Improve how the new commercial security module is configured.

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java

@@ -76,6 +76,7 @@ public class EnterpriseSecurityModule extends SecurityModule
     private static final String DEFAULT_ADMIN_STORE_FILENAME = SetDefaultAdminCommand.ADMIN_INI;
 
     private EnterpriseAuthAndUserManager authManager;
+    protected SecurityConfig securityConfig;
 
     public EnterpriseSecurityModule()
     {
@@ -160,22 +161,12 @@ private EnterpriseSecurityContext asEnterprise( SecurityContext securityContext
     public EnterpriseAuthAndUserManager newAuthManager( Config config, LogProvider logProvider, SecurityLog securityLog,
             FileSystemAbstraction fileSystem, JobScheduler jobScheduler )
     {
-        SecurityConfig securityConfig = new SecurityConfig( config );
-        securityConfig.validate();
+        securityConfig = getValidatedSecurityConfig( config );
 
         List<Realm> realms = new ArrayList<>( securityConfig.authProviders.size() + 1 );
         SecureHasher secureHasher = new SecureHasher();
 
-        EnterpriseUserManager internalRealm = null;
-        if ( securityConfig.hasNativeProvider )
-        {
-            internalRealm = createInternalRealm( config, logProvider, fileSystem, jobScheduler );
-            realms.add( (Realm) internalRealm );
-        }
-        else if ( config.get( SecuritySettings.native_graph_enabled ) )
-        {
-            throw illegalConfiguration("Native graph enabled but native auth provider is not configured."  );
-        }
+        EnterpriseUserManager internalRealm = createInternalRealm( config, logProvider, fileSystem, jobScheduler, realms );
 
         if ( securityConfig.hasLdapProvider )
         {
@@ -200,6 +191,13 @@ else if ( config.get( SecuritySettings.native_graph_enabled ) )
                 securityConfig.propertyAuthorization, securityConfig.propertyBlacklist );
     }
 
+    protected SecurityConfig getValidatedSecurityConfig( Config config )
+    {
+        SecurityConfig securityConfig = new SecurityConfig( config );
+        securityConfig.validate();
+        return securityConfig;
+    }
+
     private static List<Realm> selectOrderedActiveRealms( List<String> configuredRealms, List<Realm> availableRealms )
     {
         List<Realm> orderedActiveRealms = new ArrayList<>( configuredRealms.size() );
@@ -218,9 +216,15 @@ private static List<Realm> selectOrderedActiveRealms( List<String> configuredRea
     }
 
     protected EnterpriseUserManager createInternalRealm( Config config, LogProvider logProvider,
-            FileSystemAbstraction fileSystem, JobScheduler jobScheduler )
+            FileSystemAbstraction fileSystem, JobScheduler jobScheduler, List<Realm> realms )
     {
-        return createInternalFlatFileRealm( config, logProvider, fileSystem, jobScheduler );
+        EnterpriseUserManager internalRealm = null;
+        if ( securityConfig.hasNativeProvider )
+        {
+            internalRealm = createInternalFlatFileRealm( config, logProvider, fileSystem, jobScheduler );
+            realms.add( (Realm) internalRealm );
+        }
+        return internalRealm;
     }
 
     protected static InternalFlatFileRealm createInternalFlatFileRealm( Config config, LogProvider logProvider,
@@ -360,19 +364,19 @@ private static File getDefaultAdminRepositoryFile( Config config )
                 DEFAULT_ADMIN_STORE_FILENAME );
     }
 
-    private static IllegalArgumentException illegalConfiguration( String message )
+    protected static IllegalArgumentException illegalConfiguration( String message )
     {
         return new IllegalArgumentException( "Illegal configuration: " + message );
     }
 
-    static class SecurityConfig
+    protected static class SecurityConfig
     {
-        final List<String> authProviders;
-        final boolean hasNativeProvider;
+        protected final List<String> authProviders;
+        public final boolean hasNativeProvider;
         final boolean hasLdapProvider;
         final List<String> pluginAuthProviders;
-        final boolean nativeAuthentication;
-        final boolean nativeAuthorization;
+        protected final boolean nativeAuthentication;
+        protected final boolean nativeAuthorization;
         final boolean ldapAuthentication;
         final boolean ldapAuthorization;
         final boolean pluginAuthentication;
@@ -381,7 +385,7 @@ static class SecurityConfig
         private final String propertyAuthMapping;
         final Map<String,List<String>> propertyBlacklist = new HashMap<>();
 
