This page provides a complete reference to the Neo4j configuration settings, which can be set in
neo4j.conf
.
Refer to
The neo4j.conf file
for details on how to use configuration settings.
Some of the settings are labeled
Dynamic
, which means that they can be changed at runtime, without restarting the service.
For more information on how to update dynamic configuration settings, see
Update dynamic settings
.
Changes to the configuration at runtime are not persisted.
To avoid losing changes when restarting Neo4j, make sure you update
neo4j.conf
as well.
In a clustered environment,
CALL dbms.setConfigValue
affects only the server it is run against, and it is not propagated to other members.
If you want to change the configuration settings on all cluster members, you have to run the procedure against each of them and update their
neo4j.conf
file.
Checkpointing is the process of flushing all pending page updates from the page cache to the store files.
This is done periodically and is used to recover the database in case of a crash.
The checkpoint settings control the frequency of checkpoints, and the amount of data that is written to disk in each checkpoint.
See also,
Transaction log settings
.
Table 1. db.checkpoint
Description
Configures the general policy for when checkpoints should occur. The default policy is the 'periodic' checkpoint policy, as specified by the
db.checkpoint.interval.tx
and
db.checkpoint.interval.time
settings. The Neo4j Enterprise Edition provides two alternative policies: The first is the 'continuous' checkpoint policy, which will ignore those settings and run the checkpoint process all the time. The second is the 'volumetric' checkpoint policy, which makes a best-effort at checkpointing often enough so that the database doesn’t get too far behind on deleting old transaction logs in accordance with the
db.tx_log.rotation.retention_policy
setting.
Valid values
one of [PERIODIC, CONTINUOUS, VOLUME, VOLUMETRIC]
Default value
PERIODIC
Description
Configures the time interval between checkpoints. The database will not checkpoint more often than this (unless checkpointing is triggered by a different event), but might checkpoint less often than this interval, if performing a checkpoint takes longer time than the configured interval. A checkpoint is a point in the transaction logs, which recovery would start from. Longer checkpoint intervals typically mean that recovery will take longer to complete in case of a crash. On the other hand, a longer checkpoint interval can also reduce the I/O load that the database places on the system, as each checkpoint implies a flushing and forcing of all the store files.
Valid values
a duration (Valid units are:
ns
,
μs
,
ms
,
s
,
m
,
h
and
d
; default unit is
s
)
Default value
Description
Configures the transaction interval between checkpoints. The database will not checkpoint more often than this (unless check pointing is triggered by a different event), but might checkpoint less often than this interval, if performing a checkpoint takes longer time than the configured interval. A checkpoint is a point in the transaction logs, which recovery would start from. Longer checkpoint intervals typically mean that recovery will take longer to complete in case of a crash. On the other hand, a longer checkpoint interval can also reduce the I/O load that the database places on the system, as each checkpoint implies a flushing and forcing of all the store files. The default is '100000' for a checkpoint every 100000 transactions.
Valid values
an integer which is minimum
1
Default value
100000
Description
Configures the volume of transaction logs between checkpoints. The database will not checkpoint more often than this (unless check pointing is triggered by a different event), but might checkpoint less often than this interval, if performing a checkpoint takes longer time than the configured interval. A checkpoint is a point in the transaction logs, which recovery would start from. Longer checkpoint intervals typically mean that recovery will take longer to complete in case of a crash. On the other hand, a longer checkpoint interval can also reduce the I/O load that the database places on the system, as each checkpoint implies a flushing and forcing of all the store files.
Valid values
a byte size (valid multipliers are
B
,
KiB
,
KB
,
K
,
kB
,
kb
,
k
,
MiB
,
MB
,
M
,
mB
,
mb
,
m
,
GiB
,
GB
,
G
,
gB
,
gb
,
g
,
TiB
,
TB
,
PiB
,
PB
,
EiB
,
EB
) which is minimum
1.00KiB
Default value
250.00MiB
Description
Limit the number of IOs the background checkpoint process will consume per second. This setting is advisory, is ignored in Neo4j Community Edition, and is followed to best effort in Enterprise Edition. An IO is in this case a 8 KiB (mostly sequential) write. Limiting the write IO in this way will leave more bandwidth in the IO subsystem to service random-read IOs, which is important for the response time of queries when the database cannot fit entirely in memory. The only drawback of this setting is that longer checkpoint times may lead to slightly longer recovery times in case of a database or system crash. A lower number means lower IO pressure, and consequently longer checkpoint times. Set this to -1 to disable the IOPS limit and remove the limitation entirely; this will let the checkpointer flush data as fast as the hardware will go. Removing the setting, or commenting it out, will set the default value of 600.
Valid values
an integer
Default value
The cluster settings are used to configure the behavior of a Neo4j cluster.
