Neo4j provides a native auth provider that stores user and role information in the system database. To synchronize the user base, you will have to manually propagate users by creating the same accounts on each server in the cluster.
SECollab will not work if its Neo4j user "secollab" is not the same on each server in the cluster.
By default, there is only one user on a Neo4j database. It has the "admin" role, and its credentials are "neo4j" for the login and "neo4j" for the password. This account cannot be used until its default password has been changed. To change it, we will use the command-line utility "neo4j-admin".
neo4j-admin set-initial-password aV3ryChall3ngingPassw0rd
Changed password for user 'neo4j'
Related documentation is available in section 4.4 of the pdf (or online).
SECollab needs an account with the "architect" role to work. To create a user, we will use the cypher-shell client to connect to the Neo4j database and run user management queries (the cypher-shell tool is available in the NEO4J_HOME/bin directory of the Neo4j installation folder). To do this, follow these instructions:
NEO4J_HOME/bin/cypher-shell --database system --address bolt+s://localhost:7687 --username neo4j --password aV3ryChall3ngingPassw0rd --encryption true
Refer to the official documentation to use the proper protocol.
Connected to Neo4j using Bolt protocol version 4.4 at bolt://localhost:7687 as user neo4j.
Type :help for a list of available commands or :exit to exit the shell.
Note that Cypher queries must end with a semicolon.
neo4j@system>
neo4j@system> CREATE USER secollab SET password "an0therDifficultP4ssw0rd" CHANGE NOT REQUIRED;
0 rows
ready to start consuming query after 215 ms, results consumed after another 0 ms
All passwords are encrypted (hashed) when stored in the Neo4j system database
neo4j@system> GRANT ROLE architect TO secollab;
0 rows
ready to start consuming query after 9 ms, results consumed after another 0 ms
neo4j@system> SHOW USERS;
+----------------------------------------------------------------------------------+
| user       | roles                   | passwordChangeRequired | suspended | home |
+----------------------------------------------------------------------------------+
| "neo4j"    | ["admin", "PUBLIC"]     | FALSE                  | FALSE     | NULL |
| "secollab" | ["architect", "PUBLIC"] | FALSE                  | FALSE     | NULL |
+----------------------------------------------------------------------------------+
2 rows
ready to start consuming query after 3 ms, results consumed after another 2 ms
With the same method, you can create a new user, give them the "admin" role, and delete the "neo4j" user that is present by default in a Neo4j installation.
For more information, see section 11 of the pdf documentation (or online).
For more information about the Cypher syntax and user management, see section 25.2 of The Neo4j Cypher Manual pdf documentation (or online).
For authorization of network flows, see section 4.3 of the pdf documentation (or online).
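The user-creation steps above, repeated on every server of the cluster and checked afterwards, as an added example that is not part of the SECollab or Neo4j documentation. The host names, the SECOLLAB_PASSWORD variable and the CYPHER_SHELL override are assumptions; the admin credentials are expected in the NEO4J_USERNAME and NEO4J_PASSWORD environment variables, which cypher-shell reads itself, and the statements are sent on standard input, so no password appears on a command line or in the shell history.

```shell
#!/bin/sh
# Added example: create the "secollab" account identically on each cluster
# server and confirm its role, without any password in argv.
# Assumptions (not from the page): host names given by the caller, the
# SECOLLAB_PASSWORD variable, and admin credentials exported beforehand as
# NEO4J_USERNAME / NEO4J_PASSWORD for cypher-shell to pick up.
CYPHER_SHELL="${CYPHER_SHELL:-cypher-shell}"

# Escape backslashes and double quotes for a double-quoted Cypher string.
cypher_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the page's two statements; IF NOT EXISTS lets a re-run succeed and
# leaves an already existing account (and its password) untouched.
secollab_cypher() {
  printf 'CREATE USER secollab IF NOT EXISTS SET PASSWORD "%s" CHANGE NOT REQUIRED;\n' \
    "$(cypher_quote "$1")"
  printf 'GRANT ROLE architect TO secollab;\n'
}

# Run statements read from stdin against the system database of one server
# (scheme and port as in the page's command).
run_on() {
  "$CYPHER_SHELL" --database system --address "bolt+s://$1:7687" --format plain
}

# Succeeds only if secollab exists on the server and holds the architect role.
has_architect() {
  printf 'SHOW USERS YIELD user, roles WHERE user = "secollab";\n' |
    run_on "$1" | grep -q '"architect"'
}

# Usage: provision_cluster host1 host2 ...   (non-zero if any server fails)
provision_cluster() {
  : "${SECOLLAB_PASSWORD:?export SECOLLAB_PASSWORD first}"
  rc=0
  for host in "$@"; do
    if secollab_cypher "$SECOLLAB_PASSWORD" | run_on "$host" >/dev/null &&
       has_architect "$host"; then
      echo "$host: secollab present with role architect"
    else
      echo "$host: FAILED" >&2
      rc=1
    fi
  done
  return "$rc"
}
```

Because an existing account is left as it is, a server where "secollab" was created earlier with a different password still passes the role check; compare logins separately if that is a possibility.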
Some details: