Last active
June 22, 2021 15:16
-
-
Save davidfauth/103f381cdc354445c8c0ccd6902a0546 to your computer and use it in GitHub Desktop.
Neo4j 4.3.0 Fabric with Aura
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #***************************************************************** | |
| # Neo4j configuration | |
| # | |
| # For more details and a complete list of settings, please see | |
| # https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/ | |
| #***************************************************************** | |
| # The name of the default database. | |
| #dbms.default_database=neo4j | |
| # Paths of directories in the installation. | |
| #dbms.directories.data=data | |
| #dbms.directories.plugins=plugins | |
| #dbms.directories.logs=logs | |
| #dbms.directories.lib=lib | |
| #dbms.directories.run=run | |
| #dbms.directories.licenses=licenses | |
| #dbms.directories.metrics=metrics | |
| #dbms.directories.transaction.logs.root=data/transactions | |
| #dbms.directories.dumps.root=data/dumps | |
| # This setting constrains all `LOAD CSV` import files to be under the `import` directory. Remove or comment it out to | |
| # allow files to be loaded from anywhere in the filesystem; this introduces possible security problems. See the | |
| # `LOAD CSV` section of the manual for details. | |
| dbms.directories.import=import | |
| # Whether requests to Neo4j are authenticated. | |
| # To disable authentication, uncomment this line | |
| #dbms.security.auth_enabled=false | |
| # Enable this to be able to upgrade a store from an older version. | |
| #dbms.allow_upgrade=true | |
| # Number of databases in Neo4j is limited. | |
| # To change this limit please uncomment and adapt following setting: | |
| # dbms.max_databases=100 | |
| # Enable online backups to be taken from this database. | |
| #dbms.backup.enabled=true | |
| # By default the backup service will only listen on localhost. | |
| # To enable remote backups you will have to bind to an external | |
| # network interface (e.g. 0.0.0.0 for all interfaces). | |
| # The protocol running varies depending on deployment. In a Causal Clustering environment this is the | |
| # same protocol that runs on causal_clustering.transaction_listen_address. | |
| #dbms.backup.listen_address=0.0.0.0:6362 | |
| #******************************************************************** | |
| # Memory Settings | |
| #******************************************************************** | |
| # | |
| # Memory settings are specified kilobytes with the 'k' suffix, megabytes with | |
| # 'm' and gigabytes with 'g'. | |
| # If Neo4j is running on a dedicated server, then it is generally recommended | |
| # to leave about 2-4 gigabytes for the operating system, give the JVM enough | |
| # heap to hold all your transaction state and query context, and then leave the | |
| # rest for the page cache. | |
| # Java Heap Size: by default the Java heap size is dynamically calculated based | |
| # on available system resources. Uncomment these lines to set specific initial | |
| # and maximum heap size. | |
| #dbms.memory.heap.initial_size=512m | |
| #dbms.memory.heap.max_size=512m | |
| # The amount of memory to use for mapping the store files. | |
| # The default page cache memory assumes the machine is dedicated to running | |
| # Neo4j, and is heuristically set to 50% of RAM minus the Java heap size. | |
| #dbms.memory.pagecache.size=10g | |
| # Limit the amount of memory that all of the running transaction can consume. | |
| # By default there is no limit. | |
| #dbms.memory.transaction.global_max_size=256m | |
| # Limit the amount of memory that a single transaction can consume. | |
| # By default there is no limit. | |
| #dbms.memory.transaction.max_size=16m | |
| # Transaction state location. It is recommended to use ON_HEAP. | |
| dbms.tx_state.memory_allocation=ON_HEAP | |
| #***************************************************************** | |
| # Network connector configuration | |
| #***************************************************************** | |
| # With default configuration Neo4j only accepts local connections. | |
| # To accept non-local connections, uncomment this line: | |
| dbms.default_listen_address=0.0.0.0 | |
| # You can also choose a specific network interface, and configure a non-default | |
| # port for each connector, by setting their individual listen_address. | |
| # The address at which this server can be reached by its clients. This may be the server's IP address or DNS name, or | |
| # it may be the address of a reverse proxy which sits in front of the server. This setting may be overridden for | |
| # individual connectors below. | |
| #dbms.default_advertised_address=localhost | |
| # You can also choose a specific advertised hostname or IP address, and | |
| # configure an advertised port for each connector, by setting their | |
| # individual advertised_address. | |
| # By default, encryption is turned off. | |
| # To turn on encryption, an ssl policy for the connector needs to be configured | |
| # Read more in SSL policy section in this file for how to define a SSL policy. | |
| # Bolt connector | |
| dbms.connector.bolt.enabled=true | |
| dbms.connector.bolt.tls_level=REQUIRED | |
| dbms.connector.bolt.listen_address=:15687 | |
| dbms.connector.bolt.advertised_address=:15687 | |
| # HTTP Connector. There can be zero or one HTTP connectors. | |
| dbms.connector.http.enabled=true | |