For more information, see also
Clustering settings
.
Enterprise Edition
Table 6. db.cluster.catchup.pull_interval
Description
The name of a server_group whose members should be prioritized as leaders. This does not guarantee that members of this group will be leader at all times, but the cluster will attempt to transfer leadership to such a member when possible. If a database is specified using
db.cluster.raft.leader_transfer.priority_group
.<database> the specified priority group will apply to that database only. If no database is specified that group will be the default and apply to all databases which have no priority group explicitly set. Using this setting will disable leadership balancing.
Valid values
a string identifying a Server Tag
Default value
Description
The name of a server tag whose members should be prioritized as leaders. This does not guarantee that members with this group will be leader at all times, but the cluster will attempt to transfer leadership to such a member when possible. If a database is specified using
db.cluster.raft.leader_transfer.priority_tag
.<database> the specified priority tag will apply to that database only. If no database is specified that tag will be the default and apply to all databases which have no priority tag explicitly set. Using this setting will disable leadership balancing.
Valid values
a string identifying a server tag
Default value
Description
RAFT log pruning strategy that determines which logs are to be pruned. Neo4j only prunes log entries up to the last applied index, which guarantees that logs are only marked for pruning once the transactions within are safely copied over to the local transaction logs and safely committed by a majority of cluster members. Possible values are a byte size or a number of transactions (e.g., 200K txs).
Valid values
a string
Default value
1g size
Description
A comma-separated list of endpoints which a server should contact in order to discover other cluster members.
Typically, all members of the cluster, including the current server, should be specified in this list.
Valid values
a ',' separated list with elements of type 'a socket address in the format 'hostname:port', 'hostname' or ':port''.
Default value
Description
Minimum number of machines initially required to form a clustered DBMS. The cluster is considered formed when at least this many members have discovered each other, bound together and bootstrapped a highly available system database. As a result, at least this many of the cluster’s initial machines must have
server.cluster.system_database_mode
set to 'PRIMARY'.NOTE: If
dbms.cluster.discovery.resolver_type
is set to 'LIST' and
dbms.cluster.discovery.endpoints
is empty then the user is assumed to be deploying a standalone DBMS, and the value of this setting is ignored.
Valid values
an integer which is minimum
2
Default value
Description
Network compression algorithms that this instance will allow in negotiation as a comma-separated list. Listed in descending order of preference for incoming connections. An empty list implies no compression. For outgoing connections this merely specifies the allowed set of algorithms and the preference of the remote peer will be used for making the decision. Allowable values: [Gzip, Snappy, Snappy_validating, LZ4, LZ4_high_compression, LZ_validating, LZ4_high_compression_validating]
Valid values
a ',' separated list with elements of type 'a string'.
Default value
Description
Which strategy to use when transferring database leaderships around a cluster. This can be one of
equal_balancing
or
no_balancing
.
equal_balancing
automatically ensures that each Core server holds the leader role for an equal number of databases.
no_balancing
prevents any automatic balancing of the leader role. Note that if a
leadership_priority_group
is specified for a given database, the value of this setting will be ignored for that database.
Valid values
one of [NO_BALANCING, EQUAL_BALANCING]
Default value
EQUAL_BALANCING
Connection settings control the communication between servers and between a server and a client.
Neo4j provides support for Bolt, HTTP, and HTTPS protocols via connectors.
For more information about the connectors, see
Configure connectors
.
When configuring the HTTPS or
Bolt
, see also
Security settings
and
SSL framework
for details on how to work with SSL certificates.
Table 54. server.bolt.advertised_address
Routing strategy for neo4j:// protocol connections.
Default is
CLIENT
, using client-side routing, with server-side routing as a fallback (if enabled).
When set to
SERVER
, client-side routing is short-circuited, and requests will rely on server-side routing (which must be enabled for proper operation, i.e.
dbms.routing.enabled
=true
).
Can be overridden by
dbms.routing.client_side.enforce_for_domains
.
Valid values
one of [SERVER, CLIENT]
Default value
CLIENT
Socket connection timeout.
A timeout of zero is treated as an infinite timeout and will be bound by the timeout configured on the
operating system level.
Valid values
a duration (Valid units are:
ns
,
μs
,
ms
,
s
,
m
,
h
and
d
; default unit is
s
)
Default value
Description
Pooled connections older than this threshold will be closed and removed from the pool.
Setting this option to a low value will cause a high connection churn and might result in a performance hit.
It is recommended to set maximum lifetime to a slightly smaller value than the one configured in network
equipment (load balancer, proxy, firewall, etc. can also limit maximum connection lifetime).
Zero and negative values result in lifetime not being checked.
Valid values
a duration (Valid units are:
ns
,
μs
,
ms
,
s
,
m
,
h
and
d
; default unit is
s
)
Default value
Description
Maximum amount of time spent attempting to acquire a connection from the connection pool.
