|
| 1 | +[[neo4j-conf-expand-commands]] |
| 2 | += Command expansion |
| 3 | +:description: Command expansion provides an additional capability to configure Neo4j by allowing you to specify scripts that set values sourced from external files. |
| 4 | +:page-aliases: configuration/neo4j-conf.adoc#neo4j-conf-expand-commands |
| 5 | + |
| 6 | +Command expansion provides an additional capability to configure Neo4j by allowing you to specify scripts that set values sourced from external files. |
| 7 | +This is especially useful for: |
| 8 | + |
| 9 | +* avoiding setting sensitive information, such as usernames, passwords, keys, etc., in the _neo4j.conf_ file in plain text. |
| 10 | +* handling the configuration settings of instances running in environments where the file system is not accessible. |
| 11 | + |
| 12 | +== How it works |
| 13 | + |
| 14 | +The scripts are specified in the _neo4j.conf_ file with a `$` prefix and the script to execute within brackets (), i.e., `dbms.setting=$(script_to_execute)`. + |
| 15 | +The configuration accepts any command that can be executed within a child process by the user who owns and executes the Neo4j server. |
| 16 | +This also means that, in the case of Neo4j set as a service, the commands are executed within the service. |
| 17 | + |
| 18 | +A generic example would be: |
| 19 | + |
| 20 | +[source, role=nocopy] |
| 21 | +---- |
| 22 | +neo4j.configuration.example=$(/bin/bash echo "expanded value") |
| 23 | +---- |
| 24 | + |
| 25 | +By providing such a configuration in the _neo4j.conf_ file upon server start with command expansion enabled, Neo4j evaluates the script and retrieves the value of the configuration settings prior to the instantiation of Neo4j. |
| 26 | +The values are then passed to the starting Neo4j instance and kept in memory, in the running instance. |
| 27 | + |
| 28 | +[NOTE] |
| 29 | +==== |
| 30 | +You can also use the `curl` (https://curl.se/docs/manpage.html) command to fetch a token or value for a configuration setting. |
| 31 | +For example, you can apply an extra level of security by replacing any sensitive information in your _neo4j.conf_ file with a secured reference to a provider of some sort. |
| 32 | +==== |
| 33 | + |
| 34 | +Scripts are run by the Neo4j process and are expected to exit with code `0` within a reasonable time. |
| 35 | +The script output should be of a valid type for the setting. |
| 36 | +Failure to do so prevents Neo4j from starting. |
| 37 | + |
| 38 | +[NOTE] |
| 39 | +==== |
| 40 | +Scripts and their syntax differ between operating systems. |
| 41 | +==== |
| 42 | + |
| 43 | +== Enabling |
| 44 | + |
| 45 | +The Neo4j startup script and the `neo4j` service can expand and execute the external commands by using the argument `--expand-commands`. |
| 46 | + |
| 47 | +[source, shell] |
| 48 | +---- |
| 49 | +bin/neo4j start --expand-commands |
| 50 | +---- |
| 51 | + |
| 52 | +If the startup script does not receive the `--expand-commands` argument, commands in the configuration file are treated as invalid settings. |
| 53 | + |
| 54 | +Neo4j performs the following basic security checks on the _neo4j.conf_ file. |
| 55 | +If they fail, Neo4j does not evaluate the script commands in _neo4j.conf_, and the Neo4j process does not start. |
| 56 | + |
| 57 | +On Unix (both Linux and Mac OS):: |
| 58 | + |
| 59 | +* The _neo4j.conf_ file must, at least, be readable by its owner or by the user-group to which the owner belongs. |
| 60 | +* The Neo4j process must run as a user who is either the owner of the _neo4j.conf_ file or in the user-group which owns the _neo4j.conf_ file. |
| 61 | + |
| 62 | +[NOTE] |
| 63 | +==== |
| 64 | +The Linux permissions bitmask for the least restrictive permissions is `640`. |
| 65 | +More restrictive Linux permissions are also allowed. |
| 66 | +For example, the _neo4j.conf_ file can have no group permissions and only be readable by its owner (`400` bitmask). |
| 67 | +==== |
| 68 | + |
| 69 | +On Windows:: |
| 70 | + |
| 71 | +* The _neo4j.conf_ file must, at least, be readable by the user that the Neo4j process runs as. |
| 72 | + |
| 73 | +== Logging |
| 74 | + |
| 75 | +The execution of scripts is logged in _neo4j.log_. |
| 76 | +For each setting that requires the execution of an external command, Neo4j adds an entry into the log file that contains information, for example: |
| 77 | + |
| 78 | +[source, role=noheader] |
| 79 | +---- |
| 80 | +… Executing the external script to retrieve the value of <setting>... |
| 81 | +---- |
| 82 | + |
| 83 | +== Error Handling |
| 84 | + |
| 85 | +The scripts' execution may generate two types of errors: |
| 86 | + |
| 87 | +* Errors during the execution -- These errors are reported in the _debug.log_, with a code returned from the external execution. |
| 88 | +In this case, the execution stops and the server does not start. |
| 89 | + |
| 90 | +* Errors for incorrect values -- The returned value is not the one expected for the setting. |
| 91 | +In this case, the server does not start. |
| 92 | + |
| 93 | +For more information, see xref:tools/neo4j-admin.adoc#neo4j-admin-exit-codes[Exit codes]. |
0 commit comments