| #dbms.connector.http.listen_address=:7474 | |
| #dbms.connector.http.advertised_address=:7474 | |
| # HTTPS Connector. There can be zero or one HTTPS connectors. | |
| dbms.connector.https.enabled=true | |
| dbms.connector.https.listen_address=:15473 | |
| dbms.connector.https.advertised_address=:15473 | |
| # Cluster Routing Connector. Enables the opening of an additional port to allow | |
| # for internal communication using the same security configuration as CLUSTER | |
| #dbms.routing.enabled=false | |
| # Customize the listen address and advertised address used for the routing connector. | |
| dbms.routing.listen_address=0.0.0.0:7688 | |
| dbms.routing.advertised_address=:7688 | |
| # Number of Neo4j worker threads. | |
| #dbms.threads.worker_count= | |
| #***************************************************************** | |
| # SSL policy configuration | |
| #***************************************************************** | |
| # Each policy is configured under a separate namespace, e.g. | |
| # dbms.ssl.policy.<scope>.* | |
| # <scope> can be any of 'bolt', 'https', 'cluster' or 'backup' | |
| # | |
| # The scope is the name of the component where the policy will be used | |
| # Each component where the use of an ssl policy is desired needs to declare at least one setting of the policy. | |
| # Allowable values are 'bolt', 'https', 'cluster' or 'backup'. | |
| # E.g if bolt and https connectors should use the same policy, the following could be declared | |
| # dbms.ssl.policy.bolt.base_directory=certificates/default | |
| # dbms.ssl.policy.https.base_directory=certificates/default | |
| # However, it's strongly encouraged to not use the same key pair for multiple scopes. | |
| # | |
| # N.B: Note that a connector must be configured to support/require | |
| # SSL/TLS for the policy to actually be utilized. | |
| # | |
| # see: dbms.connector.*.tls_level | |
| # SSL settings (dbms.ssl.policy.<scope>.*) | |
| # .base_directory Base directory for SSL policies paths. All relative paths within the | |
| # SSL configuration will be resolved from the base dir. | |
| # | |
| # .private_key A path to the key file relative to the '.base_directory'. | |
| # | |
| # .private_key_password The password for the private key. | |
| # | |
| # .public_certificate A path to the public certificate file relative to the '.base_directory'. | |
| # | |
| # .trusted_dir A path to a directory containing trusted certificates. | |
| # | |
| # .revoked_dir Path to the directory with Certificate Revocation Lists (CRLs). | |
| # | |
| # .verify_hostname If true, the server will verify the hostname that the client uses to connect with. In order | |
| # for this to work, the server public certificate must have a valid CN and/or matching | |
| # Subject Alternative Names. | |
| # | |
| # .client_auth How the client should be authorized. Possible values are: 'none', 'optional', 'require'. | |
| # | |
| # .tls_versions A comma-separated list of allowed TLS versions. By default only TLSv1.2 is allowed. | |
| # | |
| # .trust_all Setting this to 'true' will ignore the trust truststore, trusting all clients and servers. | |
| # Use of this mode is discouraged. It would offer encryption but no security. | |
| # | |
| # .ciphers A comma-separated list of allowed ciphers. The default ciphers are the defaults of | |
| # the JVM platform. | |
| # Bolt SSL configuration | |
| #dbms.ssl.policy.bolt.enabled=true | |
| #dbms.ssl.policy.bolt.base_directory=certificates/bolt | |
| #dbms.ssl.policy.bolt.private_key=private.key | |
| #dbms.ssl.policy.bolt.public_certificate=public.crt | |
| #dbms.ssl.policy.bolt.client_auth=NONE | |
| # Https SSL configuration | |
| #dbms.ssl.policy.https.enabled=true | |
| #dbms.ssl.policy.https.base_directory=certificates/https | |
| #dbms.ssl.policy.https.private_key=private.key | |
| #dbms.ssl.policy.https.public_certificate=public.crt | |
| #dbms.ssl.policy.https.client_auth=NONE | |
| # Cluster SSL configuration | |
| #dbms.ssl.policy.cluster.enabled=true | |
| #dbms.ssl.policy.cluster.base_directory=certificates/cluster | |
| #dbms.ssl.policy.cluster.private_key=private.key | |
| #dbms.ssl.policy.cluster.public_certificate=public.crt | |
| # Backup SSL configuration | |
| #dbms.ssl.policy.backup.enabled=true | |
| #dbms.ssl.policy.backup.base_directory=certificates/backup | |
| #dbms.ssl.policy.backup.private_key=private.key | |
| #dbms.ssl.policy.backup.public_certificate=public.crt | |
| #***************************************************************** | |
| # Logging configuration | |
| #***************************************************************** | |
| # To enable HTTP logging, uncomment this line | |
| #dbms.logs.http.enabled=true | |
| # Number of HTTP logs to keep. | |
| #dbms.logs.http.rotation.keep_number=5 | |
| # Size of each HTTP log that is kept. | |
| #dbms.logs.http.rotation.size=20m | |
| # To enable GC Logging, uncomment this line | |
| #dbms.logs.gc.enabled=true | |
| # GC Logging Options | |
| # see https://docs.oracle.com/en/java/javase/11/tools/java.html#GUID-BE93ABDC-999C-4CB5-A88B-1994AAAC74D5 | |
| #dbms.logs.gc.options=-Xlog:gc*,safepoint,age*=trace | |
| # Number of GC logs to keep. | |
| #dbms.logs.gc.rotation.keep_number=5 | |
| # Size of each GC log that is kept. | |
| #dbms.logs.gc.rotation.size=20m | |
| # Log level for the debug log. One of DEBUG, INFO, WARN and ERROR. Be aware that logging at DEBUG level can be very verbose. | |
