Merge 5.6 PRs to 5.x

antora.yml

@@ -7,5 +7,5 @@ nav:
 asciidoc:
   attributes:
     neo4j-version: '5'
-    neo4j-version-minor: '5.5'
-    neo4j-version-exact: '5.5.0'
+    neo4j-version-minor: '5.6'
+    neo4j-version-exact: '5.6.0'

modules/ROOT/content-nav.adoc

@@ -6,6 +6,7 @@
 ** xref:introduction/transactions.adoc[]
 ** xref:introduction/uniqueness.adoc[]
 ** xref:introduction/clause_composition.adoc[]
+** xref:introduction/aura.adoc[]
 
 * xref:syntax/index.adoc[]
 ** xref:syntax/values.adoc[]
@@ -46,6 +47,7 @@
 ** xref:clauses/load-csv.adoc[]
 ** xref:clauses/listing-functions.adoc[]
 ** xref:clauses/listing-procedures.adoc[]
+** xref:clauses/listing-settings.adoc[]
 ** xref:clauses/transaction-clauses.adoc#query-listing-transactions[SHOW TRANSACTIONS]
 ** xref:clauses/transaction-clauses.adoc#query-terminate-transactions[TERMINATE TRANSACTIONS]
 

modules/ROOT/pages/access-control/dbms-administration.adoc

@@ -55,6 +55,8 @@ CREATE ROLE globbing4 IF NOT EXISTS;
 CREATE ROLE globbing5 IF NOT EXISTS;
 CREATE ROLE globbing6 IF NOT EXISTS;
 CREATE ROLE dbmsManager IF NOT EXISTS;
+CREATE ROLE configurationViewer IF NOT EXISTS;
+CREATE ROLE deniedConfigurationViewer IF NOT EXISTS;
 ----
 ////
 
@@ -1953,82 +1955,88 @@ a|Rows: 2
 |===
 ======
 
-[[access-control-name-globbing]]
-=== Procedure and user-defined function name-globbing
 
-The name-globbing for procedure and user defined function names is a simplified version of globbing for filename expansions.
-It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single character matches.
-In this case, `+*+` means 0 or more characters and `?` matches exactly one character.
+[[access-control-dbms-administration-setting]]
+== The DBMS `SETTING` privileges
+
+The ability to show configuration settings can be granted via the `SHOW SETTING` privilege.
+A role with this privilege is allowed to query the configuration settings matched by the xref::access-control/dbms-administration.adoc#access-control-name-globbing[name-globbing].
+
 
 [NOTE]
 ====
-The name-globbing is subject to the xref::syntax/naming.adoc[standard Cypher restrictions on valid identifiers],
-with the exception that it may include dots, stars, and question marks without the need for escaping using backticks.
-
-Each part of the name-globbing separated by dots may be individually escaped, for example, `++mine.`procedureWith%`++` but not `++mine.procedure`With%`++`.
-It is also good to keep in mind that wildcard characters behave as wildcards even when escaped.
-As an example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`.
+The syntax descriptions use xref:access-control/index.adoc#access-control-syntax[the style] from access control.
 ====
 
-The examples below only use procedures, but the same rules apply to user defined function names:
-
-* `mine.public.exampleProcedure`
-* `mine.public.exampleProcedure1`
-* `mine.public.exampleProcedure2`
-* `mine.public.with#Special§Characters`
-* `mine.private.exampleProcedure`
-* `mine.private.exampleProcedure1`
-* `mine.private.exampleProcedure2`
-* `mine.private.with#Special§Characters`
-* `your.exampleProcedure`
+.Setting privileges command syntax
+[options="header", width="100%", cols="3a,2"]
+|===
+| Command
+| Description
 
-[source, cypher, role=noplay]
-----
-GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1
-----
+| [source, syntax, role=noheader]
+GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...]
+  ON DBMS
+  TO role[, ...]
+| Enables the specified roles to query given configuration settings.
+|===
 
-Users with the role `globbing1` can thus run all the procedures.
+The following query shows an example of how to grant this privilege:
 
 [source, cypher, role=noplay]
 ----
-GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2
+GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer
 ----
 