This timeout only kicks in when all existing connections are being used and no new connections can be created because maximum connection pool size has been reached.
Error is raised when connection can’t be acquired within configured time.
Negative values are allowed and result in unlimited acquisition timeout. Value of 0 is allowed and results in no timeout and immediate failure when connection is unavailable.
Valid values
a duration (Valid units are:
ns
,
μs
,
ms
,
s
,
m
,
h
and
d
; default unit is
s
)
Default value
Description
Pooled connections that have been idle in the pool for longer than this timeout will be tested before they are used again, to ensure they are still alive.
If this option is set too low, an additional network call will be incurred when acquiring a connection, which causes a performance hit.
If this is set high, no longer live connections might be used which might lead to errors.
Hence, this parameter tunes a balance between the likelihood of experiencing connection problems and performance
Normally, this parameter should not need tuning.
Value 0 means connections will always be tested for validity.
Valid values
a duration (Valid units are:
ns
,
μs
,
ms
,
s
,
m
,
h
and
d
; default unit is
s
)
Default value
No connection liveliness check is done by default.
Description
Configure if the
dbms.routing.getRoutingTable()
procedure should include non-writer primaries as read endpoints or return only secondaries. Note: if there are no secondaries for the given database primaries are returned as read end points regardless the value of this setting. Defaults to true so that non-writer primaries are available for read-only queries in a typical heterogeneous setup.
Valid values
a boolean
Default value
The Cypher settings affect the behavior of Cypher queries.
They can be used to tune the performance of Cypher queries or to restrict the kinds of queries that can be executed.
For more information, see
Statistics and execution plans
.
Table 92. dbms.cypher.forbid_exhaustive_shortestpath
Description
This setting is associated with performance optimization. Set this to
true
in situations where it is preferable to have any queries using the 'shortestPath' function terminate as soon as possible with no answer, rather than potentially running for a long time attempting to find an answer (even if there is no path to be found). For most queries, the 'shortestPath' algorithm will return the correct answer very quickly. However there are some cases where it is possible that the fast bidirectional breadth-first search algorithm will find no results even if they exist. This can happen when the predicates in the
WHERE
clause applied to 'shortestPath' cannot be applied to each step of the traversal, and can only be applied to the entire path. When the query planner detects these special cases, it will plan to perform an exhaustive depth-first search if the fast algorithm finds no paths. However, the exhaustive search may be orders of magnitude slower than the fast algorithm. If it is critical that queries terminate as soon as possible, it is recommended that this option be set to
true
, which means that Neo4j will never consider using the exhaustive search for shortestPath queries. However, please note that if no paths are found, an error will be thrown at run time, which will need to be handled by the application.
Valid values
a boolean
Default value
false
Description
This setting is associated with performance optimization. The shortest path algorithm does not work when the start and end nodes are the same. With this setting set to
false
no path will be returned when that happens. The default value of
true
will instead throw an exception. This can happen if you perform a shortestPath search after a cartesian product that might have the same start and end nodes for some of the rows passed to shortestPath. If it is preferable to not experience this exception, and acceptable for results to be missing for those rows, then set this to
false
. If you cannot accept missing results, and really want the shortestPath between two common nodes, then re-write the query using a standard Cypher variable length pattern expression followed by ordering by path length and limiting to one result.
Valid values
a boolean
Default value
Description
The minimum time between possible Cypher query replanning events. After this time, the graph statistics will be evaluated, and if they have changed by more than the value set by
dbms.cypher.statistics_divergence_threshold
, the query will be replanned. If the statistics have not changed sufficiently, the same interval will need to pass before the statistics will be evaluated again. Each time they are evaluated, the divergence threshold will be reduced slightly until it reaches 10% after 7h, so that even moderately changing databases will see query replanning after a sufficiently long time interval.
Valid values
a duration (Valid units are:
ns
,
μs
,
ms
,
s
,
m
,
h
and
d
; default unit is
s
)
Default value
If any of the underlying statistics used to create the plan have changed more than this value, the plan will be considered stale and will be replanned. Change is calculated as
abs(a-b)/max(a,b)
.
This means that a value of
0.75
requires the database to quadruple in size before query replanning. A value of
0
means that the query will be replanned as soon as there is any change in statistics and the replan interval has elapsed.
This interval is defined by
dbms.cypher.min_replan_interval
and defaults to 10s. After this interval, the divergence threshold will slowly start to decline, reaching 10% after about 7h. This will ensure that long running databases will still get query replanning on even modest changes, while not replanning frequently unless the changes are very large.
Valid values
a double which is in the range
0.0
to
1.0
Default value
Database settings affect the behavior of a Neo4j database, for example, the file watcher service, the database format, the database store files, and the database timezone.