| #dbms.logs.debug.level=INFO | |
| # Size threshold for rotation of the debug log. If set to zero then no rotation will occur. Accepts a binary suffix "k", | |
| # "m" or "g". | |
| #dbms.logs.debug.rotation.size=20m | |
| # Maximum number of history files for the internal log. | |
| #dbms.logs.debug.rotation.keep_number=7 | |
| # Log executed queries. One of OFF, INFO and VERBOSE. INFO logs queries longer than a given threshold, VERBOSE logs start and end of all queries. | |
| #dbms.logs.query.enabled=VERBOSE | |
| # If the execution of query takes more time than this threshold, the query is logged. If set to zero then all queries | |
| # are logged. Only used if `dbms.logs.query.enabled` is set to INFO | |
| #dbms.logs.query.threshold=0 | |
| # The file size in bytes at which the query log will auto-rotate. If set to zero then no rotation will occur. Accepts a | |
| # binary suffix "k", "m" or "g". | |
| #dbms.logs.query.rotation.size=20m | |
| # Maximum number of history files for the query log. | |
| #dbms.logs.query.rotation.keep_number=7 | |
| # Include parameters for the executed queries being logged (this is enabled by default). | |
| #dbms.logs.query.parameter_logging_enabled=true | |
| # Uncomment this line to include detailed time information for the executed queries being logged: | |
| #dbms.logs.query.time_logging_enabled=true | |
| # Uncomment this line to include bytes allocated by the executed queries being logged: | |
| #dbms.logs.query.allocation_logging_enabled=true | |
| # Uncomment this line to include page hits and page faults information for the executed queries being logged: | |
| #dbms.logs.query.page_logging_enabled=true | |
| # The security log is always enabled when `dbms.security.auth_enabled=true`, and resides in `logs/security.log`. | |
| # Log level for the security log. One of DEBUG, INFO, WARN and ERROR. | |
| #dbms.logs.security.level=INFO | |
| # Threshold for rotation of the security log. | |
| #dbms.logs.security.rotation.size=20m | |
| # Minimum time interval after last rotation of the security log before it may be rotated again. | |
| #dbms.logs.security.rotation.delay=300s | |
| # Maximum number of history files for the security log. | |
| #dbms.logs.security.rotation.keep_number=7 | |
| #***************************************************************** | |
| # Causal Clustering Configuration | |
| #***************************************************************** | |
| # Uncomment and specify these lines for running Neo4j in Causal Clustering mode. | |
| # See the Causal Clustering documentation at https://neo4j.com/docs/ for details. | |
| # Database mode | |
| # Allowed values: | |
| # CORE - Core member of the cluster, part of the consensus quorum. | |
| # READ_REPLICA - Read replica in the cluster, an eventually-consistent read-only instance of the database. | |
| # To operate this Neo4j instance in Causal Clustering mode as a core member, uncomment this line: | |
| #dbms.mode=CORE | |
| # Expected number of Core servers in the cluster at formation | |
| #causal_clustering.minimum_core_cluster_size_at_formation=3 | |
| # Minimum expected number of Core servers in the cluster at runtime. | |
| #causal_clustering.minimum_core_cluster_size_at_runtime=3 | |
| # A comma-separated list of the address and port for which to reach all other members of the cluster. It must be in the | |
| # host:port format. For each machine in the cluster, the address will usually be the public ip address of that machine. | |
| # The port will be the value used in the setting "causal_clustering.discovery_listen_address". | |
| #causal_clustering.initial_discovery_members=localhost:5000,localhost:5001,localhost:5002 | |
| # Host and port to bind the cluster member discovery management communication. | |
| # This is the setting to add to the collection of address in causal_clustering.initial_core_cluster_members. | |
| # Use 0.0.0.0 to bind to any network interface on the machine. If you want to only use a specific interface | |
| # (such as a private ip address on AWS, for example) then use that ip address instead. | |
| # If you don't know what value to use here, use this machines ip address. | |
| causal_clustering.discovery_listen_address=:5000 | |
| # Network interface and port for the transaction shipping server to listen on. | |
| # Please note that it is also possible to run the backup client against this port so always limit access to it via the | |
| # firewall and configure an ssl policy. If you want to allow for messages to be read from | |
| # any network on this machine, us 0.0.0.0. If you want to constrain communication to a specific network address | |
| # (such as a private ip on AWS, for example) then use that ip address instead. | |
| # If you don't know what value to use here, use this machines ip address. | |
| causal_clustering.transaction_listen_address=:6000 | |
| # Network interface and port for the RAFT server to listen on. If you want to allow for messages to be read from | |
| # any network on this machine, us 0.0.0.0. If you want to constrain communication to a specific network address | |
| # (such as a private ip on AWS, for example) then use that ip address instead. | |
| # If you don't know what value to use here, use this machines ip address. | |
| causal_clustering.raft_listen_address=:7000 | |