-        SecurityConfig( Config config )
+        protected SecurityConfig( Config config )
         {
             authProviders = config.get( SecuritySettings.auth_providers );
             hasNativeProvider = authProviders.contains( SecuritySettings.NATIVE_REALM_NAME );
@@ -400,7 +404,7 @@ static class SecurityConfig
             propertyAuthMapping = config.get( SecuritySettings.property_level_authorization_permissions );
         }
 
-        void validate()
+        protected void validate()
         {
             if ( !nativeAuthentication && !ldapAuthentication && !pluginAuthentication )
             {

enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java

@@ -59,6 +59,7 @@
 public class SecuritySettings implements LoadableConfig
 {
     public static final String NATIVE_REALM_NAME = "native";
+    public static final String NATIVE_GRAPH_REALM_NAME = "native-graph";
     public static final String LDAP_REALM_NAME = "ldap";
     public static final String PLUGIN_REALM_NAME_PREFIX = "plugin-";
 
@@ -67,7 +68,7 @@ public class SecuritySettings implements LoadableConfig
     //=========================================================================
 
     @Description( "The authentication and authorization provider that contains both the users and roles. " +
-                  "This can be one of the built-in `" + NATIVE_REALM_NAME + "` or `" + LDAP_REALM_NAME + "` providers, " +
+                  "This can be one of the built-in `" + NATIVE_REALM_NAME + "`, `" + NATIVE_GRAPH_REALM_NAME + "` or `" + LDAP_REALM_NAME + "` providers, " +
                   "or it can be an externally provided plugin, with a custom name prefixed by `" +
                   PLUGIN_REALM_NAME_PREFIX + "`, i.e. `" + PLUGIN_REALM_NAME_PREFIX + "<AUTH_PROVIDER_NAME>`." )
     public static final Setting<String> auth_provider =
@@ -83,13 +84,13 @@ public class SecuritySettings implements LoadableConfig
     @Internal
     public static final Setting<Boolean> native_authentication_enabled =
             derivedSetting( "dbms.security.native.authentication_enabled", auth_providers,
-                    providers -> providers.contains( NATIVE_REALM_NAME ), BOOLEAN );
+                    providers -> providers.contains( NATIVE_REALM_NAME ) || providers.contains( NATIVE_GRAPH_REALM_NAME ), BOOLEAN );
 
     @Description( "Enable authorization via native authorization provider." )
     @Internal
     public static final Setting<Boolean> native_authorization_enabled =
             derivedSetting( "dbms.security.native.authorization_enabled", auth_providers,
-                    providers -> providers.contains( NATIVE_REALM_NAME ), BOOLEAN );
+                    providers -> providers.contains( NATIVE_REALM_NAME ) || providers.contains( NATIVE_GRAPH_REALM_NAME ), BOOLEAN );
 
     @Description( "Enable authentication via settings configurable LDAP authentication provider." )
     @Internal
@@ -117,14 +118,6 @@ public class SecuritySettings implements LoadableConfig
                     providers -> providers.stream().anyMatch( r -> r.startsWith( PLUGIN_REALM_NAME_PREFIX ) ),
                     BOOLEAN );
 
-    //=========================================================================
-    // Native graph settings
-    //=========================================================================
-    @Description( "Use NativeGraphRealm for native security." )
-    @Internal
-    public static final Setting<Boolean> native_graph_enabled =
-            setting( "dbms.security.native.graph_enabled", BOOLEAN, "false" );
-
     //=========================================================================
     // LDAP settings
     //=========================================================================

enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java

@@ -225,7 +225,6 @@ public void setup()
         when( mockLogProvider.getLog( anyString() ) ).thenReturn( mockLog );
         when( mockLog.isDebugEnabled() ).thenReturn( true );
         when( config.get( SecuritySettings.property_level_authorization_enabled ) ).thenReturn( false );
-        when( config.get( SecuritySettings.native_graph_enabled ) ).thenReturn( false );
         when( config.get( SecuritySettings.auth_cache_ttl ) ).thenReturn( Duration.ZERO );
         when( config.get( SecuritySettings.auth_cache_max_capacity ) ).thenReturn( 10 );
         when( config.get( SecuritySettings.auth_cache_use_ttl ) ).thenReturn( true );