They can be varied between each database but must be consistent across all configuration files in a cluster/DBMS.
Table 100. db.filewatcher.enabled
Description
Database format. This is the format that will be used for new databases. Valid values are
standard
,
aligned
, or
high_limit
.The
aligned
format is essentially the
standard
format with some minimal padding at the end of pages such that a single record will never cross a page boundary. The
high_limit
format is available for Enterprise Edition only. It is required if you have a graph that is larger than 34 billion nodes, 34 billion relationships, or 68 billion properties.
Valid values
a string
Default value
aligned
Description
Enables or disables tracking of how much time a query spends actively executing on the CPU. Calling
SHOW TRANSACTIONS
will display the time, but not in the
query.log
.
If you want the CPU time to be logged in the
query.log
, set
db.track_query_cpu_time=true
.
Valid values
a boolean
Default value
false
The DBMS settings affect the Neo4j DBMS as a whole.
You can use them to set the default database, the DBMS timezone, a list of seed providers, and the maximum number of databases.
The DBMS settings must be consistent across all configuration files in a cluster/DBMS.
Table 106. initial.dbms.default_database
This setting is not the same as
dbms.default_database
, which was used to set the default database in Neo4j 4.x and earlier versions.
The
initial.dbms.default_database
setting is meant to set the default database
before
the creation of the DBMS.
Once it is created, the setting is not valid anymore.
To set the default database, use the
dbms.setDefaultDatabase()
procedure instead.
Description
Databases may be created from an existing 'seed' (a database backup or dump) stored at some source URI. Different types of seed source are supported by different implementations of
com.neo4j.dbms.seeding.SeedProvider
. For example, seeds stored at
s3://
and
https://
URIs are supported by the builtin
S3SeedProvider
and
URLConnectionSeedProvider
respectively. This list specifies enabled seed providers. If a seed source (URI scheme) is supported by multiple providers in the list, the first matching provider will be used. If the list is set to empty, the seed from uri functionality is effectively disabled.
Valid values
a
,
separated list with elements of type
a string
.
Default value
S3SeedProvider
The import settings control the size of the internal buffer used by
LOAD CSV
and the escaping of quotes in CSV files.
Table 110. db.import.csv.buffer_size
Description
Selects whether to conform to the standard
https://tools.ietf.org/html/rfc4180
for interpreting escaped quotation characters in CSV files loaded using
LOAD CSV
. Setting this to
false
will use the standard, interpreting repeated quotes '""' as a single in-lined quote, while
true
will use the legacy convention originally supported in Neo4j 3.0 and 3.1, allowing a backslash to include quotes in-lined in fields.
Valid values
a boolean
Default value
The index settings control the fulltext index and the background index sampling (chunk size limit and sample size).
For more information, see
Index configuration
.
Table 112. db.index.fulltext.default_analyzer
Description
The
eventually consistent
mode of the full-text indexes works by queueing up index updates to be applied later in a background thread. This newBuilder sets an upper bound on how many index updates are allowed to be in this queue at any one point in time. When it is reached, the commit process will slow down and wait for the index update applier thread to make some more room in the queue.
Valid values
an integer which is in the range
1
to
50000000
Default value
10000
Neo4j has two different configuration files for logging, one for the
neo4j.log
, which contains general information about Neo4j, and one configuration file for all other types of logging via Log4j 2 (except
gc.log
which is handled by the Java Virtual Machine(JVM).
For more information, see
Logging
.
Dynamic
Table 118. db.logs.query.annotation_data_as_json_enabled
Description
Log the annotation data as JSON strings instead of a Cypher map. This configuration has an effect only when the query log is in JSON format.
If
true
, it collapses the nested JSON objects in the query logger.
Valid values
a boolean
Default value
false
log queries at the end of execution, that take longer than the configured threshold,
db.logs.query.threshold
.
VERBOSE
log queries at the start and end of execution, regardless of
db.logs.query.threshold
.
Description
Obfuscates all literals of the query before writing to the log. Note that node labels, relationship types and map property keys are still shown. Changing the setting will not affect queries that are cached. So, if you want the switch to have an immediate effect, you must also call
CALL db.clearQueryCaches()
.
Valid values
a boolean
Default value
false
Description
Log the start and end of a transaction. Valid values are 'OFF', 'INFO', or 'VERBOSE'.
OFF: no logging.
INFO: log the start and end of transactions that take longer than the configured threshold,
db.logs.query.transaction.threshold
.
VERBOSE: log the start and end of all transactions.
Log entries are written to the query log.
Valid values
one of [OFF, INFO, VERBOSE]
Default value
Memory settings control how much memory is allocated to Neo4j and how it is used.
It is recommended to perform a certain amount of testing and tuning of these settings to figure out the optimal division of the available memory.
For more information on how to tune these settings, see
Memory configuration
,
Disks, RAM and other tips
, and
Tuning of the garbage collector
.
Table 136. db.memory.pagecache.warmup.enable
Description
Page cache can be configured to perform usage sampling of loaded pages that can be used to construct active load profile. According to that profile pages can be reloaded on the restart, replication, etc. This setting allows disabling that behavior.
This feature is available in Neo4j Enterprise Edition.
Valid values
a boolean
Default value
Description
The number of cached Cypher query execution plans per database. The max number of query plans that can be kept in cache is the
number of databases
*
server.db.query_cache_size
. With 10 databases and
server.db.query_cache_size
=1000, the caches can keep 10000 plans in total on the instance, assuming that each DB receives queries that fill up its cache.
Valid values
an integer which is minimum
0
Default value
Replaced by
server.memory.query_cache.per_db_cache_num_entries
Description
Defines the size of the off-heap memory blocks cache. The cache will contain this number of blocks for each block size that is power of two. Thus, maximum amount of memory used by blocks cache can be calculated as 2 *
server.memory.off_heap.max_cacheable_block_size
*
server.memory.off_heap.block_cache_size
Valid values
an integer which is minimum
16
Default value
Description
Page cache can be configured to use a temporal buffer for flushing purposes. It is used to combine, if possible, sequence of several cache pages into one bigger buffer to minimize the number of individual IOPS performed and better utilization of available I/O resources, especially when those are restricted.
Valid values
a boolean
Default value
false
Description
Page cache can be configured to use a temporal buffer for flushing purposes. It is used to combine, if possible, sequence of several cache pages into one bigger buffer to minimize the number of individual IOPS performed and better utilization of available I/O resources, especially when those are restricted. Use this setting to configure individual file flush the buffer size in pages (8KiB). To be able to utilize this buffer during page cache flushing, buffered flush should be enabled.
Valid values
an integer which is in the range
1
to
512
Default value
Description
The amount of memory to use for mapping the store files. If Neo4j is running on a dedicated server, then it is generally recommended to leave about 2-4 gigabytes for the operating system, give the JVM enough heap to hold all your transaction state and query context, and then leave the rest for the page cache. If no page cache memory is configured, then a heuristic setting is computed based on available system resources.
Valid values
a byte size (valid multipliers are
B
,
KiB
,
KB
,
K
,
kB
,
kb
,
k
,
MiB
,
MB
,
M
,
mB
,
mb
,
m
,
GiB
,
GB
,
G
,
gB
,
gb
,
g
,
TiB
,
TB
,
PiB
,
PB
,
EiB
,
EB
)
Default value
By default the size of page cache will be 50% och available RAM minus the max heap size.The size of the page cache will also not be larger than 70x the max heap size (due to some overhead of the page cache in the heap.
Enable sharing cache space between different databases.
With this option turned on, databases will share cache space, but not cache entries.
This means that a database may store and retrieve entries from the shared cache, but it may not retrieve entries produced by another database.
The database may, however, evict entries from other databases as necessary, according to the constrained cache size and cache eviction policy.
In essence, databases may compete for cache space, but may not observe each other’s entries.
When this option is turned on, the cache space available to all databases is configured with
server.memory.query_cache.shared_cache_num_entries
.
With this option turned off, the cache space available to each individual database is configured with
server.memory.query_cache.per_db_cache_num_entries
.
Valid values
a boolean
Default value
false
The number of cached queries for all databases.
The maximum number of queries that can be kept in a cache is exactly
server.memory.query_cache.shared_cache_num_entries
.
This setting is only deciding cache size when
server.memory.query_cache.sharing_enabled
is set to
true
.
Valid values
a integer
Default value
The number of cached queries per database.
The maximum number of queries that can be kept in a cache is
number of databases
*
server.memory.query_cache.per_db_cache_num_entries
.
With 10 databases and
server.memory.query_cache.per_db_cache_num_entries
=1000, the cache can keep 10000 plans in total.
This setting is only deciding cache size when
server.memory.query_cache.sharing_enabled
is set to
false
.
Valid values
a integer
Default value
The metrics settings control whether Neo4j will log metrics, what metrics to log, how to log them, and how to expose them.
For better understanding of the metrics settings and how to configure them, see
Metrics
.
Enterprise Edition
Table 159. server.metrics.csv.enabled
Default value
*bolt.connections*,*bolt.messages_received*,*bolt.messages_started*,*dbms.pool.bolt.free,*dbms.pool.bolt.total_size,*dbms.pool.bolt.total_used,*dbms.pool.bolt.used_heap,*cluster.core.is_leader,*cluster.core.last_leader_message,*cluster.core.replication_attempt,*cluster.core.replication_fail,*cluster.core.last_applied,*cluster.core.last_appended,*check_point.duration,*check_point.total_time,*cypher.replan_events,*ids_in_use*,*pool.transaction.*.total_used,*pool.transaction.*.used_heap,*pool.transaction.*.used_native,*store.size*,*transaction.active_read,*transaction.active_write,*transaction.committed*,*transaction.last_committed_tx_id,*transaction.peak_concurrent,*transaction.rollbacks*,*page_cache.hit*,*page_cache.page_faults,*page_cache.usage_ratio,*vm.file.descriptors.count,*vm.gc.time.*,*vm.heap.used,*vm.memory.buffer.direct.used,*vm.memory.pool.g1_eden_space,*vm.memory.pool.g1_old_gen,*vm.pause_time,*vm.thread*,*db.query.execution*
The Kubernetes settings are used to configure a cluster running on
Kubernetes
, where each server is running as a Kubernetes service.
The addresses of the other servers can be obtained using the List Service API, as described in the
Kubernetes API documentation
.
For more information, see
Discovery in Kubernetes
.
Kubernetes settings
Enterprise Edition
Table 180. dbms.kubernetes.address
The security settings are used to configure the security of your Neo4j deployment.
Refer to the
Security
section for thorough information on security in Neo4j.
Table 187. dbms.security.allow_csv_import_from_file_urls
Description
The time to live (TTL) for cached authentication and authorization info when using external auth providers (LDAP or plugin). Setting the TTL to 0 will disable auth caching. Disabling caching while using the LDAP auth provider requires the use of an LDAP system account for resolving authorization information.
Valid values
a duration (Valid units are:
ns
,
μs
,
ms
,
s
,
m
,
h
and
d
; default unit is
s
)
Default value
Description
The amount of time user account should be locked after a configured number of unsuccessful authentication attempts. The locked out user will not be able to log in until the lock period expires, even if correct credentials are provided. Setting this configuration option to a low value is not recommended because it might make it easier for an attacker to brute force the password.
Valid values
a duration (Valid units are:
ns
,
μs
,
ms
,
s
,
m
,
h
and
d
; default unit is
s
) which is minimum
0s
Default value
Description
The maximum number of unsuccessful authentication attempts before imposing a user lock for the configured amount of time, as defined by
dbms.security.auth_lock_time
.The locked out user will not be able to log in until the lock period expires, even if correct credentials are provided. Setting this configuration option to values less than 3 is not recommended because it might make it easier for an attacker to brute force the password.
Valid values
an integer which is minimum
0
Default value
Description
A list of security authentication providers containing the users and roles. This can be any of the built-in
native
or
ldap
providers, or it can be an externally provided plugin, with a custom name prefixed by
plugin-
, i.e.
plugin-<AUTH_PROVIDER_NAME>
. They will be queried in the given order when login is attempted.
Valid values
a ',' separated list with elements of type 'a string'.
Default value
native
Description
A list of security authorization providers containing the users and roles. This can be any of the built-in
native
or
ldap
providers, or it can be an externally provided plugin, with a custom name prefixed by
plugin-
, i.e.
plugin-<AUTH_PROVIDER_NAME>
. They will be queried in the given order when login is attempted.
Valid values
a ',' separated list with elements of type 'a string'.
Default value
native
Description
Value of the HTTP Strict-Transport-Security (HSTS) response header. This header tells browsers that a webpage should only be accessed using HTTPS instead of HTTP. It is attached to every HTTPS response. Setting is not set by default so 'Strict-Transport-Security' header is not sent. Value is expected to contain directives like 'max-age', 'includeSubDomains' and 'preload'.
Valid values
a string
Default value
Description
Determines if the result of authentication via the LDAP server should be cached or not. Caching is used to limit the number of LDAP requests that have to be made over the network for users that have already been authenticated successfully. A user can be authenticated against an existing cache entry (instead of via an LDAP server) as long as it is alive (see
dbms.security.auth_cache_ttl
).
An important consequence of setting this to
true
is that Neo4j then needs to cache a hashed version of the credentials in order to perform credentials matching. This hashing is done using a cryptographic hash function together with a random salt. Preferably a conscious decision should be made if this method is considered acceptable by the security standards of the organization in which this Neo4j instance is deployed.
Valid values
a boolean
Default value
Description
LDAP user DN template. An LDAP object is referenced by its distinguished name (DN), and a user DN is an LDAP fully-qualified unique user identifier. This setting is used to generate an LDAP DN that conforms with the LDAP directory’s schema from the user principal that is submitted with the authentication token when logging in. The special token {0} is a placeholder where the user principal will be substituted into the DN string.
Valid values
a string which Must be a string containing '{0}' to understand where to insert the runtime authentication principal.