| # List a set of names for groups to which this server should belong. This | |
| # is a comma-separated list and names should only use alphanumericals | |
| # and underscore. This can be used to identify groups of servers in the | |
| # configuration for load balancing and replication policies. | |
| # | |
| # The main intention for this is to group servers, but it is possible to specify | |
| # a unique identifier here as well which might be useful for troubleshooting | |
| # or other special purposes. | |
| #causal_clustering.server_groups= | |
| #***************************************************************** | |
| # Causal Clustering Load Balancing | |
| #***************************************************************** | |
| # N.B: Read the online documentation for a thorough explanation! | |
| # Selects the load balancing plugin that shall be enabled. | |
| #causal_clustering.load_balancing.plugin=server_policies | |
| ####### Examples for "server_policies" plugin ####### | |
| # Will select all available servers as the default policy, which is the | |
| # policy used when the client does not specify a policy preference. The | |
| # default configuration for the default policy is all(). | |
| #causal_clustering.load_balancing.config.server_policies.default=all() | |
| # Will select servers in groups 'group1' or 'group2' under the default policy. | |
| #causal_clustering.load_balancing.config.server_policies.default=groups(group1,group2) | |
| # Slightly more advanced example: | |
| # Will select servers in 'group1', 'group2' or 'group3', but only if there are at least 2. | |
| # This policy will be exposed under the name of 'mypolicy'. | |
| #causal_clustering.load_balancing.config.server_policies.mypolicy=groups(group1,group2,group3) -> min(2) | |
| # Below will create an even more advanced policy named 'regionA' consisting of several rules | |
| # yielding the following behaviour: | |
| # | |
| # select servers in regionA, if at least 2 are available | |
| # otherwise: select servers in regionA and regionB, if at least 2 are available | |
| # otherwise: select all servers | |
| # | |
| # The intention is to create a policy for a particular region which prefers | |
| # a certain set of local servers, but which will fallback to other regions | |
| # or all available servers as required. | |
| # | |
| # N.B: The following configuration uses the line-continuation character \ | |
| # which allows you to construct an easily readable rule set spanning | |
| # several lines. | |
| # | |
| #causal_clustering.load_balancing.config.server_policies.policyA=\ | |
| #groups(regionA) -> min(2);\ | |
| #groups(regionA,regionB) -> min(2); | |
| # Note that implicitly the last fallback is to always consider all() servers, | |
| # but this can be prevented by specifying a halt() as the last rule. | |
| # | |
| #causal_clustering.load_balancing.config.server_policies.regionA_only=\ | |
| #groups(regionA);\ | |
| #halt(); | |
| #***************************************************************** | |
| # Causal Clustering Additional Configuration Options | |
| #***************************************************************** | |
| # The following settings are used less frequently. | |
| # If you don't know what these are, you don't need to change these from their default values. | |
| # Address and port that this machine advertises that it's RAFT server is listening at. Should be a | |
| # specific network address. If you are unsure about what value to use here, use this machine's ip address. | |
| #causal_clustering.raft_advertised_address=:7000 | |
| # Address and port that this machine advertises that it's transaction shipping server is listening at. Should be a | |
| # specific network address. If you are unsure about what value to use here, use this machine's ip address. | |
| #causal_clustering.transaction_advertised_address=:6000 | |
| # The time window within which the loss of the leader is detected and the first re-election attempt is held. | |
| # The window should be significantly larger than typical communication delays to make conflicts unlikely. | |
| #causal_clustering.leader_failure_detection_window=20s-23s | |
| # The rate at which leader elections happen. Note that due to election conflicts it might take several attempts to | |
| # find a leader. The window should be significantly larger than typical communication delays to make conflicts unlikely. | |
| #causal_clustering.election_failure_detection_window=3s-6s | |
| # The time limit allowed for a new member to attempt to update its data to match the rest of the cluster. | |
| #causal_clustering.join_catch_up_timeout=10m | |
| # Maximum amount of lag accepted for a new follower to join the Raft group. | |
| #causal_clustering.join_catch_up_max_lag=10s | |
| # The size of the batch for streaming entries to other machines while trying to catch up another machine. | |
| #causal_clustering.catchup_batch_size=64 | |
| # When to pause sending entries to other machines and allow them to catch up. | |
| #causal_clustering.log_shipping_max_lag=256 | |
| # Retry time for log shipping to followers after a stall. | |
| #causal_clustering.log_shipping_retry_timeout=5s | |
| # Raft log pruning frequncy. | |
| #causal_clustering.raft_log_pruning_frequency=10m | |
| # The size to allow the raft log to grow before rotating. | |
| #causal_clustering.raft_log_rotation_size=250M | |
| # The name of a server_group whose members should be prioritized as leaders for the given database. | |
| # This does not guarantee that members of this group will be leader at all times, but the cluster | |
| # will attempt to transfer leadership to such a member when possible. | |
| # N.B. the final portion of this config key is dynamic and refers to the name of the database being configured. | |
| # You may specify multiple `causal_clustering.leadership_priority_group.<database-name>=<server-group>` pairs: | |
| #causal_clustering.leadership_priority_group.foo= | |
| #causal_clustering.leadership_priority_group.neo4j= | |
| # Which strategy to use when transferring database leaderships around a cluster. | |
| # This can be one of `equal_balancing` or `no_balancing`. | |
| # `equal_balancing` automatically ensures that each Core server holds the leader role for an equal number of databases. | |
| # `no_balancing` prevents any automatic balancing of the leader role. | |
| # Note that if a `leadership_priority_group` is specified for a given database, | |
| # the value of this setting will be ignored for that database. | |
| #causal_clustering.leadership_balancing=equal_balancing | |
| ### The following setting is relevant for Read Replica servers only. | |
| # The interval of pulling updates from Core servers. | |
| #causal_clustering.pull_interval=1s | |
| #******************************************************************** | |
| # Security Configuration | |
| #******************************************************************** | |
| # The authentication and authorization providers that contains both users and roles. | |
| # This can be one of the built-in `native` or `ldap` auth providers, | |
| # or it can be an externally provided plugin, with a custom name prefixed by `plugin`, | |
| # i.e. `plugin-<AUTH_PROVIDER_NAME>`. | |
| #dbms.security.authentication_providers=native | |
| #dbms.security.authorization_providers=native | |
| # The time to live (TTL) for cached authentication and authorization info when using | |
| # external auth providers (LDAP or plugin). Setting the TTL to 0 will | |
| # disable auth caching. | |
| #dbms.security.auth_cache_ttl=10m | |
| # The maximum capacity for authentication and authorization caches (respectively). | |
| #dbms.security.auth_cache_max_capacity=10000 | |
| # Set to log successful authentication events to the security log. | |
| # If this is set to `false` only failed authentication events will be logged, which | |
| # could be useful if you find that the successful events spam the logs too much, | |
| # and you do not require full auditing capability. | |
| #dbms.security.log_successful_authentication=true | |
| #================================================ | |
| # LDAP Auth Provider Configuration | |
| #================================================ | |
| # URL of LDAP server to use for authentication and authorization. | |
| # The format of the setting is `<protocol>://<hostname>:<port>`, where hostname is the only required field. | |
| # The supported values for protocol are `ldap` (default) and `ldaps`. | |
| # The default port for `ldap` is 389 and for `ldaps` 636. | |
| # For example: `ldaps://ldap.example.com:10389`. | |
| # | |
| # NOTE: You may want to consider using STARTTLS (`dbms.security.ldap.use_starttls`) instead of LDAPS | |
| # for secure connections, in which case the correct protocol is `ldap`. | |
| #dbms.security.ldap.host=localhost | |
| # Use secure communication with the LDAP server using opportunistic TLS. | |
| # First an initial insecure connection will be made with the LDAP server, and then a STARTTLS command | |
| # will be issued to negotiate an upgrade of the connection to TLS before initiating authentication. | |
| #dbms.security.ldap.use_starttls=false | |
| # The LDAP referral behavior when creating a connection. This is one of `follow`, `ignore` or `throw`. | |
| # `follow` automatically follows any referrals | |
| # `ignore` ignores any referrals | |
| # `throw` throws an exception, which will lead to authentication failure | |
| #dbms.security.ldap.referral=follow | |
| # The timeout for establishing an LDAP connection. If a connection with the LDAP server cannot be | |
| # established within the given time the attempt is aborted. | |
| # A value of 0 means to use the network protocol's (i.e., TCP's) timeout value. | |
| #dbms.security.ldap.connection_timeout=30s | |
| # The timeout for an LDAP read request (i.e. search). If the LDAP server does not respond within | |
| # the given time the request will be aborted. A value of 0 means wait for a response indefinitely. | |
| #dbms.security.ldap.read_timeout=30s | |
| #---------------------------------- | |
| # LDAP Authentication Configuration | |
| #---------------------------------- | |
| # LDAP authentication mechanism. This is one of `simple` or a SASL mechanism supported by JNDI, | |
| # for example `DIGEST-MD5`. `simple` is basic username | |
| # and password authentication and SASL is used for more advanced mechanisms. See RFC 2251 LDAPv3 | |
| # documentation for more details. | |
| #dbms.security.ldap.authentication.mechanism=simple | |
| # LDAP user DN template. An LDAP object is referenced by its distinguished name (DN), and a user DN is | |
| # an LDAP fully-qualified unique user identifier. This setting is used to generate an LDAP DN that | |
| # conforms with the LDAP directory's schema from the user principal that is submitted with the | |
| # authentication token when logging in. | |
| # The special token {0} is a placeholder where the user principal will be substituted into the DN string. | |
| #dbms.security.ldap.authentication.user_dn_template=uid={0},ou=users,dc=example,dc=com | |
| # Determines if the result of authentication via the LDAP server should be cached or not. | |
| # Caching is used to limit the number of LDAP requests that have to be made over the network | |
| # for users that have already been authenticated successfully. A user can be authenticated against | |
| # an existing cache entry (instead of via an LDAP server) as long as it is alive | |
| # (see `dbms.security.auth_cache_ttl`). | |
| # An important consequence of setting this to `true` is that | |
| # Neo4j then needs to cache a hashed version of the credentials in order to perform credentials | |
| # matching. This hashing is done using a cryptographic hash function together with a random salt. | |
| # Preferably a conscious decision should be made if this method is considered acceptable by | |
| # the security standards of the organization in which this Neo4j instance is deployed. | |
| #dbms.security.ldap.authentication.cache_enabled=true | |
| #---------------------------------- | |
| # LDAP Authorization Configuration | |
| #---------------------------------- | |
| # Authorization is performed by searching the directory for the groups that | |
| # the user is a member of, and then map those groups to Neo4j roles. | |
| # Perform LDAP search for authorization info using a system account instead of the user's own account. | |
| # | |
| # If this is set to `false` (default), the search for group membership will be performed | |
| # directly after authentication using the LDAP context bound with the user's own account. | |
| # The mapped roles will be cached for the duration of `dbms.security.auth_cache_ttl`, | |
| # and then expire, requiring re-authentication. To avoid frequently having to re-authenticate | |
| # sessions you may want to set a relatively long auth cache expiration time together with this option. | |
| # NOTE: This option will only work if the users are permitted to search for their | |
| # own group membership attributes in the directory. | |
| # | |
| # If this is set to `true`, the search will be performed using a special system account user | |
| # with read access to all the users in the directory. | |
| # You need to specify the username and password using the settings | |
| # `dbms.security.ldap.authorization.system_username` and | |
| # `dbms.security.ldap.authorization.system_password` with this option. | |
| # Note that this account only needs read access to the relevant parts of the LDAP directory | |
| # and does not need to have access rights to Neo4j, or any other systems. | |
| #dbms.security.ldap.authorization.use_system_account=false | |
| # An LDAP system account username to use for authorization searches when | |
| # `dbms.security.ldap.authorization.use_system_account` is `true`. | |
| # Note that the `dbms.security.ldap.authentication.user_dn_template` will not be applied to this username, | |
| # so you may have to specify a full DN. | |
| #dbms.security.ldap.authorization.system_username= | |
| # An LDAP system account password to use for authorization searches when | |
| # `dbms.security.ldap.authorization.use_system_account` is `true`. | |
| #dbms.security.ldap.authorization.system_password= | |
| # The name of the base object or named context to search for user objects when LDAP authorization is enabled. | |
| # A common case is that this matches the last part of `dbms.security.ldap.authentication.user_dn_template`. | |
| #dbms.security.ldap.authorization.user_search_base=ou=users,dc=example,dc=com | |
| # The LDAP search filter to search for a user principal when LDAP authorization is | |
| # enabled. The filter should contain the placeholder token {0} which will be substituted for the | |
| # user principal. | |
| #dbms.security.ldap.authorization.user_search_filter=(&(objectClass=*)(uid={0})) | |
| # A list of attribute names on a user object that contains groups to be used for mapping to roles | |
| # when LDAP authorization is enabled. | |
| #dbms.security.ldap.authorization.group_membership_attributes=memberOf | |
| # An authorization mapping from LDAP group names to Neo4j role names. | |
| # The map should be formatted as a semicolon separated list of key-value pairs, where the | |
| # key is the LDAP group name and the value is a comma separated list of corresponding role names. | |
| # For example: group1=role1;group2=role2;group3=role3,role4,role5 | |
| # | |
| # You could also use whitespaces and quotes around group names to make this mapping more readable, | |
| # for example: dbms.security.ldap.authorization.group_to_role_mapping=\ | |
| # "cn=Neo4j Read Only,cn=users,dc=example,dc=com" = reader; \ | |
| # "cn=Neo4j Read-Write,cn=users,dc=example,dc=com" = publisher; \ | |
| # "cn=Neo4j Schema Manager,cn=users,dc=example,dc=com" = architect; \ | |
| # "cn=Neo4j Administrator,cn=users,dc=example,dc=com" = admin | |
| #dbms.security.ldap.authorization.group_to_role_mapping= | |
| #***************************************************************** | |
| # Miscellaneous configuration | |
| #***************************************************************** | |
| # Compresses the metric archive files. | |
