Question

I wish to implement security on the data contained in a Neo4j database down to the level of individual nodes and/or relationships.

Most data will be available to all users but some data will be restricted by user role. I can add either properties or labels to the data that I wish to restrict.

I want to allow users to run custom cypher queries against the data but hide any data that the user isn't authorised to see.

If I have to do something from the outside then not only do I have to filter the results returned but I also have to parse and either restrict or modify all queries that are run against the data to prevent a user from writing a query which acted on data that they aren't allowed to view.

The ideal solution would be if there is a low-level hook that allows intercepting the reads of nodes and relationships BEFORE a cypher query acts on those records. The interceptor would perform the security checks and if they fail then it would behave as though the node or relationship didn't exist at all. i.e. the same cypher query would have different results depending on who ran it. And this would apply to all possible queries e.g. count(n) not just those that returned the nodes/relationships.

Can something like this be done? If it's not supported already, is there a suitable place in the code that I could add such a security filter or would it require many code changes?

Thanks, Damon


Solution

As Chris stated, it's certainly not trivial on database level, but if you're looking for a solution on application level, you might have a look at Structr, a framework on top of and tightly integrated with Neo4j.

It provides node-level security based on ACLs, with users, groups, and different access levels. The security in Structr is implemented on the lowest level possible, f.e. we only instantiate objects if the querying user has the appropriate access rights.

All higher access levels like REST API and UI see only the records available in the user's context.

[1] http://structr.org, https://github.com/structr/structr
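The following is an added illustration, not code from the question, from Neo4j, or from Structr. It simulates a small property graph in memory and contrasts the two approaches the thread discusses: filtering result rows after a query has run (which cannot touch an aggregate such as `count(n)`, so the true count leaks) versus building the querying user's view of the graph before the query is evaluated, the "only instantiate what the user may see" approach the answer describes. The `restricted_to` attribute, the role names and the sample nodes are all constructed for the example.

```python
"""Per-user graph visibility, simulated in memory (added example, not Neo4j or Structr code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    id: int
    label: str
    restricted_to: Optional[str] = None   # role required to see this node; None = public


@dataclass(frozen=True)
class Rel:
    start: int
    end: int
    type: str
    restricted_to: Optional[str] = None   # role required to see this relationship


@dataclass(frozen=True)
class Graph:
    nodes: tuple
    rels: tuple


def visible(roles: frozenset, element) -> bool:
    """Authorisation check for a single node or relationship."""
    return element.restricted_to is None or element.restricted_to in roles


def user_view(graph: Graph, roles: frozenset) -> Graph:
    """Pre-query filter: the graph exactly as this user is allowed to see it.
    A relationship is dropped if it is restricted itself or if either endpoint is
    hidden, so no query can reach a hidden node by traversing an edge."""
    nodes = tuple(n for n in graph.nodes if visible(roles, n))
    ids = {n.id for n in nodes}
    rels = tuple(r for r in graph.rels
                 if visible(roles, r) and r.start in ids and r.end in ids)
    return Graph(nodes, rels)


# --- two toy "Cypher" queries, written as plain functions over a Graph ---

def count_label(graph: Graph, label: str) -> int:
    """MATCH (n:<label>) RETURN count(n)"""
    return sum(1 for n in graph.nodes if n.label == label)


def neighbours(graph: Graph, node_id: int) -> list:
    """MATCH (a)-[r]->(b) WHERE id(a) = node_id RETURN type(r), id(b)"""
    return sorted((r.type, r.end) for r in graph.rels if r.start == node_id)


# --- the two enforcement strategies ---

def query_post_filter(graph: Graph, roles: frozenset, query, *args):
    """Run the query on the full graph, then drop result rows that name a hidden id.
    The filter only understands rows shaped like (type, id); an aggregate such as
    count(n) is a bare number, so nothing can be removed and the true count leaks."""
    result = query(graph, *args)
    if isinstance(result, int):
        return result  # the aggregate already saw the hidden nodes
    hidden = {n.id for n in graph.nodes if not visible(roles, n)}
    return [row for row in result if row[1] not in hidden]


def query_pre_filter(graph: Graph, roles: frozenset, query, *args):
    """Evaluate the same query against the user's view: every query, aggregates
    included, yields a different result depending on who runs it."""
    return query(user_view(graph, roles), *args)


# Constructed sample data: node 3 is only visible to holders of the "auditor" role.
SAMPLE = Graph(
    nodes=(Node(1, "Person"), Node(2, "Person"), Node(3, "Person", restricted_to="auditor")),
    rels=(Rel(1, 2, "KNOWS"), Rel(2, 3, "KNOWS")),
)
PUBLIC = frozenset()
AUDITOR = frozenset({"auditor"})

if __name__ == "__main__":
    for name, roles in (("public user", PUBLIC), ("auditor", AUDITOR)):
        print(name,
              "| post-filter count:", query_post_filter(SAMPLE, roles, count_label, "Person"),
              "| pre-filter count:", query_pre_filter(SAMPLE, roles, count_label, "Person"),
              "| neighbours of 2:", query_pre_filter(SAMPLE, roles, neighbours, 2))
```

Running it shows the public user getting a count of 3 under post-filtering but 2 under the pre-filtered view, and an empty neighbour list for node 2 because the edge into the hidden node is gone together with the node. In a real deployment the equivalent of `user_view` has to sit below every query path (REST, UI, ad hoc Cypher), which is why the answer points at a framework that does it at object instantiation time rather than at the result set.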

Licensed under: CC-BY-SA with attribution