Dynamic configuration settings

Limit the number of IOs the background checkpoint process will consume per second. This setting is advisory, is ignored in Neo4j Community Edition, and is followed to best effort in Enterprise Edition. An IO is in this case a 8 KiB (mostly sequential) write. Limiting the write IO in this way will leave more bandwidth in the IO subsystem to service random-read IOs, which is important for the response time of queries when the database cannot fit entirely in memory. The only drawback of this setting is that longer checkpoint times may lead to slightly longer recovery times in case of a database or system crash. A lower number means lower IO pressure, and consequently longer checkpoint times. Set this to -1 to disable the IOPS limit and remove the limitation entirely; this will let the checkpointer flush data as fast as the hardware will go. Removing the setting, or commenting it out, will set the default value of 600.

db.checkpoint.iops.limit, an integer

true

Database format. This is the format that will be used for new databases. Valid values are standard, aligned, or high_limit.The aligned format is essentially the standard format with some minimal padding at the end of pages such that a single record will never cross a page boundary. The high_limit format is available for Enterprise Edition only. It is required if you have a graph that is larger than 34 billion nodes, 34 billion relationships, or 68 billion properties.

db.format, a string

true

The maximum time interval within which lock should be acquired. Zero (default) means timeout is disabled.

db.lock.acquisition.timeout, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s)

true

Log query text and parameters without obfuscating passwords. This allows queries to be logged earlier before parsing starts.

db.logs.query.early_raw_logging_enabled, a boolean

true

Log executed queries. Valid values are OFF, INFO, or VERBOSE.

Log entries are written to the query log.

This feature is available in the Neo4j Enterprise Edition.

db.logs.query.enabled, one of [OFF, INFO, VERBOSE]

true

Sets a maximum character length use for each parameter in the log. This only takes effect if db.logs.query.parameter_logging_enabled = true.

db.logs.query.max_parameter_length, an integer

true

Obfuscates all literals of the query before writing to the log. Note that node labels, relationship types and map property keys are still shown. Changing the setting will not affect queries that are cached. So, if you want the switch to have immediate effect, you must also call CALL db.clearQueryCaches().

db.logs.query.obfuscate_literals, a boolean

true

Log parameters for the executed queries being logged.

db.logs.query.parameter_logging_enabled, a boolean

true

Log query plan description table, useful for debugging purposes.

db.logs.query.plan_description_enabled, a boolean

true

If the execution of query takes more time than this threshold, the query is logged once completed - provided query logging is set to INFO. Defaults to 0 seconds, that is all queries are logged.

db.logs.query.threshold, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s)

true

Log the start and end of a transaction. Valid values are 'OFF', 'INFO', or 'VERBOSE'. OFF: no logging. INFO: log start and end of transactions that take longer than the configured threshold, db.logs.query.transaction.threshold. VERBOSE: log start and end of all transactions. Log entries are written to the query log. This feature is available in the Neo4j Enterprise Edition.

db.logs.query.transaction.enabled, one of [OFF, INFO, VERBOSE]

true

If the transaction is open for more time than this threshold, the transaction is logged once completed - provided transaction logging (db.logs.query.transaction.enabled) is set to INFO. Defaults to 0 seconds (all transactions are logged).

db.logs.query.transaction.threshold, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s)

true

Limit the amount of memory that a single transaction can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'largest possible value'.

db.memory.transaction.max, a byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) which is minimum 1.00MiB or is 0B

true

Limit the amount of memory that all transactions in one database can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'unlimited'.

db.memory.transaction.total.max, a byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) which is minimum 10.00MiB or is 0B

true

Enables or disables tracking of how much time a query spends actively executing on the CPU. Calling SHOW TRANSACTIONS will display the time. This can also be logged in the query log by using db.logs.query.time_logging_enabled.

db.track_query_cpu_time, a boolean

true

The maximum amount of time to wait for the database state represented by the bookmark.

db.transaction.bookmark_ready_timeout, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) which is minimum 1s

true

The maximum number of concurrently running transactions. If set to 0, limit is disabled.

db.transaction.concurrent.maximum, an integer

true

Transaction sampling percentage.