| metrics.csv.rotation.compression=zip | |
| # Enable this to specify a parser other than the default one. | |
| #cypher.default_language_version=3.5 | |
| # Determines if Cypher will allow using file URLs when loading data using | |
| # `LOAD CSV`. Setting this value to `false` will cause Neo4j to fail `LOAD CSV` | |
| # clauses that load data from the file system. | |
| #dbms.security.allow_csv_import_from_file_urls=true | |
| # Value of the Access-Control-Allow-Origin header sent over any HTTP or HTTPS | |
| # connector. This defaults to '*', which allows broadest compatibility. Note | |
| # that any URI provided here limits HTTP/HTTPS access to that URI only. | |
| #dbms.security.http_access_control_allow_origin=* | |
| # Value of the HTTP Strict-Transport-Security (HSTS) response header. This header | |
| # tells browsers that a webpage should only be accessed using HTTPS instead of HTTP. | |
| # It is attached to every HTTPS response. Setting is not set by default so | |
| # 'Strict-Transport-Security' header is not sent. Value is expected to contain | |
| # directives like 'max-age', 'includeSubDomains' and 'preload'. | |
| #dbms.security.http_strict_transport_security= | |
| # Retention policy for transaction logs needed to perform recovery and backups. | |
| #dbms.tx_log.rotation.retention_policy=7 days | |
| # Limit the number of IOs the background checkpoint process will consume per second. | |
| # This setting is advisory, is ignored in Neo4j Community Edition, and is followed to | |
| # best effort in Enterprise Edition. | |
| # An IO is in this case a 8 KiB (mostly sequential) write. Limiting the write IO in | |
| # this way will leave more bandwidth in the IO subsystem to service random-read IOs, | |
| # which is important for the response time of queries when the database cannot fit | |
| # entirely in memory. The only drawback of this setting is that longer checkpoint times | |
| # may lead to slightly longer recovery times in case of a database or system crash. | |
| # A lower number means lower IO pressure, and consequently longer checkpoint times. | |
| # The configuration can also be commented out to remove the limitation entirely, and | |
| # let the checkpointer flush data as fast as the hardware will go. | |
| # Set this to -1 to disable the IOPS limit. | |
| # dbms.checkpoint.iops.limit=600 | |
| # Only allow read operations from this Neo4j instance. This mode still requires | |
| # write access to the directory for lock purposes. | |
| #dbms.read_only=false | |
| # Comma separated list of JAX-RS packages containing JAX-RS resources, one | |
| # package name for each mountpoint. The listed package names will be loaded | |
| # under the mountpoints specified. Uncomment this line to mount the | |
| # org.neo4j.examples.server.unmanaged.HelloWorldResource.java from | |
| # neo4j-server-examples under /examples/unmanaged, resulting in a final URL of | |
| # http://localhost:7474/examples/unmanaged/helloworld/{nodeId} | |
| #dbms.unmanaged_extension_classes=org.neo4j.examples.server.unmanaged=/examples/unmanaged | |
| # A comma separated list of procedures and user defined functions that are allowed | |
| # full access to the database through unsupported/insecure internal APIs. | |
| #dbms.security.procedures.unrestricted=my.extensions.example,my.procedures.* | |
| # A comma separated list of procedures to be loaded by default. | |
| # Leaving this unconfigured will load all procedures found. | |
| #dbms.security.procedures.allowlist=apoc.coll.*,apoc.load.*,gds.* | |
| # For how long should drivers cache the discovery data from | |
| # the dbms.routing.getRoutingTable() procedure. Defaults to 300s. | |
| #dbms.routing_ttl=300s | |
| #******************************************************************** | |
| # JVM Parameters | |
| #******************************************************************** | |
| # G1GC generally strikes a good balance between throughput and tail | |
| # latency, without too much tuning. | |
| dbms.jvm.additional=-XX:+UseG1GC | |
| # Have common exceptions keep producing stack traces, so they can be | |
| # debugged regardless of how often logs are rotated. | |
| dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow | |
| # Make sure that `initmemory` is not only allocated, but committed to | |
| # the process, before starting the database. This reduces memory | |
| # fragmentation, increasing the effectiveness of transparent huge | |
| # pages. It also reduces the possibility of seeing performance drop | |
| # due to heap-growing GC events, where a decrease in available page | |
| # cache leads to an increase in mean IO response time. | |
| # Try reducing the heap memory, if this flag degrades performance. | |
| dbms.jvm.additional=-XX:+AlwaysPreTouch | |
| # Trust that non-static final fields are really final. | |
| # This allows more optimizations and improves overall performance. | |
| # NOTE: Disable this if you use embedded mode, or have extensions or dependencies that may use reflection or | |
| # serialization to change the value of final fields! | |
| dbms.jvm.additional=-XX:+UnlockExperimentalVMOptions | |
| dbms.jvm.additional=-XX:+TrustFinalNonStaticFields | |
| # Disable explicit garbage collection, which is occasionally invoked by the JDK itself. | |
| dbms.jvm.additional=-XX:+DisableExplicitGC | |
| #Increase maximum number of nested calls that can be inlined from 9 (default) to 15 | |
