Dynamic configuration settings

This page provides a complete reference to the Neo4j dynamic configuration settings, which can be changed at runtime, without restarting the service. This complete reference is a sub-list of all the Neo4j configuration settings.

Changes to the configuration at runtime are not persisted. To avoid losing changes when restarting Neo4j, make sure you update neo4j.conf as well.

In a clustered environment, CALL dbms.setConfigValue affects only the server it is run against, and it is not propagated to other members. If you want to change the configuration settings on all cluster members, you have to run the procedure against each of them and update their neo4j.conf file.

For more information on how to update dynamic configuration settings, see Update dynamic settings.

Table 1. Dynamic settings reference
Name Description

db.checkpoint.iops.limit

Limit the number of IOs the background checkpoint process will consume per second.

db.format

Database format.

db.lock.acquisition.timeout

The maximum time interval within which lock should be acquired.

db.logs.query.early_raw_logging_enabled

Log query text and parameters without obfuscating passwords.

db.logs.query.enabled

Log executed queries.

db.logs.query.max_parameter_length

Sets a maximum character length used for each parameter in the log.

db.logs.query.obfuscate_literals

Obfuscates all literals of the query before writing to the log.

db.logs.query.parameter_logging_enabled

Log parameters for the executed queries being logged.

db.logs.query.plan_description_enabled

Log query plan description table, useful for debugging purposes.

db.logs.query.threshold

If the execution of a query takes more time than this threshold, the query is logged once completed, provided query logging is set to INFO.

db.logs.query.transaction.enabled

Log the start and end of a transaction.

db.logs.query.transaction.threshold

If the transaction is open for more time than this threshold, the transaction is logged once completed - provided transaction logging (db.logs.query.transaction.enabled) is set to INFO.

db.memory.transaction.max

Limit the amount of memory that a single transaction can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g').

db.memory.transaction.total.max

Limit the amount of memory that all transactions in one database can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g').

db.track_query_cpu_time

Enables or disables tracking of how much time a query spends actively executing on the CPU.

db.transaction.bookmark_ready_timeout

The maximum amount of time to wait for the database state represented by the bookmark.

db.transaction.concurrent.maximum

The maximum number of concurrently running transactions.

db.transaction.sampling.percentage

Transaction sampling percentage.

db.transaction.timeout

The maximum time interval of a transaction within which it should be completed.

db.transaction.tracing.level

Transaction creation tracing level.

db.tx_log.preallocate

Specify if Neo4j should try to preallocate logical log file in advance.

db.tx_log.rotation.retention_policy

Tell Neo4j how long logical transaction logs should be kept to backup the database. For example, "10 days" will prune logical logs that only contain transactions older than 10 days. Alternatively, "100k txs" will keep the 100k latest transactions from each database and prune any older transactions.

db.tx_log.rotation.size

Specifies at which file size the logical log will auto-rotate.

dbms.cypher.render_plan_description

If set to true a textual representation of the plan description will be rendered on the server for all queries running with EXPLAIN or PROFILE.

dbms.memory.transaction.total.max

Limit the amount of memory that all of the running transactions can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g').

dbms.routing.client_side.enforce_for_domains

Always use client side routing (regardless of the default router) for neo4j:// protocol connections to these domains.

dbms.routing.reads_on_writers_enabled

Enterprise only. Configure if the dbms.routing.getRoutingTable() procedure should include the writer as a read endpoint or return only non-writers (non-writer primaries and secondaries). Note: the writer is returned as a read endpoint if no other member is present at all.

dbms.security.key.name

Enterprise only. Name of the 256 length AES encryption key, which is used for the symmetric encryption.

dbms.security.keystore.password

Enterprise only. Password for accessing the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption.

dbms.security.keystore.path

Enterprise only. Location of the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption of secrets held in the system database.

dbms.security.ldap.authentication.attribute

Enterprise only. The attribute to use when looking up users. Using this setting requires dbms.security.ldap.authentication.search_for_attribute to be true and thus dbms.security.ldap.authorization.system_username and dbms.security.ldap.authorization.system_password to be configured.

dbms.security.ldap.authentication.user_dn_template

Enterprise only. LDAP user DN template.

dbms.security.ldap.authorization.access_permitted_group

Enterprise only. The LDAP group to which a user must belong to get any access to the system. Set this to restrict access to a subset of LDAP users belonging to a particular group.

dbms.security.ldap.authorization.group_membership_attributes

Enterprise only. A list of attribute names on a user object that contains groups to be used for mapping to roles when LDAP authorization is enabled.

dbms.security.ldap.authorization.group_to_role_mapping

Enterprise only. An authorization mapping from LDAP group names to Neo4j role names.

dbms.security.ldap.authorization.nested_groups_enabled

Enterprise only. This setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups).

dbms.security.ldap.authorization.nested_groups_search_filter

Enterprise only. The search template which will be used to find the nested groups which the user is a member of.

dbms.security.ldap.authorization.user_search_base

Enterprise only. The name of the base object or named context to search for user objects when LDAP authorization is enabled.

dbms.security.ldap.authorization.user_search_filter

Enterprise only. The LDAP search filter to search for a user principal when LDAP authorization is enabled.

dbms.security.oidc.<provider>.audience

Enterprise only. Expected values of the Audience (aud) claim in the id token.

dbms.security.oidc.<provider>.auth_endpoint

Enterprise only. The OIDC authorization endpoint.

dbms.security.oidc.<provider>.auth_flow

Enterprise only. The OIDC flow to use.

dbms.security.oidc.<provider>.auth_params

Enterprise only. Optional additional parameters that the auth endpoint requires.

dbms.security.oidc.<provider>.authorization.group_to_role_mapping

Enterprise only. An authorization mapping from IdP group names to Neo4j role names.

dbms.security.oidc.<provider>.claims.groups

Enterprise only. The claim to use as the list of groups in Neo4j.

dbms.security.oidc.<provider>.claims.username

Enterprise only. The claim to use as the username in Neo4j.

dbms.security.oidc.<provider>.client_id

Enterprise only. Client id needed if the token contains multiple Audience (aud) claims.

dbms.security.oidc.<provider>.config

Enterprise only. The accepted values (all optional) are: principal: in which JWT claim the user's email address is specified; email is the default.

dbms.security.oidc.<provider>.get_groups_from_user_info

Enterprise only. When turned on, Neo4j gets the groups from the provider user info endpoint.

dbms.security.oidc.<provider>.get_username_from_user_info

Enterprise only. When turned on, Neo4j gets the username from the provider user info endpoint.

dbms.security.oidc.<provider>.issuer

Enterprise only. The expected value of the iss claim in the id token.

dbms.security.oidc.<provider>.jwks_uri

Enterprise only. The location of the JWK public key set for the identity provider.

dbms.security.oidc.<provider>.params

Enterprise only. The map is a semicolon separated list of key-value pairs.

dbms.security.oidc.<provider>.token_endpoint

Enterprise only. The OIDC token endpoint.

dbms.security.oidc.<provider>.token_params

Enterprise only. Optional query parameters that the token endpoint requires.

dbms.security.oidc.<provider>.user_info_uri

Enterprise only. The identity provider's user info URI.

dbms.security.oidc.<provider>.well_known_discovery_uri

Enterprise only. The 'well known' OpenID Connect Discovery endpoint used to fetch identity provider settings.

server.cluster.catchup.connect_randomly_to_server_group

Enterprise only. Comma separated list of groups to be used by the connect-randomly-to-server-group selection strategy.

server.databases.default_to_read_only

Whether or not any database on this instance is read_only by default.

server.databases.read_only

List of databases for which to prevent write queries.

server.databases.writable

List of databases for which to allow write queries.

server.groups

Enterprise only. A list of tag names for the server used when configuring load balancing and replication policies.

server.memory.pagecache.flush.buffer.enabled

The page cache can be configured to use a temporary buffer for flushing purposes.

server.memory.pagecache.flush.buffer.size_in_pages

The page cache can be configured to use a temporary buffer for flushing purposes.

Table 2. db.checkpoint.iops.limit

Description

Limit the number of IOs the background checkpoint process will consume per second. This setting is advisory, is ignored in Neo4j Community Edition, and is followed on a best-effort basis in Enterprise Edition. An IO is in this case an 8 KiB (mostly sequential) write. Limiting the write IO in this way will leave more bandwidth in the IO subsystem to service random-read IOs, which is important for the response time of queries when the database cannot fit entirely in memory. The only drawback of this setting is that longer checkpoint times may lead to slightly longer recovery times in case of a database or system crash. A lower number means lower IO pressure, and consequently longer checkpoint times. Set this to -1 to disable the IOPS limit entirely; this will let the checkpointer flush data as fast as the hardware will go. Removing the setting, or commenting it out, will set the default value of 600.

Valid values

db.checkpoint.iops.limit, an integer

Dynamic

true

Default value

600

Table 3. db.format

Description

Database format. This is the format that will be used for new databases. Valid values are standard, aligned, or high_limit. The aligned format is essentially the standard format with some minimal padding at the end of pages such that a single record will never cross a page boundary. The high_limit format is available for Enterprise Edition only. It is required if you have a graph that is larger than 34 billion nodes, 34 billion relationships, or 68 billion properties.

Valid values

db.format, a string

Dynamic

true

Default value

aligned

Table 4. db.lock.acquisition.timeout

Description

The maximum time interval within which a lock should be acquired. Zero (default) means the timeout is disabled.

Valid values

db.lock.acquisition.timeout, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s)

Dynamic

true

Default value

0s

Table 5. db.logs.query.early_raw_logging_enabled

Description

Log query text and parameters without obfuscating passwords. This allows queries to be logged earlier before parsing starts.

Valid values

db.logs.query.early_raw_logging_enabled, a boolean

Dynamic

true

Default value

false

Table 6. db.logs.query.enabled

Description

Log executed queries. Valid values are OFF, INFO, or VERBOSE.

OFF: no logging.

INFO: log queries that take longer than the configured threshold, db.logs.query.threshold, at the end of execution.

VERBOSE: log queries at the start and end of execution, regardless of db.logs.query.threshold.

Log entries are written to the query log.

This feature is available in the Neo4j Enterprise Edition.

Valid values

db.logs.query.enabled, one of [OFF, INFO, VERBOSE]

Dynamic

true

Default value

VERBOSE

Table 7. db.logs.query.max_parameter_length

Description

Sets a maximum character length used for each parameter in the log. This only takes effect if db.logs.query.parameter_logging_enabled = true.

Valid values

db.logs.query.max_parameter_length, an integer

Dynamic

true

Default value

2147483647

Table 8. db.logs.query.obfuscate_literals

Description

Obfuscates all literals of the query before writing to the log. Note that node labels, relationship types and map property keys are still shown. Changing the setting will not affect queries that are cached. So, if you want the switch to have immediate effect, you must also run CALL db.clearQueryCaches().

Valid values

db.logs.query.obfuscate_literals, a boolean

Dynamic

true

Default value

false
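As an added example (not part of the Neo4j documentation or product), the following Python audits a neo4j.conf fragment for the query-logging and transaction-limit settings on this page, so a reviewer can see which combination of db.logs.query.enabled, early_raw_logging_enabled, parameter_logging_enabled and obfuscate_literals lets unobfuscated parameters reach the query log. The defaults and the retention-policy pattern are taken from this page; parse_conf, audit and the two sample fragments are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Defaults as listed on this page; used when the key is absent from the file.
PAGE_DEFAULTS: Dict[str, str] = {
    "db.logs.query.enabled": "VERBOSE",
    "db.logs.query.early_raw_logging_enabled": "false",
    "db.logs.query.parameter_logging_enabled": "true",
    "db.logs.query.obfuscate_literals": "false",
    "db.transaction.timeout": "0s",
    "db.memory.transaction.max": "0B",
    "db.tx_log.rotation.retention_policy": "2 days",
}

# Pattern for db.tx_log.rotation.retention_policy, copied from this page.
RETENTION_RE = re.compile(
    r"^(true|keep_all|false|keep_none|"
    r"(\d+[KkMmGg]?( (files|size|txs|entries|hours|days))))$"
)

Finding = Tuple[str, str, str]  # (severity, setting, message)


def parse_conf(text: str) -> Dict[str, str]:
    """Minimal neo4j.conf reader: '#' comments, key=value lines and
    backslash-newline continuations. The last occurrence of a key wins."""
    settings: Dict[str, str] = {}
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def _is_zero(value: str) -> bool:
    """True for '0', '0s', '0B', '0ms' and so on: a zero with any (or no) unit."""
    return re.fullmatch(r"0+\s*[A-Za-zμ]*", value.strip()) is not None


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Apply the checks to the effective configuration (file values over page defaults)."""
    def get(key: str) -> str:
        return settings.get(key, PAGE_DEFAULTS.get(key, ""))

    findings: List[Finding] = []
    if get("db.logs.query.enabled").upper() != "OFF":
        # Query logging is on, so what reaches the log matters.
        if _is_true(get("db.logs.query.early_raw_logging_enabled")):
            findings.append(("high", "db.logs.query.early_raw_logging_enabled",
                             "query text and parameters are logged before password obfuscation"))
        if _is_true(get("db.logs.query.parameter_logging_enabled")) and \
                not _is_true(get("db.logs.query.obfuscate_literals")):
            findings.append(("medium", "db.logs.query.parameter_logging_enabled",
                             "parameters and literals reach the query log unobfuscated; "
                             "enable obfuscate_literals or disable parameter logging"))
    if _is_zero(get("db.transaction.timeout")):
        findings.append(("low", "db.transaction.timeout",
                         "0 disables the timeout, so a runaway transaction is never aborted"))
    if _is_zero(get("db.memory.transaction.max")):
        findings.append(("low", "db.memory.transaction.max",
                         "0 means 'largest possible value'; no per-transaction memory cap"))
    policy = get("db.tx_log.rotation.retention_policy")
    if not RETENTION_RE.match(policy):
        findings.append(("high", "db.tx_log.rotation.retention_policy",
                         f"{policy!r} does not match the documented pattern"))
    return findings


# Constructed sample fragments (not from any real deployment).
WEAK_CONF = """\
# logs every query with its raw parameters, before password obfuscation
db.logs.query.enabled=INFO
db.logs.query.early_raw_logging_enabled=true
db.logs.query.parameter_logging_enabled=true
db.tx_log.rotation.retention_policy=100 gigs
"""

HARDENED_CONF = """\
db.logs.query.enabled=INFO
db.logs.query.early_raw_logging_enabled=false
db.logs.query.parameter_logging_enabled=false
db.logs.query.obfuscate_literals=true
db.transaction.timeout=30s
db.memory.transaction.max=256m
db.tx_log.rotation.retention_policy=2 days
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(conf)))
```

Because the audit falls back to the page defaults, a file that omits db.logs.query.parameter_logging_enabled is still flagged: parameters are logged by default, and obfuscate_literals is off by default.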

Table 9. db.logs.query.parameter_logging_enabled

Description

Log parameters for the executed queries being logged.

Valid values

db.logs.query.parameter_logging_enabled, a boolean

Dynamic

true

Default value

true

Table 10. db.logs.query.plan_description_enabled

Description

Log query plan description table, useful for debugging purposes.

Valid values

db.logs.query.plan_description_enabled, a boolean

Dynamic

true

Default value

false

Table 11. db.logs.query.threshold

Description

If the execution of a query takes more time than this threshold, the query is logged once completed, provided query logging is set to INFO. Defaults to 0 seconds, that is, all queries are logged.

Valid values

db.logs.query.threshold, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s)

Dynamic

true

Default value

0s

Table 12. db.logs.query.transaction.enabled

Description

Log the start and end of a transaction. Valid values are 'OFF', 'INFO', or 'VERBOSE'. OFF: no logging. INFO: log start and end of transactions that take longer than the configured threshold, db.logs.query.transaction.threshold. VERBOSE: log start and end of all transactions. Log entries are written to the query log. This feature is available in the Neo4j Enterprise Edition.

Valid values

db.logs.query.transaction.enabled, one of [OFF, INFO, VERBOSE]

Dynamic

true

Default value

OFF

Table 13. db.logs.query.transaction.threshold

Description

If the transaction is open for more time than this threshold, the transaction is logged once completed - provided transaction logging (db.logs.query.transaction.enabled) is set to INFO. Defaults to 0 seconds (all transactions are logged).

Valid values

db.logs.query.transaction.threshold, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s)

Dynamic

true

Default value

0s

Table 14. db.memory.transaction.max

Description

Limit the amount of memory that a single transaction can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'largest possible value'.

Valid values

db.memory.transaction.max, a byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) which is minimum 1.00MiB or is 0B

Dynamic

true

Default value

0B

Table 15. db.memory.transaction.total.max

Description

Limit the amount of memory that all transactions in one database can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'unlimited'.

Valid values

db.memory.transaction.total.max, a byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) which is minimum 10.00MiB or is 0B

Dynamic

true

Default value

0B

Table 16. db.track_query_cpu_time

Description

Enables or disables tracking of how much time a query spends actively executing on the CPU. Calling SHOW TRANSACTIONS will display the time. This can also be logged in the query log by using db.logs.query.time_logging_enabled.

Valid values

db.track_query_cpu_time, a boolean

Dynamic

true

Default value

false

Table 17. db.transaction.bookmark_ready_timeout

Description

The maximum amount of time to wait for the database state represented by the bookmark.

Valid values

db.transaction.bookmark_ready_timeout, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s) which is minimum 1s

Dynamic

true

Default value

30s

Table 18. db.transaction.concurrent.maximum

Description

The maximum number of concurrently running transactions. If set to 0, the limit is disabled.

Valid values

db.transaction.concurrent.maximum, an integer

Dynamic

true

Default value

1000

Table 19. db.transaction.sampling.percentage

Description

Transaction sampling percentage.

Valid values

db.transaction.sampling.percentage, an integer which is in the range 1 to 100

Dynamic

true

Default value

5

Table 20. db.transaction.timeout

Description

The maximum time interval of a transaction within which it should be completed.

Valid values

db.transaction.timeout, a duration (Valid units are: ns, μs, ms, s, m, h and d; default unit is s)

Dynamic

true

Default value

0s

Table 21. db.transaction.tracing.level

Description

Transaction creation tracing level.

Valid values

db.transaction.tracing.level, one of [DISABLED, SAMPLE, ALL]

Dynamic

true

Default value

DISABLED

Table 22. db.tx_log.preallocate

Description

Specify if Neo4j should try to preallocate logical log file in advance.

Valid values

db.tx_log.preallocate, a boolean

Dynamic

true

Default value

true

Table 23. db.tx_log.rotation.retention_policy

Description

Tell Neo4j how long logical transaction logs should be kept to backup the database. For example, "10 days" will prune logical logs that only contain transactions older than 10 days. Alternatively, "100k txs" will keep the 100k latest transactions from each database and prune any older transactions.

Valid values

db.tx_log.rotation.retention_policy, a string which matches the pattern ^(true|keep_all|false|keep_none|(\d+[KkMmGg]?( (files|size|txs|entries|hours|days))))$ (Must be true or keep_all, false or keep_none, or of format <number><optional unit> <type>. Valid units are K, M and G. Valid types are files, size, txs, entries, hours and days. For example, 100M size will limit logical log space on disk to 100MB per database, and 200K txs will limit the number of transactions kept to 200 000 per database.)

Dynamic

true

Default value

2 days

Table 24. db.tx_log.rotation.size

Description

Specifies at which file size the logical log will auto-rotate. Minimum accepted value is 128 KiB.

Valid values

db.tx_log.rotation.size, a byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) which is minimum 128.00KiB

Dynamic

true

Default value

256.00MiB

Table 25. dbms.cypher.render_plan_description

Description

If set to true a textual representation of the plan description will be rendered on the server for all queries running with EXPLAIN or PROFILE. This allows clients such as the neo4j browser and Cypher shell to show a more detailed plan description.

Valid values

dbms.cypher.render_plan_description, a boolean

Dynamic

true

Default value

false

Table 26. dbms.memory.transaction.total.max

Description

Limit the amount of memory that all of the running transactions can consume, in bytes (or kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g'). Zero means 'unlimited'.

Valid values

dbms.memory.transaction.total.max, a byte size (valid multipliers are B, KiB, KB, K, kB, kb, k, MiB, MB, M, mB, mb, m, GiB, GB, G, gB, gb, g, TiB, TB, PiB, PB, EiB, EB) which is minimum 10.00MiB or is 0B

Dynamic

true

Default value

0B

Table 27. dbms.routing.client_side.enforce_for_domains

Description

Always use client side routing (regardless of the default router) for neo4j:// protocol connections to these domains. A comma separated list of domains. Wildcards (*) are supported.

Valid values

dbms.routing.client_side.enforce_for_domains, a ',' separated set with elements of type 'a string'.

Dynamic

true

Default value

Table 28. dbms.routing.reads_on_writers_enabled

Description

Enterprise only. Configure if the dbms.routing.getRoutingTable() procedure should include the writer as a read endpoint or return only non-writers (non-writer primaries and secondaries). Note: the writer is returned as a read endpoint if no other member is present at all.

Valid values

dbms.routing.reads_on_writers_enabled, a boolean

Dynamic

true

Default value

false

Table 29. dbms.security.key.name

Description

Enterprise only. Name of the 256 length AES encryption key, which is used for the symmetric encryption.

Valid values

dbms.security.key.name, a string

Dynamic

true

Default value

aesKey

Table 30. dbms.security.keystore.password

Description

Enterprise only. Password for accessing the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption.

Valid values

dbms.security.keystore.password, a secure string

Dynamic

true

Table 31. dbms.security.keystore.path

Description

Enterprise only. Location of the keystore holding a 256 length AES encryption key, which is used for the symmetric encryption of secrets held in the system database.

Valid values

dbms.security.keystore.path, a path

Dynamic

true

Table 32. dbms.security.ldap.authentication.attribute

Description

Enterprise only. The attribute to use when looking up users. Using this setting requires dbms.security.ldap.authentication.search_for_attribute to be true and thus dbms.security.ldap.authorization.system_username and dbms.security.ldap.authorization.system_password to be configured.

Valid values

dbms.security.ldap.authentication.attribute, a string which matches the pattern [A-Za-z0-9-]* (has to be a valid LDAP attribute name, only containing letters [A-Za-z], digits [0-9] and hyphens [-].)

Dynamic

true

Default value

samaccountname

Table 33. dbms.security.ldap.authentication.user_dn_template

Description

Enterprise only. LDAP user DN template. An LDAP object is referenced by its distinguished name (DN), and a user DN is an LDAP fully-qualified unique user identifier. This setting is used to generate an LDAP DN that conforms with the LDAP directory's schema from the user principal that is submitted with the authentication token when logging in. The special token {0} is a placeholder where the user principal will be substituted into the DN string.

Valid values

dbms.security.ldap.authentication.user_dn_template, a string which must contain '{0}' to mark where the runtime authentication principal is inserted.

Dynamic

true

Default value

uid={0},ou=users,dc=example,dc=com

Table 34. dbms.security.ldap.authorization.access_permitted_group

Description

Enterprise only. The LDAP group to which a user must belong to get any access to the system. Set this to restrict access to a subset of LDAP users belonging to a particular group. If this is not set, any user who successfully authenticates via LDAP will have access to the PUBLIC role and any other roles assigned to them via dbms.security.ldap.authorization.group_to_role_mapping.

Valid values

dbms.security.ldap.authorization.access_permitted_group, a string

Dynamic

true

Default value

Table 35. dbms.security.ldap.authorization.group_membership_attributes

Description

Enterprise only. A list of attribute names on a user object that contains groups to be used for mapping to roles when LDAP authorization is enabled. This setting is ignored when dbms.ldap_authorization_nested_groups_enabled is true.

Valid values

dbms.security.ldap.authorization.group_membership_attributes, a ',' separated list with elements of type 'a string', which cannot be empty

Dynamic

true

Default value

memberOf

Table 36. dbms.security.ldap.authorization.group_to_role_mapping

Description

Enterprise only. An authorization mapping from LDAP group names to Neo4j role names. The map should be formatted as a semicolon separated list of key-value pairs, where the key is the LDAP group name and the value is a comma separated list of corresponding role names. For example: group1=role1;group2=role2;group3=role3,role4,role5. You could also use whitespace and quotes around group names to make this mapping more readable, for example:

dbms.security.ldap.authorization.group_to_role_mapping=\
         "cn=Neo4j Read Only,cn=users,dc=example,dc=com"      = reader;    \
         "cn=Neo4j Read-Write,cn=users,dc=example,dc=com"     = publisher; \
         "cn=Neo4j Schema Manager,cn=users,dc=example,dc=com" = architect; \
         "cn=Neo4j Administrator,cn=users,dc=example,dc=com"  = admin

Valid values

dbms.security.ldap.authorization.group_to_role_mapping, a string which must be semicolon separated list of key-value pairs or empty

Dynamic

true

Default value

Table 37. dbms.security.ldap.authorization.nested_groups_enabled

Description

Enterprise only. This setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups). If set to true then instead of using attributes on the user object to determine group membership (as specified by dbms.security.ldap.authorization.group_membership_attributes), the user object will only be used to determine the user's Distinguished Name, which will subsequently be used with dbms.security.ldap.authorization.user_search_filter in order to perform a nested group search. The Distinguished Names of the resultant group search results will be used to determine roles.

Valid values

dbms.security.ldap.authorization.nested_groups_enabled, a boolean

Dynamic

true

Default value

false

Table 38. dbms.security.ldap.authorization.nested_groups_search_filter

Description

Enterprise only. The search template which will be used to find the nested groups which the user is a member of. The filter should contain the placeholder token {0} which will be substituted with the user's Distinguished Name (which is found for the specified user principal using dbms.security.ldap.authorization.user_search_filter). The default value specifies Active Directory's LDAP_MATCHING_RULE_IN_CHAIN (aka 1.2.840.113556.1.4.1941) implementation which will walk the ancestry of group membership for the specified user.

Valid values

dbms.security.ldap.authorization.nested_groups_search_filter, a string

Dynamic

true

Default value

(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))

Table 39. dbms.security.ldap.authorization.user_search_base

Description

Enterprise only. The name of the base object or named context to search for user objects when LDAP authorization is enabled. A common case is that this matches the last part of dbms.security.ldap.authentication.user_dn_template.

Valid values

dbms.security.ldap.authorization.user_search_base, a string which cannot be empty

Dynamic

true

Default value

ou=users,dc=example,dc=com

Table 40. dbms.security.ldap.authorization.user_search_filter

Description

Enterprise only. The LDAP search filter to search for a user principal when LDAP authorization is enabled. The filter should contain the placeholder token {0} which will be substituted for the user principal.

Valid values

dbms.security.ldap.authorization.user_search_filter, a string

Dynamic

true

Default value

(&(objectClass=*)(uid={0}))

Table 41. dbms.security.oidc.<provider>.audience

Description

Enterprise only. Expected values of the Audience (aud) claim in the id token.

Valid values

dbms.security.oidc.<provider>.audience, a ',' separated list with elements of type 'a string', which cannot be empty

Dynamic

true

Table 42. dbms.security.oidc.<provider>.auth_endpoint

Description

Enterprise only. The OIDC authorization endpoint. If this is not supplied, Neo4j will attempt to discover it from the well_known_discovery_uri.

Valid values

dbms.security.oidc.<provider>.auth_endpoint, a URI

Dynamic

true

Table 43. dbms.security.oidc.<provider>.auth_flow

Description

Enterprise only. The OIDC flow to use. This is exposed to clients via the discovery endpoint. Supported values are pkce and implicit.

Valid values

dbms.security.oidc.<provider>.auth_flow, one of [PKCE, IMPLICIT]

Dynamic

true

Default value

PKCE

Table 44. dbms.security.oidc.<provider>.auth_params

Description

Enterprise only. Optional additional parameters that the auth endpoint requires. Please use params instead. The map is a semicolon separated list of key-value pairs. For example: k1=v1;k2=v2.

Valid values

dbms.security.oidc.<provider>.auth_params, A simple key value map pattern k1=v1;k2=v2.

Dynamic

true

Default value

{}

Deprecated

The dbms.security.oidc.<provider>.auth_params configuration setting has been deprecated.

Table 45. dbms.security.oidc.<provider>.authorization.group_to_role_mapping

Description

Enterprise only. An authorization mapping from IdP group names to Neo4j role names. The map should be formatted as a semicolon separated list of key-value pairs, where the key is the IdP group name and the value is a comma separated list of corresponding role names. For example: group1=role1;group2=role2;group3=role3,role4,role5. You could also use whitespace and quotes around group names to make this mapping more readable, for example:

dbms.security.oidc.<provider>.authorization.group_to_role_mapping=\
         "Neo4j Read Only"      = reader;    \
         "Neo4j Read-Write"     = publisher; \
         "Neo4j Schema Manager" = architect; \
         "Neo4j Administrator"  = admin

Valid values

dbms.security.oidc.<provider>.authorization.group_to_role_mapping, a string which must be semicolon separated list of key-value pairs or empty

Dynamic

true
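The mapping format is the same for the LDAP setting (Table 36) and this OIDC setting, so one added example serves both: a Python parser for the semicolon separated key-value format, including the quoted, whitespace-padded, backslash-continued form shown above, plus two lookups a reviewer needs (which roles a user's groups grant, and which groups grant a sensitive role such as admin). This is illustrative code, not Neo4j's own parser; parse_group_to_role_mapping, roles_for_groups and groups_granting are hypothetical names, and the sample inputs are the examples from the descriptions above.

```python
import re
from typing import Dict, Iterable, List, Set

# A key is either a double-quoted string (may contain commas, '=' and spaces,
# as an LDAP DN does) or a bare token with no quotes, '=', ';' or whitespace.
# An unquoted DN would be split at its first '=', so DNs must be quoted.
_PAIR_RE = re.compile(r'^\s*(?:"([^"]*)"|([^"=;\s]+))\s*=\s*(.*?)\s*$')


def parse_group_to_role_mapping(value: str) -> Dict[str, List[str]]:
    """Parse 'group1=role1;group2=role2,role3' into {'group1': ['role1'], ...}.

    Backslash-newline continuations (the neo4j.conf form shown above) are
    joined first. Quoted group names keep their inner text verbatim. An empty
    string yields an empty mapping; a malformed pair, empty group name or
    empty role name raises ValueError.
    """
    joined = value.replace("\\\n", "")
    mapping: Dict[str, List[str]] = {}
    for raw_pair in joined.split(";"):
        if not raw_pair.strip():
            continue  # tolerate a trailing ';' or a blank continuation line
        match = _PAIR_RE.match(raw_pair)
        if not match:
            raise ValueError(f"malformed pair: {raw_pair.strip()!r}")
        group = match.group(1) if match.group(1) is not None else match.group(2)
        roles = [r.strip() for r in match.group(3).split(",")]
        if not group or any(not r for r in roles):
            raise ValueError(f"empty group or role in pair: {raw_pair.strip()!r}")
        bucket = mapping.setdefault(group, [])
        for role in roles:
            if role not in bucket:  # a group listed twice merges without duplicates
                bucket.append(role)
    return mapping


def roles_for_groups(mapping: Dict[str, List[str]], groups: Iterable[str]) -> Set[str]:
    """Union of the roles granted by the groups a directory or IdP returned
    for a user. Groups with no mapping grant nothing."""
    granted: Set[str] = set()
    for group in groups:
        granted.update(mapping.get(group, []))
    return granted


def groups_granting(mapping: Dict[str, List[str]], role: str) -> List[str]:
    """Groups that grant a given role, e.g. to review who ends up with 'admin'."""
    return sorted(g for g, roles in mapping.items() if role in roles)


# Constructed sample inputs: the two forms shown in the descriptions above.
COMPACT_MAPPING = "group1=role1;group2=role2;group3=role3,role4,role5"
LDAP_CONF_VALUE = (
    '"cn=Neo4j Read Only,cn=users,dc=example,dc=com"      = reader;    \\\n'
    '"cn=Neo4j Read-Write,cn=users,dc=example,dc=com"     = publisher; \\\n'
    '"cn=Neo4j Schema Manager,cn=users,dc=example,dc=com" = architect; \\\n'
    '"cn=Neo4j Administrator,cn=users,dc=example,dc=com"  = admin'
)

if __name__ == "__main__":
    ldap = parse_group_to_role_mapping(LDAP_CONF_VALUE)
    print(groups_granting(ldap, "admin"))
    print(roles_for_groups(parse_group_to_role_mapping(COMPACT_MAPPING), ["group1", "group3"]))
```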

Table 46. dbms.security.oidc.<provider>.claims.groups

Description

Enterprise only. The claim to use as the list of groups in Neo4j. These could be Neo4j roles directly, or can be mapped using dbms.security.oidc.<provider>.authorization.group_to_role_mapping.

Valid values

dbms.security.oidc.<provider>.claims.groups, a string

Dynamic

true

Table 47. dbms.security.oidc.<provider>.claims.username

Description

Enterprise only. The claim to use as the username in Neo4j. This would typically be sub, but in some situations it may be desirable to use something else such as email.

Valid values

dbms.security.oidc.<provider>.claims.username, a string

Dynamic

true

Default value

sub

Table 48. dbms.security.oidc.<provider>.client_id

Description

Enterprise only. Client id needed if the token contains multiple Audience (aud) claims.

Valid values

dbms.security.oidc.<provider>.client_id, a string

Dynamic

true

Table 49. dbms.security.oidc.<provider>.config

Description

Enterprise only. The accepted values (all optional) are:

  principal: in which JWT claim the user's email address is specified,
             email is the default. This is the value that will be shown in browser.
  code_challenge_method: default is `S256` and it's the only supported method
                         at this moment. This setting applies only for pkce auth flow
  token_type_principal: the options are almost always either access_token,
                        which is the default, or id_token.
  token_type_authentication: the options are almost always either access_token,
                             which is the default, or id_token.
  implicit_flow_requires_nonce: true or false. Defaults to false.

Valid values

dbms.security.oidc.<provider>.config, A simple key value map pattern k1=v1;k2=v2. Valid key options are: [principal, code_challenge_method, implicit_flow_requires_nonce, token_type_authentication, token_type_principal].

Dynamic

true

Default value

{}

Table 50. dbms.security.oidc.<provider>.get_groups_from_user_info

Description

Enterprise onlyWhen turned on, Neo4j gets the groups from the identity provider's user info endpoint (see dbms.security.oidc.<provider>.user_info_uri).

Valid values

dbms.security.oidc.<provider>.get_groups_from_user_info, a boolean

Dynamic

true

Default value

false

Table 51. dbms.security.oidc.<provider>.get_username_from_user_info

Description

Enterprise onlyWhen turned on, Neo4j gets the username from the identity provider's user info endpoint (see dbms.security.oidc.<provider>.user_info_uri).

Valid values

dbms.security.oidc.<provider>.get_username_from_user_info, a boolean

Dynamic

true

Default value

false

Table 52. dbms.security.oidc.<provider>.issuer

Description

Enterprise onlyThe expected value of the iss claim in the id token. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

Valid values

dbms.security.oidc.<provider>.issuer, a string

Dynamic

true

Table 53. dbms.security.oidc.<provider>.jwks_uri

Description

Enterprise onlyThe location of the JWK public key set for the identity provider. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

Valid values

dbms.security.oidc.<provider>.jwks_uri, a URI

Dynamic

true

Table 54. dbms.security.oidc.<provider>.params

Description

Enterprise onlyThe map is a semicolon-separated list of key-value pairs, for example k1=v1;k2=v2. The user should provide at least:

  client_id: the SSO IdP client identifier.
  response_type: code if auth_flow is pkce, or token for the implicit auth_flow.
  scope: often a subset of 'email profile openid groups'.

For example: client_id=my-client-id;response_type=code;scope=openid profile email.

Valid values

dbms.security.oidc.<provider>.params, A simple key value map pattern k1=v1;k2=v2. Required key options are: [scope, client_id, response_type].

Dynamic

true

Default value

{}

Table 55. dbms.security.oidc.<provider>.token_endpoint

Description

Enterprise onlyThe OIDC token endpoint. If this is not supplied Neo4j will attempt to discover it from the well_known_discovery_uri.

Valid values

dbms.security.oidc.<provider>.token_endpoint, a URI

Dynamic

true

Table 56. dbms.security.oidc.<provider>.token_params

Description

Enterprise onlyOptional query parameters that the token endpoint requires. The map is a semicolon-separated list of key-value pairs, for example k1=v1;k2=v2. If the token endpoint requires a client_secret, this parameter should contain client_secret=super-secret.

Valid values

dbms.security.oidc.<provider>.token_params, A simple key value map pattern k1=v1;k2=v2.

Dynamic

true

Default value

{}

Table 57. dbms.security.oidc.<provider>.user_info_uri

Description

Enterprise onlyThe identity provider's user info URI.

Valid values

dbms.security.oidc.<provider>.user_info_uri, a URI

Dynamic

true

Table 58. dbms.security.oidc.<provider>.well_known_discovery_uri

Description

Enterprise onlyThe 'well known' OpenID Connect Discovery endpoint used to fetch identity provider settings. If it is not provided, issuer, jwks_uri and auth_endpoint should be present; if the auth_flow is pkce, token_endpoint should also be provided.

Valid values

dbms.security.oidc.<provider>.well_known_discovery_uri, a URI

Dynamic

true

Table 59. server.cluster.catchup.connect_randomly_to_server_group

Description

Enterprise onlyComma separated list of groups to be used by the connect-randomly-to-server-group selection strategy. The connect-randomly-to-server-group strategy is used if the list of strategies (server.cluster.catchup.upstream_strategy) includes the value connect-randomly-to-server-group.

Valid values

server.cluster.catchup.connect_randomly_to_server_group, a ',' separated list with elements of type 'a string identifying a Server Tag'.

Dynamic

true

Default value

Table 60. server.databases.default_to_read_only

Description

Whether any database on this instance is read-only by default. If false, individual databases may be marked as read-only using server.databases.read_only. If true, individual databases may be marked as writable using server.databases.writable.

Valid values

server.databases.default_to_read_only, a boolean

Dynamic

true

Default value

false

Table 61. server.databases.read_only

Description

List of databases for which to prevent write queries. Databases not included in this list may be read-only anyway, depending on the value of server.databases.default_to_read_only.

Valid values

server.databases.read_only, a ',' separated set with elements of type 'A valid database name containing only alphabetic characters, numbers, dots and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name 'system''. The value 'system' cannot be included in the read-only databases collection.

Dynamic

true

Default value

Table 62. server.databases.writable

Description

List of databases for which to allow write queries. Databases not included in this list will allow write queries anyway, unless server.databases.default_to_read_only is set to true.

Valid values

server.databases.writable, a ',' separated set with elements of type 'A valid database name containing only alphabetic characters, numbers, dots and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name 'system''.

Dynamic

true

Default value
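
Tables 60 to 62 describe three settings that interact. The following is an added example, not Neo4j code, that models the effective read-only status of a database under server.databases.default_to_read_only, server.databases.read_only and server.databases.writable, applying the name rules quoted in Tables 61 and 62. Database names are constructed, and the rule that an explicit server.databases.read_only entry wins over server.databases.writable when both list the same database is this model's assumption; the page does not say.

```python
"""Added example (not Neo4j code): effective read-only status under
server.databases.default_to_read_only, server.databases.read_only and
server.databases.writable, with the name rules the tables above state."""
import re

# alphabetic start, then letters/digits/dots/dashes, 3 to 63 characters in total
DB_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9.-]{2,62}$")


def parse_db_set(value, forbid_system):
    """Parse the ',' separated set and apply the documented name constraints."""
    names = {n.strip() for n in value.split(",") if n.strip()}
    for name in sorted(names):
        if not DB_NAME.match(name):
            raise ValueError(f"invalid database name {name!r}")
        if forbid_system and name == "system":
            raise ValueError("'system' cannot be included in the read-only databases collection")
    return names


def validation_errors(read_only, writable):
    """Collect the errors the two list settings would raise, at most one per setting."""
    errors = []
    for value, forbid in ((read_only, True), (writable, False)):
        try:
            parse_db_set(value, forbid)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def is_read_only(db, default_to_read_only, read_only, writable):
    """Assumption of this model: an explicit read_only entry wins; otherwise the
    default applies unless the database is listed as writable."""
    if db in parse_db_set(read_only, forbid_system=True):
        return True
    if default_to_read_only:
        return db not in parse_db_set(writable, forbid_system=False)
    return False
```

Because all three settings are dynamic, a check like validation_errors run before CALL dbms.setConfigValue catches a rejected value (a name with an underscore, or 'system' in the read-only list) without bouncing the server.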

Table 63. server.groups

Description

Enterprise onlyA list of tag names for the server used when configuring load balancing and replication policies.

Valid values

server.groups, a ',' separated list with elements of type 'a string identifying a Server Tag'.

Dynamic

true

Default value

Table 64. server.memory.pagecache.flush.buffer.enabled

Description

The page cache can be configured to use a temporary buffer for flushing. Where possible, it combines a sequence of several cache pages into one larger buffer to minimize the number of individual IOPS performed and to make better use of the available I/O resources, especially when those are restricted.

Valid values

server.memory.pagecache.flush.buffer.enabled, a boolean

Dynamic

true

Default value

false

Table 65. server.memory.pagecache.flush.buffer.size_in_pages

Description

The page cache can be configured to use a temporary buffer for flushing. Where possible, it combines a sequence of several cache pages into one larger buffer to minimize the number of individual IOPS performed and to make better use of the available I/O resources, especially when those are restricted. Use this setting to configure the per-file flush buffer size in pages (8 KiB each). The buffer is only used during page cache flushing if buffered flush (server.memory.pagecache.flush.buffer.enabled) is enabled.

Valid values

server.memory.pagecache.flush.buffer.size_in_pages, an integer which is in the range 1 to 512

Dynamic

true

Default value

128