Command expansion
Command expansion provides an additional capability to configure Neo4j by allowing you to specify scripts that set values sourced from external files. This is especially useful for:
- avoiding setting sensitive information, such as usernames, passwords, keys, etc., in the neo4j.conf file in plain text.
- handling the configuration settings of instances running in environments where the file system is not accessible.
How it works
The scripts are specified in the neo4j.conf file with a $ prefix and the script to execute within brackets (), i.e., dbms.setting=$(script_to_execute).
The configuration accepts any command that can be executed within a child process by the user who owns and executes the Neo4j server.
This also means that, in the case of Neo4j set as a service, the commands are executed within the service.
A generic example would be:
neo4j.configuration.example=$(/bin/bash echo "expanded value")
When the server starts with command expansion enabled and finds such a setting in the neo4j.conf file, Neo4j evaluates the script and retrieves the values of the configuration settings before the Neo4j instance is instantiated. The values are then passed to the starting Neo4j instance and kept in memory in the running instance.
| You can also use the  | 
Scripts are run by the Neo4j process and are expected to exit with code 0 within a reasonable time.
The script output should be of a valid type for the setting.
Failure to do so prevents Neo4j from starting.
| Scripts and their syntax differ between operating systems. | 
Enabling
To enable command expansion, you must add the --expand-commands argument to the Neo4j startup script or neo4j.service file.
Starting Neo4j with command expansion
To start Neo4j with command expansion enabled, you can use the following command:
bin/neo4j start --expand-commands
Enabling command expansion in Neo4j as a service
If you are using Neo4j as a service, you can enable command expansion by adding the --expand-commands argument to the /etc/systemd/system/neo4j.service file.
Otherwise, the commands in the configuration file are treated as invalid settings.
You must also add Type=forking under the [Service] section of /etc/systemd/system/neo4j.service to allow for the command expansion.
[Service]
Type=forking
Security checks
Neo4j performs the following basic security checks on the neo4j.conf file. If they fail, Neo4j does not evaluate the script commands in neo4j.conf, and the Neo4j process does not start.
- On Unix (both Linux and Mac OS)
  - The neo4j.conf and neo4j-admin.conf files must, at most, be readable or writable by their owner and readable by the user-group to which the owner belongs. The neo4j-admin.conf file is a configuration file located in the same directory as the neo4j.conf file. You can use the neo4j-admin.conf file to provide administration-task-specific settings.
  - The Neo4j process must run as a user who is either the owner of the neo4j.conf file or in the user-group which owns the neo4j.conf file.
| The Linux permissions bitmask for the least restrictive permissions is  | 
- On Windows
  - The neo4j.conf and neo4j-admin.conf files must, at most, be readable/modifiable but not executable by the owner only.
| The owner may have the following permissions from the Access Control List (ACL): 
 | 
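A pre-flight check for the Unix rules above, written as an added example (it is not Neo4j's own code). It reports any mode bits beyond owner read/write and group read, checks that the given user owns the file or belongs to its group, and lists each setting=$(command) line so the commands can be reviewed before the server starts. The sample configuration, the setting names other than the page's generic example, and the CONF_TO_CHECK variable are constructed for illustration; neo4j-admin.conf can be checked with the same function.

```python
import os
import re
import stat

# Most permissive mode the Unix rule allows: owner read/write plus group read.
ALLOWED_BITS = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP
# Matches setting=$(command); commented-out lines are skipped.
EXPANSION = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*\$\((.*)\)\s*$")

# Constructed sample configuration (the first setting is the page's generic example).
SAMPLE_CONF = '''\
neo4j.configuration.example=$(/bin/bash echo "expanded value")
# neo4j.configuration.disabled=$(/bin/cat /tmp/ignored)
neo4j.configuration.plain=literal value
'''


def permission_problems(path, uid=None, gids=None):
    """Return the reasons `path` would fail the Unix checks (empty list = pass)."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getegid()} if gids is None else set(gids)
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    extra = mode & ~ALLOWED_BITS
    if extra:
        problems.append(f"{path}: mode {mode:04o} grants disallowed bits {extra:04o}")
    if st.st_uid != uid and st.st_gid not in gids:
        problems.append(f"{path}: uid {uid} is not the owner or in the owning group")
    return problems


def expanded_settings(text):
    """Return (setting, command) pairs for every line that uses $(...)."""
    return [m.groups() for m in map(EXPANSION.match, text.splitlines()) if m]


if __name__ == "__main__":
    conf = os.environ.get("CONF_TO_CHECK", "neo4j.conf")  # hypothetical variable
    for problem in permission_problems(conf):
        print("FAIL", problem)
    with open(conf, encoding="utf-8") as fh:
        for setting, command in expanded_settings(fh.read()):
            print(f"{setting} will run: {command}")
```

Run it as the account that starts Neo4j, so that the default uid and group set match the ones the server will use.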
Logging
The execution of scripts is logged in neo4j.log. For each setting that requires the execution of an external command, Neo4j adds an entry into the log file that contains information, for example:
… Executing the external script to retrieve the value of <setting>...
Error Handling
The scripts' execution may generate two types of errors:
- Errors during the execution — These errors are reported in the debug.log, with a code returned from the external execution. In this case, the execution stops and the server does not start.
- Errors for incorrect values — The returned value is not the one expected for the setting. In this case, the server does not start.
For more information, see Exit codes.