Knowledge Base

Example of using the Command Expansion on Windows

The Command Expansion feature, introduced in Neo4j 4.2, is a security feature to avoid having configuration parameters being written in the neo4j.conf file in plain text.

The commands are executed within the child process by the user who owns and executes the Neo4j server. So, by definition, only the user running the Neo4j process/service would be able to use this feature.

The Command Expansion is very sensitive about the permissions assigned on the neo4j.conf file. If the permissions are not set appropriately, then Neo4j fails to start showing messages similar to:

Exception in thread "main" java.lang.IllegalArgumentException:
<NEO4J_HOME>/conf/neo4j.conf does not have the correct file permissions to evaluate commands.
        at org.neo4j.configuration.Config$Builder.validateFilePermissionForCommandExpansion(
        at org.neo4j.configuration.Config$
        at org.neo4j.server.NeoBootstrapper.start(
        at org.neo4j.server.NeoBootstrapper.start(
        at com.neo4j.server.enterprise.EnterpriseEntryPoint.main(
2021-03-03 16:56:23.880+0000 INFO  [c.n.s.e.EnterpriseBootstrapper] Neo4j Server shutdown initiated by request
2021-03-03 16:56:23.891+0000 INFO  [c.n.s.e.EnterpriseBootstrapper] Stopped.

That’s why the need for this article!

Moreover, the Neo4j documentation has provided examples for the Linux based installs, so here is a fun example (step-by-step) of using the Command Expansion on Windows:

  • Change the neo4j.conf file to have the following setting:

  • Create an environment variable:

  • Create a simple batch file my_setting.bat:

  • Change the permission on the neo4j.conf file to Read. Remove all user groups and user names except the user who owns and executes the Neo4j server. Refer to the picture below:


In the Linux world, this would be equivalent to r-- --- ---, which is done by:

$chmod 400 neo4j.conf
  • Start Neo4j using the following command -

C:\neo4j-enterprise-4.2.3-windows\neo4j-enterprise-4.2.3\bin>neo4j console --expand-commands

During the start, the console would show the following INFO messages:

2021-03-04 03:17:40.575+0000 INFO  Command expansion is explicitly enabled for configuration
2021-03-04 03:17:40.577+0000 INFO  Executing external script to retrieve value of setting dbms.max_databases
2021-03-04 03:17:40.579+0000 INFO  Starting...
2021-03-04 03:17:43.311+0000 INFO  ======== Neo4j 4.2.3 ========
2021-03-04 03:17:45.825+0000 INFO  Sending metrics to CSV file at C:\neo4j-enterprise-4.2.3-windows\neo4j-enterprise-4.2.3\metrics
2021-03-04 03:17:45.860+0000 INFO  Bolt enabled on
2021-03-04 03:17:46.818+0000 INFO  Remote interface available at http://localhost:7414/
2021-03-04 03:17:46.819+0000 INFO  Started.
  • To confirm that the dbms.max_databases property has been set to 16, execute the following command in the Neo4j Browser:

CALL dbms.listConfig() YIELD name, value WHERE name = 'dbms.max_databases' RETURN value

The result would be 16.

Note that by default, the file permissions on the neo4j.conf would look as shown below.


All users such as Authenticated Users, SYSTEM, Administrators, Users, etc. will need to be removed.