For higher security, GrapheneDB uses a custom authentication system to manage database connections. Much like Neo4j's built-in system, authentication is handled using a username/password combination.
With GrapheneDB, a Database User consists of a:
- Label to identify it among others
- Username, that is automatically generated based on the assigned label.
- Password, also automatically generated and only visible once upon creation.
This system allows you to:
All database users have read and write permissions.
After creating a new database, it will not accept any incoming connections, except for Neo4j Browser sessions launched from the database management interface, for which temporary users are created. Create a database user and store its username and password to connect your application, or CLI.
Add new users using the Create user button in the Database users section in the Connection tab.
A new window will be displayed:
Enter a label to identify the user and optionally set an expiration time. If the Expiration field is set to “Doesn’t expire”, a permanent user will be created. You can read more on temporary users here.
After submitting the form using the Create user button, the user will be created and its username and password displayed.
The password is only visible once in this step, so it should be copied and safely stored at this time. If the password can no longer be retrieved or is lost, the user should be deleted and a new one created.
Upon confirmation, the window will be closed and the new user will be visible in the Database users section.
Although you won’t be able to see the password again, you will find some useful information here:
- Created by: the GrapheneDB user that created the user, useful if you are using our team collaboration feature.
- Created: The date the user was created
- Last access: The last date the credentials were used to connect to the database
- Expires: Expiration date in case of a temporary user
When creating a database user, its username and password are automatically generated. For better security, passwords are stored encrypted and only visible once upon creation. Use View to retrieve the username for a database user
Because password are stored encrypted, it is not possible to retrieve the password at a moment other than upon creating the user. If a password is lost the user should be deleted and a new one created.
If credentials have been accidentally leaked, the user no longer necessary or someone with access to it left your team, it is a good idea to delete the database user.
You can do so by following the Drop next to the database user you want to remove in the Database users section in the Connection tab.
If the user is in use and you want to delete it, it is a good idea to create a new user first, update the credentials in your app and verify that the new connection is working correctly before proceeding.
There are cases where a connection is only needed temporarily, for instance:
- using the Neo4j Browser or CLI to run queries
- running short-lived scripts for reporting, migrating data or schema
In such cases temporary database users can be used. They expire automatically after a certain time, without the need to manually drop the user.
You can create a new temporary user by selecting an expiration time in the Create new user form.
After creation, the temporary user will appear in the database user list with its expiration date and a special icon for easy recognition.
When opening the Neo4j Browser from the database management interface, a new temporary user will be created. Read more.
Launching the Neo4j Browser through the link in Overview automatically creates a new temporary set of credentials that expires 1 hour after. A user is created every time the Neo4j Browser is accessed, even if a previously generated user has not yet expired.
After the temporary user expires, Neo4j Browser might display an authentication-related error. Should you want to continue using it, you will need to launch the Neo4j Browser again from Overview.
Temporary users are visible until they expire, can be audited from the Database users section and can be optionally dropped before they have automatically expired.
The new GrapheneDB database user authentication system will be rolled out in February 2017. All databases created after its release support only this new system. Please read more on how to manage database users here.
However, previously created databases will continue supporting legacy users indefinitely. Legacy users will be also displayed in the Database users section:
The legacy user will continue working, but for security reasons the password will not be displayed. If you have lost your password, please follow the steps below.
To improve the security of your database, we recommend that you to transition to the new database users system by following these steps:
- Create a new user
- Update your application to use the new username and password
- Verify that the application is connecting without issues using the new credentials
- Finally delete the Legacy user using the Drop link