db.transaction.sampling.percentage, an integer which is in the range 1 to 100

true

The maximum time interval of a transaction within which it should be completed.

db.transaction.timeout, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s)

true

Transaction creation tracing level.

db.transaction.tracing.level, one of [DISABLED, SAMPLE, ALL]

true

Specify if Neo4j should try to preallocate logical log file in advance.

db.tx_log.preallocate, a boolean

true

Tell Neo4j how long logical transaction logs should be kept to backup the database.For example, "10 days" will prune logical logs that only contain transactions older than 10 days.Alternatively, "100k txs" will keep the 100k latest transactions from each database and prune any older transactions.

db.tx_log.rotation.retention_policy, a string which matches the pattern ^(true|keep_all|false|keep_none|(\d+[KkMmGg]?( (files|size|txs|entries|hours|days))))$ (Must be true or keep_all, false or keep_none, or of format <number><optional unit> <type>. Valid units are K, M and G. Valid types are files, size, txs, entries, hours and days. For example, 100M size will limit logical log space on disk to 100MB per database,and 200K txs will limit the number of transactions kept to 200 000 per database.)

true

Specifies at which file size the logical log will auto-rotate. Minimum accepted value is 128 KiB.

db.tx_log.rotation.size, a byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) which is minimum 128.00KiB

true

If set to true a textual representation of the plan description will be rendered on the server for all queries running with EXPLAIN or PROFILE. This allows clients such as the neo4j browser and Cypher shell to show a more detailed plan description.

dbms.cypher.render_plan_description, a boolean

true

Limit the amount of memory that all of the running transactions can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'unlimited'.

dbms.memory.transaction.total.max, a byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) which is minimum 10.00MiB or is 0B

true

Always use client side routing (regardless of the default router) for neo4j:// protocol connections to these domains. A comma separated list of domains. Wildcards (*) are supported.

dbms.routing.client_side.enforce_for_domains, a ',' separated set with elements of type 'a string'.

true

Enterprise onlyConfigure if the dbms.routing.getRoutingTable() procedure should include the writer as read endpoint or return only non-writers (non writer primaries and secondaries) Note: writer is returned as read endpoint if no other member is present all.

dbms.routing.reads_on_writers_enabled, a boolean

true

Enterprise onlyName of the 256 length AES encryption key, which is used for the symmetric encryption.

dbms.security.key.name, a string

true

Enterprise onlyPassword for accessing the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption.

dbms.security.keystore.password, a secure string

true

Enterprise onlyLocation of the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption of secrets held in system database.

dbms.security.keystore.path, a path

true

Enterprise onlyThe attribute to use when looking up users. Using this setting requires dbms.security.ldap.authentication.search_for_attribute to be true and thus dbms.security.ldap.authorization.system_username and dbms.security.ldap.authorization.system_password to be configured.

dbms.security.ldap.authentication.attribute, a string which matches the pattern [A-Za-z0-9-]* (has to be a valid LDAP attribute name, only containing letters [A-Za-z], digits [0-9] and hyphens [-].)

true

Enterprise onlyLDAP user DN template. An LDAP object is referenced by its distinguished name (DN), and a user DN is an LDAP fully-qualified unique user identifier. This setting is used to generate an LDAP DN that conforms with the LDAP directory’s schema from the user principal that is submitted with the authentication token when logging in. The special token {0} is a placeholder where the user principal will be substituted into the DN string.

dbms.security.ldap.authentication.user_dn_template, a string which Must be a string containing '{0}' to understand where to insert the runtime authentication principal.

true

Enterprise onlyThe LDAP group to which a user must belong to get any access to the system.Set this to restrict access to a subset of LDAP users belonging to a particular group. If this is not set, any user to successfully authenticate via LDAP will have access to the PUBLIC role and any other roles assigned to them via dbms.security.ldap.authorization.group_to_role_mapping.

dbms.security.ldap.authorization.access_permitted_group, a string

true

Enterprise onlyA list of attribute names on a user object that contains groups to be used for mapping to roles when LDAP authorization is enabled. This setting is ignored when dbms.ldap_authorization_nested_groups_enabled is true.