-Users with the role `globbing2` can thus run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but none of the others.
+Users with the role `configurationViewer` can then query any setting in the `server.bolt` namespace.
+
+The updated role `configurationViewer` has privileges that only allow querying settings in the `server.bolt` namespace.
+List all privileges for the role `configurationViewer` as commands by using the following query:
 
 [source, cypher, role=noplay]
 ----
-GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3
+SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS
 ----
 
-Users with the role `globbing3` can thus run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1` and `mine.private.exampleProcedure2`, but none of the others.
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`"
+a|Rows: 1
+|===
+
+To deny a specific setting from a role, first grant `SHOW SETTINGS *`, and then deny the unwanted setting.
+For example, the following queries allow the querying of all settings, except those starting with `dbms.security`:
 
 [source, cypher, role=noplay]
 ----
-GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4
+GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer
 ----
 
-Users with the role `globbing4` can thus run procedures `your.exampleProcedure`, `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but none of the others.
-
 [source, cypher, role=noplay]
 ----
-GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5
+DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer
 ----
 
-Users with the role `globbing5` can thus run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but none of the others.
+The resulting role has privileges that allow querying all settings except those starting with `dbms.security`.
+List all privileges for the role `deniedConfigurationViewer` as commands by using the following query:
 
 [source, cypher, role=noplay]
 ----
-GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6
+SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS
 ----
 
-Users with the role `globbing6` can thus run procedures `mine.public.with#Special§Characters` and `mine.private.with#Special§Characters`, but none of the others.
+.Result
+[options="header,footer", width="100%", cols="m"]
+|===
+|command
+|"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`"
+|"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`"
+a|Rows: 2
+|===
 
-[NOTE]
-====
-The name-globbing may be fully or partially escaped.
-Both `+*+` and `+?+` are interpreted as wildcards either way.
-====
+As the query result shows, access to any setting starting with `dbms.security` are blocked, but the rest can still be queried.
 
 
 [[access-control-dbms-administration-all]]
@@ -2043,6 +2051,7 @@ The right to perform the following privileges can be achieved with a single comm
 * Show, assign, and remove privileges.
 * Execute all procedures with elevated privileges.
 * Execute all user defined functions with elevated privileges.
+* Show all configuration settings.
 
 [NOTE]
 ====
@@ -2077,3 +2086,85 @@ SHOW ROLE dbmsManager PRIVILEGES AS COMMANDS
 |"GRANT ALL DBMS PRIVILEGES ON DBMS TO `dbmsManager`"
 a|Rows: 1
 |===
+
+[[access-control-name-globbing]]
+== Name-globbing for procedures, user-defined functions, and settings
+
+The name-globbing for procedure, user defined function, and setting names is a simplified version of globbing for filename expansions.
+It only allows two wildcard characters: `+*+` and `?`, which are used for multiple and single character matches.
+In this case, `+*+` means 0 or more characters and `?` matches exactly one character.
+
+[NOTE]
+====
+The name-globbing is subject to the xref::syntax/naming.adoc[standard Cypher restrictions on valid identifiers],
+with the exception that it may include dots, stars, and question marks without the need for escaping using backticks.
+
+Each part of the name-globbing separated by dots may be individually escaped.
+For example, `++mine.`procedureWith%`++` is allowed, but not `++mine.procedure`With%`++`.
+Also, note that wildcard characters behave as wildcards even when escaped.
+For example, using `++`*`++` is equivalent to using `+*+`, and thus allows executing all functions or procedures and not only the procedure or function named `+*+`.
+====
+
+Given the following list of procedures:
+
+* `mine.public.exampleProcedure`
+* `mine.public.exampleProcedure1`
+* `mine.public.exampleProcedure2`
+* `mine.public.with#Special§Characters`
+* `mine.private.exampleProcedure`
+* `mine.private.exampleProcedure1`
+* `mine.private.exampleProcedure2`
+* `mine.private.with#Special§Characters`
+* `your.exampleProcedure`
+
+The following examples demonstrate how name-globbing patterns can be used in controlling access to procedures.
+Note that the same rules apply to user-defined functions and settings.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE * ON DBMS TO globbing1
+----
+
+Users with the role `globbing1` can run all the procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE mine.*.exampleProcedure ON DBMS TO globbing2
+----
+
+Users with the role `globbing2` can run procedures `mine.public.exampleProcedure` and `mine.private.exampleProcedure`, but no other procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE mine.*.exampleProcedure? ON DBMS TO globbing3
+----
+
+Users with the role `globbing3` can run procedures `mine.public.exampleProcedure1`, `mine.private.exampleProcedure1`, and `mine.private.exampleProcedure2`, but no other procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE *.exampleProcedure ON DBMS TO globbing4
+----
+
+Users with the role `globbing4` can run procedures `your.exampleProcedure`, `mine.public.exampleProcedure`, and `mine.private.exampleProcedure`, but no other procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE mine.public.exampleProcedure* ON DBMS TO globbing5
+----
+
+Users with the role `globbing5` can run procedures `mine.public.exampleProcedure`, `mine.public.exampleProcedure1` and `mine.public.exampleProcedure42`, but no other procedures.
+
+[source, cypher, role=noplay]
+----
+GRANT EXECUTE PROCEDURE `mine.public.with#*§Characters`, mine.private.`with#Spec???§Characters` ON DBMS TO globbing6
+----
+
+Users with the role `globbing6` can run procedures `mine.public.with#Special§Characters`, and `mine.private.with#Special§Characters`, but no other procedures.
+
+[NOTE]
+====
+The name-globbing may be fully or partially escaped.
+Both `+*+` and `+?+` are interpreted as wildcards in both cases.
+====
+