Default value
uid={0},ou=users,dc=example,dc=com
Description
The LDAP group to which a user must belong to get any access to the system.Set this to restrict access to a subset of LDAP users belonging to a particular group. If this is not set, any user to successfully authenticate via LDAP will have access to the PUBLIC role and any other roles assigned to them via
dbms.security.ldap.authorization.group_to_role_mapping
.
Valid values
a string
Default value
Description
An authorization mapping from LDAP group names to Neo4j role names. The map should be formatted as a semicolon separated list of key-value pairs, where the key is the LDAP group name and the value is a comma separated list of corresponding role names. For example: group1=role1;group2=role2;group3=role3,role4,role5
You could also use whitespaces and quotes around group names to make this mapping more readable, for example:
`dbms.security.ldap.authorization.group_to_role_mapping`=\
"cn=Neo4j Read Only,cn=users,dc=example,dc=com" = reader; \
"cn=Neo4j Read-Write,cn=users,dc=example,dc=com" = publisher; \
"cn=Neo4j Schema Manager,cn=users,dc=example,dc=com" = architect; \
"cn=Neo4j Administrator,cn=users,dc=example,dc=com" = admin
Description
This setting determines whether multiple LDAP search results will be processed (as is required for the lookup of nested groups). If set to
true
then instead of using attributes on the user object to determine group membership (as specified by
dbms.security.ldap.authorization.group_membership_attributes
), the
user
object will only be used to determine the user’s Distinguished Name, which will subsequently be used with
dbms.security.ldap.authorization.user_search_filter
in order to perform a nested group search. The Distinguished Names of the resultant group search results will be used to determine roles.
Valid values
a boolean
Default value
false
Description
The search template which will be used to find the nested groups which the user is a member of. The filter should contain the placeholder token
{0}
which will be substituted with the user’s Distinguished Name (which is found for the specified user principle using
dbms.security.ldap.authorization.user_search_filter
). The default value specifies Active Directory’s LDAP_MATCHING_RULE_IN_CHAIN (aka 1.2.840.113556.1.4.1941) implementation which will walk the ancestry of group membership for the specified user.
Valid values
a string
Default value
(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))
Description
Perform LDAP search for authorization info using a system account instead of the user’s own account.
If this is set to
false
(default), the search for group membership will be performed directly after authentication using the LDAP context bound with the user’s own account. The mapped roles will be cached for the duration of
dbms.security.auth_cache_ttl
, and then expire, requiring re-authentication. To avoid frequently having to re-authenticate sessions you may want to set a relatively long auth cache expiration time together with this option. NOTE: This option will only work if the users are permitted to search for their own group membership attributes in the directory.
If this is set to
true
, the search will be performed using a special system account user with read access to all the users in the directory. You need to specify the username and password using the settings
dbms.security.ldap.authorization.system_username
and
dbms.security.ldap.authorization.system_password
with this option. Note that this account only needs read access to the relevant parts of the LDAP directory and does not need to have access rights to Neo4j, or any other systems.
Valid values
a boolean
Default value
false
Description
URL of LDAP server to use for authentication and authorization. The format of the setting is
<protocol>://<hostname>:<port>
, where hostname is the only required field. The supported values for protocol are
ldap
(default) and
ldaps
. The default port for
ldap
is 389 and for
ldaps
636. For example:
ldaps://ldap.example.com:10389
.
You may want to consider using STARTTLS (
dbms.security.ldap.use_starttls
) instead of LDAPS for secure connections, in which case the correct protocol is
ldap
.
Valid values
a string
Default value
localhost
Enterprise Edition
Dynamic
Table 230. dbms.security.oidc.<provider>.authorization.group_to_role_mapping
Description
An authorization mapping from IdP group names to Neo4j role names. The map should be formatted as a semicolon separated list of key-value pairs, where the key is the IdP group name and the value is a comma separated list of corresponding role names. For example: group1=role1;group2=role2;group3=role3,role4,role5
You could also use whitespaces and quotes around group names to make this mapping more readable, for example:
dbms.security.oidc.<provider>.authorization.group_to_role_mapping=\
"Neo4j Read Only" = reader; \
"Neo4j Read-Write" = publisher; \
"Neo4j Schema Manager" = architect; \
"Neo4j Administrator" = admin
principal
: in which JWT claim the user’s email address is specified, email is the default. This is the value that will be shown in browser.
code_challenge_method
: default is
S256
and it’s the only supported method at this moment. This setting applies only for pkce auth flow
token_type_principal
: the options are almost always either
access_token
, which is the default, or
id_token
.
token_type_authentication
: the options are almost always either
access_token
, which is the default, or
id_token
.
implicit_flow_requires_nonce
: true or false. Defaults to false.
