Reputation: 378
I would like to implement fine-grained authorization in a Neo4j database accessed using the default Neo4j REST API.
The business data and the authorization rules will be persisted in the same Graph Database. Every node will have an incoming relationship "CAN_ACCESS" from other nodes representing the application users.
I would like to implement some kind of interceptor having the following behavior, on GET requests:
Is there a class in the Neo4j Server API I can extend to plug this algorithm into my server? I think I need a single place to handle the request, the response and the retrieved data.
Upvotes: 0
Views: 697
Reputation: 41706
Perhaps you can look into overriding the RepresentationFormat for nodes and check in there.
You probably have to register a custom content type for this to work.
Another option is to add a filter to the Neo4j server and re-parse the responses and check there for your security rules.
Perhaps the filter used in the authentication extension can help you as an example:
https://github.com/neo4j-contrib/authentication-extension/tree/2.0
Upvotes: 1
Reputation: 39925
You can implement a SecurityRule for this. A SecurityRule is a filter that any request to the server needs to pass.
Upvotes: 0
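An added example (not code from any of the posts above or from the Neo4j project) of the SecurityRule approach applied to GET requests on single-node URIs. `AccessChecker` and the static `checker` field are hypothetical, and the caller is assumed to have been authenticated by an earlier filter so that `getRemoteUser()` returns the user name. Since `isAuthorized` receives only the request, this gates node URIs but cannot filter nodes returned inside Cypher or traversal responses.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.neo4j.server.rest.security.SecurityFilter;
import org.neo4j.server.rest.security.SecurityRule;

public class CanAccessSecurityRule implements SecurityRule {

    /** Hypothetical lookup: does (user)-[:CAN_ACCESS]->(node) exist in the graph? */
    public interface AccessChecker {
        boolean canAccess(String userName, long nodeId);
    }

    // Assumption: assigned once at start-up by your own bootstrap code.
    public static volatile AccessChecker checker;

    // Matches /db/data/node/42 and sub-resources such as /db/data/node/42/properties.
    // The id is capped at 18 digits so Long.parseLong cannot overflow.
    private static final Pattern NODE_URI =
            Pattern.compile("^/db/data/node/(\\d{1,18})(/.*)?$");

    @Override
    public boolean isAuthorized(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())) {
            return true; // writes are not covered by this rule; use a separate rule for them
        }
        String user = request.getRemoteUser();
        AccessChecker c = checker;
        if (user == null || c == null) {
            return false; // fail closed: unauthenticated caller or rule not wired up
        }
        // getRequestURI() is the raw, undecoded path, so encoded or
        // parameterised variants of a node URI do not match and are denied.
        Matcher m = NODE_URI.matcher(request.getRequestURI());
        if (!m.matches()) {
            return false; // fail closed on any GET under the node path we cannot parse
        }
        return c.canAccess(user, Long.parseLong(m.group(1)));
    }

    @Override
    public String forUriPath() {
        return "/db/data/node/*"; // wildcard form; the rule only sees node URIs
    }

    @Override
    public String wwwAuthenticate() {
        return SecurityFilter.basicAuthenticationResponse("neo4j-can-access"); // constructed realm name
    }
}
```

The rule is registered by listing its fully qualified class name under `org.neo4j.server.rest.security_rules` in `neo4j-server.properties`.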