dbms.security.ldap.authorization.group_membership_attributes, a ',' separated list with elements of type 'a string'. which Can not be empty

true

Enterprise onlyAn authorization mapping from LDAP group names to Neo4j role names. The map should be formatted as a semicolon separated list of key-value pairs, where the key is the LDAP group name and the value is a comma separated list of corresponding role names. For example: group1=role1;group2=role2;group3=role3,role4,role5 You could also use whitespaces and quotes around group names to make this mapping more readable, for example:

dbms.security.ldap.authorization.group_to_role_mapping, a string which must be semicolon separated list of key-value pairs or empty

true

Enterprise onlyThis setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups). If set to true then instead of using attributes on the user object to determine group membership (as specified by dbms.security.ldap.authorization.group_membership_attributes), the user object will only be used to determine the user’s Distinguished Name, which will subsequently be used with dbms.security.ldap.authorization.user_search_filter in order to perform a nested group search. The Distinguished Names of the resultant group search results will be used to determine roles.

dbms.security.ldap.authorization.nested_groups_enabled, a boolean

true

Enterprise onlyThe search template which will be used to find the nested groups which the user is a member of. The filter should contain the placeholder token {0} which will be substituted with the user’s Distinguished Name (which is found for the specified user principle using dbms.security.ldap.authorization.user_search_filter). The default value specifies Active Directory’s LDAP_MATCHING_RULE_IN_CHAIN (aka 1.2.840.113556.1.4.1941) implementation which will walk the ancestry of group membership for the specified user.

dbms.security.ldap.authorization.nested_groups_search_filter, a string

true

Enterprise onlyThe name of the base object or named context to search for user objects when LDAP authorization is enabled. A common case is that this matches the last part of dbms.security.ldap.authentication.user_dn_template.

dbms.security.ldap.authorization.user_search_base, a string which Can not be empty

true

Enterprise onlyThe LDAP search filter to search for a user principal when LDAP authorization is enabled. The filter should contain the placeholder token {0} which will be substituted for the user principal.

dbms.security.ldap.authorization.user_search_filter, a string

true

Enterprise onlyExpected values of the Audience (aud) claim in the id token.

dbms.security.oidc.<provider>.audience, a ',' separated list with elements of type 'a string'. which Can not be empty

true

Enterprise onlyThe OIDC authorization endpoint. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

dbms.security.oidc.<provider>.auth_endpoint, a URI

true

Enterprise onlyThe OIDC flow to use. This is exposed to clients via the discovery endpoint. Supported values are pkce and implicit

dbms.security.oidc.<provider>.auth_flow, one of [PKCE, IMPLICIT]

true

Enterprise onlyOptional additional parameters that the auth endpoint requires. Please use params instead. The map is a semicolon separated list of key-value pairs. For example: k1=v1;k2=v2.

dbms.security.oidc.<provider>.auth_params, A simple key value map pattern k1=v1;k2=v2.

true

The dbms.security.oidc.<provider>.auth_params configuration setting has been deprecated.

Enterprise onlyAn authorization mapping from IdP group names to Neo4j role names. The map should be formatted as a semicolon separated list of key-value pairs, where the key is the IdP group name and the value is a comma separated list of corresponding role names. For example: group1=role1;group2=role2;group3=role3,role4,role5 You could also use whitespaces and quotes around group names to make this mapping more readable, for example:

dbms.security.oidc.<provider>.authorization.group_to_role_mapping, a string which must be semicolon separated list of key-value pairs or empty

true

Enterprise onlyThe claim to use as the list of groups in Neo4j. These could be Neo4J roles directly, or can be mapped using dbms.security.oidc.<provider>.authorization.group_to_role_mapping.

dbms.security.oidc.<provider>.claims.groups, a string

true

Enterprise onlyThe claim to use as the username in Neo4j. This would typically be sub, but in some situations it may be be desirable to use something else such as email.

dbms.security.oidc.<provider>.claims.username, a string

true

Enterprise onlyClient id needed if token contains multiple Audience (aud) claims.

dbms.security.oidc.<provider>.client_id, a string

true

Enterprise onlyThe accepted values (all optional) are:

dbms.security.oidc.<provider>.config, A simple key value map pattern k1=v1;k2=v2. Valid key options are: [principal, code_challenge_method, implicit_flow_requires_nonce, token_type_authentication, token_type_principal].

