Add 22ND1 and 22ND2 #412
Merged
renetapopova merged 11 commits into neo4j:dev from l-heemann:cops-301-update-to-notification-cannot-deny-with-auth-rule on Dec 8, 2025
Commits
3581563  Add 22ND1 and 22ND2  (l-heemann)
a626385  Fix copy-paste error  (l-heemann)
fa34db7  Remove changelog updates  (l-heemann)
6c5dcd7  Update sub-condition as it must be unique  (l-heemann)
4ced97f  Remove version labels  (l-heemann)
dee4c01  regenerate the index file  (renetapopova)
ea47ece  Apply suggestions from code review  (l-heemann)
855cbc3  Refer to existing examples instead of repeating them  (l-heemann)
b0474e6  fix the anchors and regenerate the index file  (renetapopova)
72a0cbb  fix the formatting  (renetapopova)
ac74a52  regenerate the index  (renetapopova)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| = 22ND1 | ||
|
|
||
| == Status description | ||
| error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <<query>> }'` is not allowed for roles that are granted to an `AUTH RULE`. | ||
|
|
||
| == Explanation | ||
|
|
||
| If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. | ||
|
|
||
| When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. | ||
| To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule. | ||
|
|
||
| This exception is thrown when attempting to `DENY` a privilege from a role that is already used by an auth rule. | ||
|
|
||
| [[example-scenario-22nd1]] | ||
| == Example scenario | ||
|
|
||
| Given that a role is used by an auth rule: | ||
| [source, cypher] | ||
| ---- | ||
| CYPHER 25 GRANT ROLE role TO AUTH RULE authrule | ||
| ---- | ||
|
|
||
| When attempting to deny privileges from the role: | ||
| [source, cypher] | ||
| ---- | ||
| DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role | ||
| ---- | ||
|
|
||
| The following error will be thrown: | ||
| [source] | ||
| ---- | ||
| error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: 'DENY MATCH {*} ON GRAPH secret-db NODES * TO role' is not allowed for roles that are granted to an AUTH RULE. | ||
| ---- | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| The error message contains a subset of the original query that caused the issue. | ||
| Since `otherrole` is not granted to an auth rule, it is not included. | ||
| ==== | ||
|
|
||
| == Possible solutions | ||
|
|
||
| Consider if it is possible to implement the security model without using denied privileges. | ||
|
||
|
|
||
| For example, you can replace the generic grant from the <<example-scenario-22nd1, Example scenario>> with the following more fine-grained alternative: | ||
| [source, cypher] | ||
| ---- | ||
| GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole | ||
| ---- | ||
|
|
||
|
|
||
| If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied. | ||
|
|
||
| ifndef::backend-pdf[] | ||
| [discrete.glossary] | ||
| == Glossary | ||
|
|
||
| include::partial$glossary.adoc[] | ||
| endif::[] | ||
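Review bot: the "Possible solutions" section says to "replace the generic grant from the <<example-scenario-22nd1, Example scenario>>", but the Example scenario contains no generic grant; it shows only `CYPHER 25 GRANT ROLE role TO AUTH RULE authrule` and `DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role`, so a reader cannot tell what `GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole` is meant to replace. Either add the broad grant that the `DENY` was narrowing to the Example scenario, or reword the sentence to say that the `DENY` on `secret-db` is replaced by granting `MATCH` only on the databases the role should see. Two smaller points: the first "Possible solutions" sentence ("Consider if it is possible to implement the security model without using denied privileges.") is shorter than its 22ND2 counterpart, which adds "for example, by revoking granted privileges or reducing the scope of the grant statements"; the two files should use the same wording. And the rendered error in the `[source]` block drops the backticks around `AUTH RULE` that the status description keeps, while the 22ND2 file keeps backticks inside its `[source]` block; please make both files quote the exact text the server emits. Also worth checking whether `secret-db`, an identifier containing a hyphen, needs backticks in the Cypher examples.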
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| = 22ND2 | ||
|
|
||
| == Status description | ||
| error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'{ <<query>> }'` is not allowed for roles with `DENY` privileges. | ||
|
|
||
| == Explanation | ||
|
||
|
|
||
| If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. | ||
|
|
||
|
|
||
| When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. | ||
| To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule. | ||
|
|
||
| This exception is thrown when attempting to grant a role to an auth rule when the role has denied privileges. | ||
|
|
||
|
||
| [[example-scenario-22nd2]] | ||
| == Example scenario | ||
|
|
||
| Given that a role has denied privileges: | ||
|
||
| [source, cypher] | ||
| ---- | ||
| DENY MATCH {*} ON GRAPH secret-db NODES * TO role | ||
| ---- | ||
|
|
||
| When attempting to assign the role to an auth rule: | ||
| [source, cypher] | ||
| ---- | ||
| CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule | ||
| ---- | ||
|
|
||
| The following error will be thrown: | ||
| [source] | ||
| ---- | ||
| error: data exception - operation not allowed for roles with DENY privileges. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with `DENY` privileges. | ||
| ---- | ||
|
|
||
| [NOTE] | ||
| ==== | ||
| The error message contains a subset of the original query that caused the issue. | ||
| Since `otherrole` does not have denied privileges, it is not included. | ||
| ==== | ||
|
|
||
| == Possible solutions | ||
|
|
||
| Consider whether it is possible to implement the security model without using denied privileges, for example, by revoking granted privileges or reducing the scope of the grant statements. | ||
|
|
||
| For example, you can replace the generic grant from the <<example-scenario-22nd2, Example scenario>> with the following more fine-grained alternative: | ||
| [source, cypher] | ||
| ---- | ||
| GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole | ||
| ---- | ||
|
|
||
| If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied. | ||
|
|
||
| ifndef::backend-pdf[] | ||
| [discrete.glossary] | ||
| == Glossary | ||
|
|
||
| include::partial$glossary.adoc[] | ||
| endif::[] | ||
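Review bot: same gap as in 22ND1: "replace the generic grant from the <<example-scenario-22nd2, Example scenario>>" points at a grant the Example scenario never shows; the scenario has only `DENY MATCH {*} ON GRAPH secret-db NODES * TO role` and `CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule`. Add the broad `GRANT MATCH` that the `DENY` narrows, or reword the sentence so that the fine-grained `GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole` is described as replacing the `DENY` itself. In the rendered error, `'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with `DENY` privileges.` keeps literal backticks inside a `[source]` block, where they render verbatim; this does not match the 22ND1 file, which strips them, and only one of the two can be the real server text. Finally, the Explanation paragraphs ("If an auth rule fails to evaluate ..." and "When a role contains denied privileges ...") are copied word for word from 22ND1; given that the PR already uses `include::partial$glossary.adoc[]`, a shared partial for this explanation would keep the two status codes from drifting apart.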