as shown below.
All users such as Authenticated Users, SYSTEM, Administrators, Users, etc. will need to be removed.
Is this page helpful?