This section describes how to use allow listing to ensure the security of custom-written additions in Neo4j.
Neo4j can be extended by writing custom code which can be invoked directly from Cypher, as described in Java Reference → Procedures and functions. This section describes how to ensure the security of these additions.
Allow listing can be used to allow the loading of only a few extensions from a larger library.
The configuration setting dbms.security.procedures.allowlist is used to name certain procedures that should be available from a library.
It defines a comma-separated list of procedures that are to be loaded.
The list may contain both fully qualified procedure names and partial names with the wildcard *.
In this example we wish to allow the use of the method apoc.load.json as well as all the methods under apoc.coll.
We do not want to make available any additional extensions from the apoc library, other than the ones matching these criteria.
# Example allow listing
dbms.security.procedures.allowlist=apoc.coll.*,apoc.load.*
There are a few things that should be noted about dbms.security.procedures.allowlist:
If using this setting, no extensions other than those listed will be loaded. In particular, if it is set to the empty string, no extensions will be loaded.
The default of the setting is *. This means that if you do not explicitly give it a value (or no value), all libraries in the plugins directory will be loaded.
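The following audit script is an added example, not code from the Neo4j documentation or code base. It reports which installed procedures a given neo4j.conf would load, and shows that the apoc.load.* entry above admits every procedure under apoc.load, not only apoc.load.json. Assumptions: * matches any run of characters, matching is case-sensitive, the setting appears at most once in the file, and the procedure names are a constructed sample.

```python
import re

SETTING = "dbms.security.procedures.allowlist"
DEFAULT = "*"  # default stated on the page: everything in the plugins directory loads

def read_allowlist(conf_text):
    """Return the allowlist patterns found in neo4j.conf text."""
    value = DEFAULT
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == SETTING:
            value = val.strip()  # assumption: the setting appears at most once
    # An empty value yields an empty list, i.e. nothing is loaded.
    return [p.strip() for p in value.split(",") if p.strip()]

def is_allowed(name, patterns):
    """True if name matches one pattern; '*' means 'any characters' (assumption)."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, name):
            return True
    return False

def audit(conf_text, installed):
    """Map each installed procedure name to whether the config would load it."""
    patterns = read_allowlist(conf_text)
    return {name: is_allowed(name, patterns) for name in installed}

# Constructed sample: names a plugin library might expose.
INSTALLED = ["apoc.coll.sum", "apoc.load.json", "apoc.load.xml", "apoc.cypher.run"]

PAGE_CONF = "# Example allow listing\ndbms.security.procedures.allowlist=apoc.coll.*,apoc.load.*\n"
EMPTY_CONF = "dbms.security.procedures.allowlist=\n"
UNSET_CONF = "# no allowlist line, so the default applies\n"

if __name__ == "__main__":
    for label, conf in [("page", PAGE_CONF), ("empty", EMPTY_CONF), ("unset", UNSET_CONF)]:
        loaded = [n for n, ok in audit(conf, INSTALLED).items() if ok]
        print(f"{label}: loaded={loaded}")
```

To restrict loading to apoc.load.json alone, list that fully qualified name instead of apoc.load.* and re-run the audit against the edited file.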