modules/ROOT/pages/access-control/manage-servers.adoc

@@ -319,6 +319,10 @@ This may not be specified in combination with `deniedDatabases`.
 | list of database names
 | Only databases **not** matching the specified names may be hosted on the server.
 This may not be specified in combination with `allowedDatabases`.
+
+| tags
+| list of server tags
+| List of server tags used during database allocation and for load balancing and routing policies. 
 |===
 
 [NOTE]
@@ -327,6 +331,11 @@ Composite databases are ignored by both `allowedDatabases` and `deniedDatabases`
 The composite databases are available everywhere and hold no data on their own.
 ====
 
+[NOTE]
+====
+When a server is enabled, if `tags` are not provided in `OPTIONS`, the default server tags are taken from the setting `initial.server.tags`.
+====
+
 [role=not-on-aura]
 [[server-management-alter-server]]
 == Modifying servers
@@ -356,6 +365,10 @@ This may not be specified in combination with `deniedDatabases`.
 | list of database names
 | Only databases **not** matching the specified names may be hosted on the server.
 This may not be specified in combination with `allowedDatabases`.
+
+| tags
+| list of server tags
+| List of server tags used during database allocation and for load balancing and routing policies. 
 |===
 
 [NOTE]
@@ -364,6 +377,12 @@ Composite databases are ignored by both `allowedDatabases` and `deniedDatabases`
 The composite databases are available everywhere and hold no data on their own.
 ====
 
+[NOTE]
+====
+Input provided to `SET OPTIONS {...}` replaces **all** existing options, rather than being combined with them.
+For instance, if `SET OPTIONS {modeConstraint:'SECONDARY'}` is run followed by `SET OPTIONS {allowedDatabases:['foo']}`, the second `ALTER` removes the mode constraint.
+====
+
 [[server-management-rename-server]]
 == Renaming servers
 

modules/ROOT/pages/clauses/index.adoc

@@ -32,6 +32,17 @@ m| xref::constraints/syntax.adoc[CREATE \| DROP CONSTRAINT]
 
 |===
 
+[[configuration-commands]]
+== Configuration Commands
+
+[options="header"]
+|===
+| Clause | Description
+
+m| xref:clauses/listing-settings.adoc[SHOW SETTINGS]
+| List configuration settings.
+
+|===
 
 [[importing-clauses]]
 == Importing data
@@ -247,7 +258,6 @@ m| xref:clauses/transaction-clauses.adoc#query-terminate-transactions[TERMINATE
 
 |===
 
-
 [[writing-clauses]]
 == Writing clauses