Description
When set to
true
, it logs the claims from the JWT. This will only take effect when the security log level is set to
DEBUG
.
WARNING: It is strongly advised that this is set to
false
when running in a production environment in order to prevent logging of sensitive information. Also note that the contents of the JWT claims set can change over time because they are dependent entirely upon the ID provider.
Valid values
a boolean
Default value
false
Description
The map is a semicolon separated list of key-value pairs. For example:
k1=v1;k2=v2
.
The user should at least provide:
client_id: the SSO Idp client idenfifier.
response_type: code if auth_flow is pkce or token for implicit auth_flow.
scope: often containing a subset of 'email profile openid groups'.
For example:
client_id=my-client-id;response_type=code;scope=openid profile email
.
Valid values
A simple key-value map pattern
k1=v1;k2=v2
. Required key options are:
[scope, client_id, response_type]
.
Default value
The server directories settings can be used to change the default locations of your Neo4j files.
For more information, see
Default file locations
.
Enterprise Edition
Table 249. server.directories.cluster_state
Description
Sets the root directory for file URLs used with the Cypher
LOAD CSV
clause. This should be set to a directory relative to the Neo4j installation path, restricting access to only those files within that directory and its subdirectories. For example the value "import" will only enable access to files within the 'import' folder. Removing this setting will disable the security feature, allowing all files in the local system to be imported. Setting this to an empty field will allow access to all files within the Neo4j installation folder.
Valid values
a path. If relative it is resolved from server.directories.neo4j_home
Default value
Server settings apply only to the specific server and can be varied between configuration files across a cluster/DBMS.
Enterprise Edition
Table 262. server.backup.enabled
Valid values
a ',' separated set with elements of type 'A valid database name containing only alphabetic characters, numbers, dots and dashes with a length between 3 and 63 characters, starting with an alphabetic character but not with the name 'system''. which Value 'system' can’t be included in read-only databases collection!
Default value
Description
Number of Neo4j worker threads. This setting is only valid for REST and does not influence bolt-server. It sets the number of worker threads for the Jetty server used by neo4j-server. This option can be tuned when you plan to execute multiple, concurrent REST requests, to get more throughput from the database. Your OS might enforce a lower limit than the maximum value specified here.
Valid values
an integer, which is in the range
1
to
44738
Default value
Number of available processors, or 500 for machines that have more than 500 processors.
The transaction settings helps you manage the transactions in your database, for example, the transaction timeout, the lock acquisition timeout, the maximum number of concurrently running transactions, etc.
For more information, see
Manage transactions
and
Locks and deadlocks
.
Dynamic
Table 276. db.lock.acquisition.timeout
Transaction logs keep the list of transactions that have not yet been applied to the store files.
This is necessary for recovery.
The following settings configure the number of transaction logs left after a pruning operation and the size of the transaction log files.
See also
Checkpoint settings
.
Table 284. db.recovery.fail_on_missing_files
Default value
By default, the size of the byte buffer is based on the number of available CPU’s with a minimal buffer size of 512KB. Every other 4 CPU’s will add another 512KB into the buffer size. The maximal buffer size in this default scheme is 4MB taking into account that you can have one transaction log writer per database in multi-database env. For example, runtime with 4 CPUs will have the buffer size of 1MB; runtime with 8 CPUs will have the buffer size of 1MB 512KB; runtime with 12 CPUs will have the buffer size of 2MB.
Valid values
a string which matches the pattern,
^(true|keep_all|false|keep_none|(\\d+[KkMmGg]?( (files|size|txs|entries|hours( \\d+[KkMmGg]?)?|days( \\d+[KkMmGg]?)?))))$
Must be
true
or
keep_all
,
false
or
keep_none
, or of format
<number><optional unit> <type> <optional space restriction>
.
Valid units are
K
,
M
, and
G
.
Valid types are
files
,
size
,
txs
,
entries
,
hours
, and
days
.
Valid optional space restriction is a logical log space restriction like
100M
.
For example,
100M size
will limit logical log space on the disk to 100MB per database, and
200K txs
will limit the number of transactions kept to 200 000 per database.
An example of a valid logical log space limit that is period-based but also includes a maximum size restriction is
7days 100M
.
Default value
2 days
Join us for the biggest graph community conference dedicated to learning how to integrate graph technologies into ML and dev projects.
Save your spot
©
Neo4j, Inc.
Terms
|
Privacy
|
Sitemap
Neo4j
®
, Neo Technology
®
, Cypher
®
, Neo4j
®
Bloom
™
and
Neo4j
®
Aura
™
are registered trademarks
of Neo4j, Inc. All other marks are owned by their respective companies.
US: 1-855-636-4532
Sweden +46 171 480 113
UK: +44 20 3868 3223
France: +33 (0) 1 88 46 13 20