| dbms.jvm.additional=-XX:MaxInlineLevel=15 | |
| # Disable biased locking | |
| dbms.jvm.additional=-XX:-UseBiasedLocking | |
| # Allow Neo4j to use @Contended annotation | |
| #dbms.jvm.additional=-XX:-RestrictContended | |
| # Restrict size of cached JDK buffers to 256 KB | |
| dbms.jvm.additional=-Djdk.nio.maxCachedBufferSize=262144 | |
| # More efficient buffer allocation in Netty by allowing direct no cleaner buffers. | |
| dbms.jvm.additional=-Dio.netty.tryReflectionSetAccessible=true | |
| # Exits JVM on the first occurrence of an out-of-memory error. Its preferable to restart VM in case of out of memory errors. | |
| # dbms.jvm.additional=-XX:+ExitOnOutOfMemoryError | |
| # Expand Diffie Hellman (DH) key size from default 1024 to 2048 for DH-RSA cipher suites used in server TLS handshakes. | |
| # This is to protect the server from any potential passive eavesdropping. | |
| dbms.jvm.additional=-Djdk.tls.ephemeralDHKeySize=2048 | |
| # This mitigates a DDoS vector. | |
| dbms.jvm.additional=-Djdk.tls.rejectClientInitiatedRenegotiation=true | |
| # Enable remote debugging | |
| #dbms.jvm.additional=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 | |
| # This filter prevents deserialization of arbitrary objects via java object serialization, addressing potential vulnerabilities. | |
| # By default this filter whitelists all neo4j classes, as well as classes from the hazelcast library and the java standard library. | |
| # These defaults should only be modified by expert users! | |
| # For more details (including filter syntax) see: https://openjdk.java.net/jeps/290 | |
| #dbms.jvm.additional=-Djdk.serialFilter=java.**;org.neo4j.**;com.neo4j.**;com.hazelcast.**;net.sf.ehcache.Element;com.sun.proxy.*;org.openjdk.jmh.**;!* | |
| # Increase the default flight recorder stack sampling depth from 64 to 256, to avoid truncating frames when profiling. | |
| dbms.jvm.additional=-XX:FlightRecorderOptions=stackdepth=256 | |
| # Allow profilers to sample between safepoints. Without this, sampling profilers may produce less accurate results. | |
| dbms.jvm.additional=-XX:+UnlockDiagnosticVMOptions | |
| dbms.jvm.additional=-XX:+DebugNonSafepoints | |
| # Disable logging JMX endpoint. | |
| dbms.jvm.additional=-Dlog4j2.disable.jmx=true | |
| #******************************************************************** | |
| # Wrapper Windows NT/2000/XP Service Properties | |
| #******************************************************************** | |
| # WARNING - Do not modify any of these properties when an application | |
| # using this configuration file has been installed as a service. | |
| # Please uninstall the service before modifying this section. The | |
| # service can then be reinstalled. | |
| # Name of the service | |
| dbms.windows_service_name=neo4j | |
| #******************************************************************** | |
| # Other Neo4j system properties | |
| #******************************************************************** | |
| dbms.clustering.enable=false | |
| fabric.database.name=fabric | |
| fabric.empty_bookmarks=true | |
| dbms.recovery.fail_on_missing_files=false | |
| metrics.enabled=false | |
| fabric.driver.logging.level=DEBUG | |
| fabric.routing.servers=localhost:15687 | |
| fabric.graph.0.uri=neo4j+s://xxxxxxx.databases.neo4j.io:7687 | |
| fabric.graph.0.database=neo4j | |
| fabric.graph.0.name=neo4j | |
| fabric.graph.0.driver.ssl_enabled=true | |
| fabric.graph.1.uri=neo4j+ssc://localhost:15687 | |
| fabric.graph.1.database=movies1 | |
| fabric.graph.1.name=movies | |
| fabric.graph.1.driver.ssl_enabled=true | |
| dbms.security.procedures.unrestricted=bloom.*,apoc.* | |
| dbms.security.procedures.allowlist=apoc.*,bloom.* | |
| dbms.unmanaged_extension_classes=com.neo4j.bloom.server=/bloom | |
| dbms.security.http_auth_allowlist=/,/browser.*,/bloom.* | |
| neo4j.bloom.license_file=/Users/davidfauth/neo4j-enterprise-4.3.0_fabric/conf/mybloomkey.license | |
| # Https SSL configuration | |
| dbms.ssl.policy.https.enabled=true | |
| dbms.ssl.policy.https.base_directory=certificates/shared | |
| dbms.ssl.policy.https.private_key=private.key | |
| dbms.ssl.policy.https.public_certificate=public.crt | |
| dbms.ssl.policy.https.trusted_dir=trusted | |
| #dbms.ssl.policy.https.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA | |
| dbms.ssl.policy.https.client_auth=NONE | |
| dbms.ssl.policy.https.tls_versions=TLSv1.2 | |
| dbms.ssl.policy.https.trust_all=true | |
| # Bolt SSL configuration | |
| dbms.ssl.policy.bolt.enabled=true | |
| dbms.ssl.policy.bolt.base_directory=certificates/shared | |
| dbms.ssl.policy.bolt.private_key=private.key | |
| dbms.ssl.policy.bolt.public_certificate=public.crt | |
| dbms.ssl.policy.bolt.trusted_dir=trusted | |
| #dbms.ssl.policy.bolt.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA | |
| dbms.ssl.policy.bolt.client_auth=OPTIONAL | |
| #Fabric SSL Configuration | |
| dbms.ssl.policy.fabric.enabled=true | |
| dbms.ssl.policy.fabric.base_directory=certificates/shared | |
| dbms.ssl.policy.fabric.private_key=private.key | |
| dbms.ssl.policy.fabric.public_certificate=public.crt | |
| dbms.ssl.policy.fabric.trusted_dir=trusted | |
| #dbms.ssl.policy.fabric.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA | |
| dbms.ssl.policy.fabric.client_auth=OPTIONAL | |
| dbms.ssl.policy.fabric.trust_all=true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment