Created
January 29, 2020 19:35
Securing the beergraph with Neo4j 4.0
// Create the demo database and the lookup indexes that the import relies on.
// NOTE: in Neo4j 4.0, CREATE DATABASE is an administration command and runs against
// the system database; the CREATE INDEX statements have to run against beergraph
// itself, so switch databases between the two steps.
CREATE DATABASE beergraph;

// One single-property index per node label that the import MERGEs on.
CREATE INDEX ON :BeerBrand(name);
CREATE INDEX ON :BeerType(name);
CREATE INDEX ON :Brewery(name);
CREATE INDEX ON :AlcoholPercentage(value);
// Import the whole beer graph from the published spreadsheet in a single query.
// NOTE(review): the graph ends up holding whatever the remote sheet returns at load
// time, so anyone able to edit that sheet controls the imported data. Load from a
// reviewed local copy when the integrity of the data matters.
LOAD CSV WITH HEADERS FROM
"https://docs.google.com/spreadsheets/d/1FwWxlgnOhOtrUELIzLupDFW7euqXfeh8x3BeiEY_sbI/export?format=csv&id=1FwWxlgnOhOtrUELIzLupDFW7euqXfeh8x3BeiEY_sbI&gid=0" AS csv
// Each WITH ... WHERE step drops rows that lack the column the next MERGE needs;
// a dropped row is also skipped by every later step of the query.
WITH csv
WHERE csv.BeerType IS NOT NULL
MERGE (:BeerType {name: csv.BeerType})
WITH csv
WHERE csv.BeerBrand IS NOT NULL
MERGE (:BeerBrand {name: csv.BeerBrand})
WITH csv
WHERE csv.Brewery IS NOT NULL
MERGE (:Brewery {name: csv.Brewery})
// Turn the percentage text into a float: strip '%' and use '.' as the decimal
// separator (a constructed example: "8,5%" becomes 8.5).
WITH csv, toFloat(replace(replace(csv.AlcoholPercentage, '%', ''), ',', '.')) AS abv
WHERE csv.AlcoholPercentage IS NOT NULL
MERGE (:AlcoholPercentage {value: abv})
WITH csv, abv
// Look the four nodes of this row up again and connect the beer brand to the others.
MATCH (ap:AlcoholPercentage {value: abv}),
      (br:Brewery {name: csv.Brewery}),
      (bb:BeerBrand {name: csv.BeerBrand}),
      (bt:BeerType {name: csv.BeerType})
MERGE (bb)-[:HAS_ALCOHOLPERCENTAGE]->(ap)
MERGE (bb)-[:IS_A]->(bt)
MERGE (br)-[:BREWS]->(bb);
// Build the in-graph index: chain the AlcoholPercentage nodes in ascending order of
// value, linking each node to its successor with a PRECEDES relationship.
MATCH (ap:AlcoholPercentage)
WITH ap
ORDER BY ap.value ASC
WITH collect(ap) AS sorted_ap
// Walk the adjacent pairs (i, i+1); the range is empty when there are fewer than
// two nodes, so nothing is created in that case.
UNWIND range(0, size(sorted_ap) - 2) AS i
WITH sorted_ap[i] AS lower_ap, sorted_ap[i + 1] AS higher_ap
MERGE (lower_ap)-[:PRECEDES]->(higher_ap);
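// User and role management statements are administration commands; in Neo4j 4.0
// they are run against the system database.

// Create the restricted demo account.
// "changeme" is only a placeholder initial password: CHANGE REQUIRED makes the
// account replace it at first login instead of keeping a guessable credential.
CREATE USER childreader SET PASSWORD "changeme" CHANGE REQUIRED;

// Create childreaderrole as a copy of the built-in reader role.
// NOTE: the reader role's privileges are not limited to beergraph, and the DENY at
// the end of this block names only beergraph, so the copied role keeps read access
// to any other database reader can see. Review the outcome with
// SHOW ROLE childreaderrole PRIVILEGES.
CREATE ROLE childreaderrole AS COPY OF reader;

// List the roles to confirm that the new one exists.
SHOW ROLES;

// Put the childreader user into childreaderrole.
GRANT ROLE childreaderrole TO childreader;

// Deny reading the value property of AlcoholPercentage nodes in beergraph.
// This covers the property only: the role can still match the AlcoholPercentage
// nodes and traverse the relationships attached to them.
DENY READ {value} ON GRAPH `beergraph` NODES AlcoholPercentage TO childreaderrole;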
// Find every shortest path between two beers, following relationships of any type
// in either direction. Run it as childreader before and after each DENY to see
// which routes the role is still allowed to take.
MATCH (orval:BeerBrand {name: "Orval"}),
      (duvel:BeerBrand {name: "Duvel"}),
      path = allShortestPaths((orval)-[*]-(duvel))
RETURN path;
// Second restriction: stop the role from traversing HAS_ALCOHOLPERCENTAGE
// relationships in beergraph.
// NOTE: only this relationship type is named. The AlcoholPercentage nodes and the
// PRECEDES chain between them are not covered by this statement; if they must be
// hidden as well, add a matching DENY TRAVERSE ... NODES AlcoholPercentage.
DENY TRAVERSE ON GRAPH beergraph RELATIONSHIPS HAS_ALCOHOLPERCENTAGE TO childreaderrole;
// Reset: lift both restrictions so the demo can be started over.
// These statements remove only the two DENY privileges; the childreader user and
// childreaderrole keep existing, with the read access copied from reader.
REVOKE DENY READ {value} ON GRAPH beergraph NODES AlcoholPercentage FROM childreaderrole;
REVOKE DENY TRAVERSE ON GRAPH beergraph RELATIONSHIPS HAS_ALCOHOLPERCENTAGE FROM childreaderrole;