true

Enterprise onlyWhen turned on, Neo4j gets the groups from the provider user info endpoint.

dbms.security.oidc.<provider>.get_groups_from_user_info, a boolean

true

Enterprise onlyWhen turned on, Neo4j gets the username from the provider user info endpoint.

dbms.security.oidc.<provider>.get_username_from_user_info, a boolean

true

Enterprise onlyThe expected value of the iss claim in the id token. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

dbms.security.oidc.<provider>.issuer, a string

true

Enterprise onlyThe location of the JWK public key set for the identity provider. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

dbms.security.oidc.<provider>.jwks_uri, a URI

true

Enterprise onlyThe map is a semicolon separated list of key-value pairs. For example: k1=v1;k2=v2. The user should at least provide:

For example: client_id=my-client-id;response_type=code;scope=openid profile email.

dbms.security.oidc.<provider>.params, A simple key value map pattern k1=v1;k2=v2. Required key options are: [scope, client_id, response_type].

true

Enterprise onlyThe OIDC token endpoint. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

dbms.security.oidc.<provider>.token_endpoint, a URI

true

Enterprise onlyOptional query parameters that the token endpoint requires. The map is a semicolon separated list of key-value pairs. For example: k1=v1;k2=v2.If the token endpoint requires a client_secret then this parameter should contain client_secret=super-secret

dbms.security.oidc.<provider>.token_params, A simple key value map pattern k1=v1;k2=v2.

true

Enterprise onlyThe identity providers user info uri.

dbms.security.oidc.<provider>.user_info_uri, a URI

true

Enterprise onlyThe 'well known' OpenID Connect Discovery endpoint used to fetch identity provider settings. If not provided, issuer, jwks_uri, auth_endpoint should be present. If the auth_flow is pkce, token_endpoint should also be provided.

dbms.security.oidc.<provider>.well_known_discovery_uri, a URI

true

Enterprise onlyComma separated list of groups to be used by the connect-randomly-to-server-group selection strategy. The connect-randomly-to-server-group strategy is used if the list of strategies (server.cluster.catchup.upstream_strategy) includes the value connect-randomly-to-server-group.

server.cluster.catchup.connect_randomly_to_server_group, a ',' separated list with elements of type 'a string identifying a Server Tag'.

true

Whether or not any database on this instance are read_only by default. If false, individual databases may be marked as read_only using server.database.read_only. If true, individual databases may be marked as writable using server.databases.writable.

server.databases.default_to_read_only, a boolean

true

List of databases for which to prevent write queries. Databases not included in this list maybe read_only anyway depending upon the value of server.databases.default_to_read_only.

server.databases.read_only, a ',' separated set with elements of type 'A valid database name containing only alphabetic characters, numbers, dots and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name 'system''. which Value 'system' can’t be included in read only databases collection!

true

List of databases for which to allow write queries. Databases not included in this list will allow write queries anyway, unless server.databases.default_to_read_only is set to true.

server.databases.writable, a ',' separated set with elements of type 'A valid database name containing only alphabetic characters, numbers, dots and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name 'system''.

true

Enterprise onlyA list of tag names for the server used when configuring load balancing and replication policies.

server.groups, a ',' separated list with elements of type 'a string identifying a Server Tag'.

true

Page cache can be configured to use a temporal buffer for flushing purposes. It is used to combine, if possible, sequence of several cache pages into one bigger buffer to minimize the number of individual IOPS performed and better utilization of available I/O resources, especially when those are restricted.

server.memory.pagecache.flush.buffer.enabled, a boolean

true

Page cache can be configured to use a temporal buffer for flushing purposes. It is used to combine, if possible, sequence of several cache pages into one bigger buffer to minimize the number of individual IOPS performed and better utilization of available I/O resources, especially when those are restricted. Use this setting to configure individual file flush buffer size in pages (8KiB). To be able to utilize this buffer during page cache flushing, buffered flush should be enabled.

server.memory.pagecache.flush.buffer.size_in_pages, an integer which is in the range 1 to 512

true