Hi Jake,

Thanks for your reply.

Sorry if my previous email was misleading, but I don't absolutely need
key-based authentication; that just turned out to be what I first
thought of. I was trying to figure out what authentication methods were
supported so that I can evaluate. HTTPS + basic auth with strong passwords
do sound good to me at this moment. However, at this moment, instead of
using authentication, I ended up configuring security rules on my neo4j
server to only take connections from my app server, so I temporarily don't
have a problem in the near future. But it's good to know about the
authentication extension.

By the way, do you have any data about the performance impact of using the
authentication extension to do basic auth + HTTPS compared to talking to
neo4j without authentication (both through REST)? If you have such data,
please let me know. That would be very helpful information.

Thanks,
Nuo



On Tue, Sep 27, 2011 at 6:10 AM, Jacob Hansson <[email protected]> wrote:

> As far as I know, the auth plugin currently only supports HTTP BASIC
> authentication. But it would be interesting to expand it to allow other
> authentication methods, for instance by allowing pluggable authentication
> providers.
>
> So if I understand your question correctly, yes, it does support
> authentication beyond just limiting access by IP, but it does not support
> authentication using keys or certificates.
>
> Out of curiosity, what is the driver behind needing key-based
> authentication? The combination of HTTP BASIC, strong passwords and HTTPS
> seems like it would supply quite strong security, no?
>
> /Jake
>
> On Wed, Sep 21, 2011 at 9:16 PM, Nuo Yan <[email protected]> wrote:
>
> > Limiting access to certain URIs or IPs is great, but ideally at this
> > moment I also need something like a key-based authentication so I can
> > send a private key in the headers from my restclient and neo4j would
> > authenticate and only take authenticated requests. Does the
> > authentication extension support key-based authentication? If not, what
> > forms of authentication does it currently support (user/password,
> > token-based, shared-secret)?
> >
> > Thanks,
> > Nuo
> >
> > On Wed, Sep 21, 2011 at 11:24 AM, Peter Neubauer <[email protected]> wrote:
> >
> > > Nuo,
> > > Thomas Baum has been working on an authentication extension for Neo4j
> > > Server, see https://github.com/neo4j/authentication-extension. He
> > > could help you set it up and test it - it's used in hosting scenarios
> > > and should do what you want in terms of limiting access to certain
> > > URIs if that is what you want?
> > >
> > > Cheers,
> > >
> > > /peter neubauer
> > >
> > > GTalk:      neubauer.peter
> > > Skype       peter.neubauer
> > > Phone       +46 704 106975
> > > LinkedIn   http://www.linkedin.com/in/neubauer
> > > Twitter      http://twitter.com/peterneubauer
> > >
> > > http://www.neo4j.org               - Your high performance graph database.
> > > http://startupbootcamp.org/    - Öresund - Innovation happens HERE.
> > > http://www.thoughtmade.com - Scandinavia's coolest Bring-a-Thing party.
> > >
> > >
> > >
> > > On Wed, Sep 21, 2011 at 6:14 PM, Nuo Yan <[email protected]> wrote:
> > > > For my scenario, I currently only use the LB for request
> > > > authentication, so that not everyone on the network can access the
> > > > neo4j server. In my use case, I think making the base uri
> > > > configurable (including the protocol, e.g. https://foobar.com/) is
> > > > enough.
> > > >
> > > > There are a couple other approaches that may also solve my problem.
> > > > For example, having a configurable option to make the REST APIs
> > > > return only relative paths in the result. Or, if neo4j could have a
> > > > built-in request authentication mechanism for the REST interface, I
> > > > may be able to get rid of the lb completely.
> > > >
> > > >
> > > > On Wed, Sep 21, 2011 at 7:04 AM, Peter Neubauer <[email protected]> wrote:
> > > >
> > > >> Nuo,
> > > >> right now the server is discovering its own IP upon startup.
> > > >> However, it sounds reasonable to return configurable base URL. I am
> > > >> just wondering if that really is enough to support a LB scenario?
> > > >> Do you need more stuff there?
> > > >>
> > > >> Cheers,
> > > >>
> > > >> /peter neubauer
> > > >>
> > > >>
> > > >> On Tue, Sep 20, 2011 at 6:57 PM, Nuo Yan <[email protected]> wrote:
> > > >> > I access my neo4j server through the REST API. For security
> > > >> > purposes, I put the neo4j server behind a nginx lb. I'm wondering
> > > >> > if there is a config entry somewhere that I can set the neo4j
> > > >> > server to return a customized base uri that I can set to my LB's
> > > >> > uri.
> > > >> >
> > > >> > For example, currently creating a node by POSTing to the lb (say
> > > >> > https://10.0.0.1/db/data) returns
> > > >> >
> > > >> > {
> > > >> >  "outgoing_relationships" : "http://neo4j/db/data/node/160/relationships/out",
> > > >> >  "data" : {
> > > >> >  },
> > > >> >  "traverse" : "http://neo4j/db/data/node/160/traverse/{returnType}",
> > > >> >  "all_typed_relationships" : "http://neo4j/db/data/node/160/relationships/all/{-list|&|types}",
> > > >> >  "property" : "http://neo4j/db/data/node/160/properties/{key}",
> > > >> >  "self" : "http://neo4j/db/data/node/160",
> > > >> >  "properties" : "http://neo4j/db/data/node/160/properties",
> > > >> >  "outgoing_typed_relationships" : "http://neo4j/db/data/node/160/relationships/out/{-list|&|types}",
> > > >> >  "incoming_relationships" : "http://neo4j/db/data/node/160/relationships/in",
> > > >> >  "extensions" : {
> > > >> >  },
> > > >> >  "create_relationship" : "http://neo4j/db/data/node/160/relationships",
> > > >> >  "paged_traverse" : "http://neo4j/db/data/node/160/paged/traverse/{returnType}{?pageSize,leaseTime}",
> > > >> >  "all_relationships" : "http://neo4j/db/data/node/160/relationships/all",
> > > >> >  "incoming_typed_relationships" : "http://neo4j/db/data/node/160/relationships/in/{-list|&|types}"
> > > >> >
> > > >> >
> > > >> > Is there a config on the neo4j server that I can set to make it
> > > >> > either return the lb URI "https://10.0.0.1" as the base uri or
> > > >> > return relative path in the result?
> > > >> > _______________________________________________
> > > >> > Neo4j mailing list
> > > >> > [email protected]
> > > >> > https://lists.neo4j.org/mailman/listinfo/user
> > > >> >
> >
>
>
>
> --
> Jacob Hansson
> Phone: +46 (0) 763503395
> Twitter: @jakewins
>

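Added example (not code from the thread, from Neo4j or from the authentication extension): one client-side way to handle the base-URI problem raised at the start of this thread, by rewriting the internal `http://neo4j` origin in a REST response to the load balancer's `https://10.0.0.1` so that follow-up requests keep going through the LB over HTTPS. The function names, the `homepage` property, the `hypothetical_plugin` key and the `neo4j.example.net` host are constructed for illustration.

```python
from urllib.parse import urlsplit

INTERNAL_BASE = "http://neo4j"      # origin the server advertises in the thread's sample response
PUBLIC_BASE = "https://10.0.0.1"    # load balancer URI used in the thread

def _origin(url):
    """(scheme, host[:port]) in lower case, or None if the string does not parse as a URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    return parts.scheme.lower(), parts.netloc.lower()

def rewrite_url(value, internal=INTERNAL_BASE, public=PUBLIC_BASE):
    """Swap the internal origin for the public one; return any other value unchanged."""
    if not isinstance(value, str) or _origin(value) != _origin(internal):
        return value
    parts = urlsplit(value)
    prefix_len = len(parts.scheme) + len("://") + len(parts.netloc)
    return public.rstrip("/") + value[prefix_len:]   # URI templates like {key} pass through

def rewrite_response(obj):
    """Rewrite link fields recursively. A "data" member holds the node's own
    properties (user data, not links), so it is copied through untouched."""
    if isinstance(obj, dict):
        return {k: v if k == "data" else rewrite_response(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [rewrite_response(v) for v in obj]
    return rewrite_url(obj)

def internal_links(obj, internal=INTERNAL_BASE):
    """Link values that still point at the internal origin (a post-rewrite check)."""
    if isinstance(obj, dict):
        return [u for k, v in obj.items() if k != "data" for u in internal_links(v, internal)]
    if isinstance(obj, list):
        return [u for v in obj for u in internal_links(v, internal)]
    return [obj] if isinstance(obj, str) and _origin(obj) == _origin(internal) else []

# Constructed sample: three fields from the response quoted in the thread, plus a
# "data" property and a look-alike host (hypothetical) to exercise the edge cases.
SAMPLE = {
    "self": "http://neo4j/db/data/node/160",
    "property": "http://neo4j/db/data/node/160/properties/{key}",
    "paged_traverse": "http://neo4j/db/data/node/160/paged/traverse/{returnType}{?pageSize,leaseTime}",
    "data": {"homepage": "http://neo4j/about"},
    "extensions": {"hypothetical_plugin": "http://neo4j.example.net/db/data/ext"},
}

if __name__ == "__main__":
    fixed = rewrite_response(SAMPLE)
    print(fixed["self"], internal_links(fixed))
```

Matching on the parsed origin rather than on a string prefix is what keeps `http://neo4j.example.net` from being rewritten, and an empty `internal_links()` result after rewriting confirms the client will not follow a plain-HTTP link that bypasses the load balancer.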