diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java
index a90be564055fc..713c259f7e155 100644
--- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java
+++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModule.java
@@ -76,6 +76,7 @@ public class EnterpriseSecurityModule extends SecurityModule
     private static final String DEFAULT_ADMIN_STORE_FILENAME = SetDefaultAdminCommand.ADMIN_INI;
     private EnterpriseAuthAndUserManager authManager;
+    protected SecurityConfig securityConfig;
     public EnterpriseSecurityModule()
     {
@@ -160,22 +161,12 @@ private EnterpriseSecurityContext asEnterprise( SecurityContext securityContext
     public EnterpriseAuthAndUserManager newAuthManager( Config config, LogProvider logProvider, SecurityLog securityLog,
             FileSystemAbstraction fileSystem, JobScheduler jobScheduler )
     {
-        SecurityConfig securityConfig = new SecurityConfig( config );
-        securityConfig.validate();
+        securityConfig = getValidatedSecurityConfig( config );
         List realms = new ArrayList<>( securityConfig.authProviders.size() + 1 );
         SecureHasher secureHasher = new SecureHasher();
-        EnterpriseUserManager internalRealm = null;
-        if ( securityConfig.hasNativeProvider )
-        {
-            internalRealm = createInternalRealm( config, logProvider, fileSystem, jobScheduler );
-            realms.add( (Realm) internalRealm );
-        }
-        else if ( config.get( SecuritySettings.native_graph_enabled ) )
-        {
-            throw illegalConfiguration("Native graph enabled but native auth provider is not configured." );
-        }
+        EnterpriseUserManager internalRealm = createInternalRealm( config, logProvider, fileSystem, jobScheduler, realms );
         if ( securityConfig.hasLdapProvider )
         {
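Review bot: `securityConfig = getValidatedSecurityConfig( config );` turns the `validate()` call into a subclass responsibility, because the new factory is `protected` and overridable; an override that builds its own `SecurityConfig` and forgets `validate()` silently drops the only visible guard that at least one authentication provider is enabled (the `!nativeAuthentication && !ldapAuthentication && !pluginAuthentication` check further down in this diff). Safer to keep the invariant in the caller and let the hook only construct the object, e.g. `securityConfig = getSecurityConfig( config );` followed by `securityConfig.validate();` in `newAuthManager` itself. If the method name is kept, at least state the contract on it: `/** Builds the SecurityConfig for this module; overriding implementations MUST call validate() before returning. */`. The body of newAuthManager continues past the end of this hunk, so any later use of the unvalidated config is not visible here.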
@@ -200,6 +191,13 @@ else if ( config.get( SecuritySettings.native_graph_enabled ) )
                 securityConfig.propertyAuthorization, securityConfig.propertyBlacklist );
     }
+    protected SecurityConfig getValidatedSecurityConfig( Config config )
+    {
+        SecurityConfig securityConfig = new SecurityConfig( config );
+        securityConfig.validate();
+        return securityConfig;
+    }
+
     private static List selectOrderedActiveRealms( List configuredRealms, List availableRealms )
     {
         List orderedActiveRealms = new ArrayList<>( configuredRealms.size() );
@@ -218,9 +216,15 @@ private static List selectOrderedActiveRealms( List configuredRea
     }
     protected EnterpriseUserManager createInternalRealm( Config config, LogProvider logProvider,
-            FileSystemAbstraction fileSystem, JobScheduler jobScheduler )
+            FileSystemAbstraction fileSystem, JobScheduler jobScheduler, List realms )
     {
-        return createInternalFlatFileRealm( config, logProvider, fileSystem, jobScheduler );
+        EnterpriseUserManager internalRealm = null;
+        if ( securityConfig.hasNativeProvider )
+        {
+            internalRealm = createInternalFlatFileRealm( config, logProvider, fileSystem, jobScheduler );
+            realms.add( (Realm) internalRealm );
+        }
+        return internalRealm;
     }
     protected static InternalFlatFileRealm createInternalFlatFileRealm( Config config, LogProvider logProvider,
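Review bot: The rewritten `createInternalRealm` reads the `securityConfig` instance field instead of receiving the configuration, so `if ( securityConfig.hasNativeProvider )` now depends on `newAuthManager` having run first; as a `protected` hook that subclasses and tests may call on their own, it fails with a bare NullPointerException in any other order. Either pass the config explicitly, `createInternalRealm( config, securityConfig, logProvider, fileSystem, jobScheduler, realms )`, or fail with an actionable message at the top of the method, `Objects.requireNonNull( securityConfig, "securityConfig must be initialised by newAuthManager before realms are created" );` (assuming `java.util.Objects` is imported, which this hunk does not show). The method also mutates the caller's `realms` list while returning the realm as the user manager, which deserves a one-line comment on the signature: `// Adds the native realm to 'realms' when one is configured and returns it as the user manager, else null.`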
@@ -360,19 +364,19 @@ private static File getDefaultAdminRepositoryFile( Config config )
                 DEFAULT_ADMIN_STORE_FILENAME );
     }
-    private static IllegalArgumentException illegalConfiguration( String message )
+    protected static IllegalArgumentException illegalConfiguration( String message )
     {
         return new IllegalArgumentException( "Illegal configuration: " + message );
     }
-    static class SecurityConfig
+    protected static class SecurityConfig
     {
-        final List authProviders;
-        final boolean hasNativeProvider;
+        protected final List authProviders;
+        public final boolean hasNativeProvider;
         final boolean hasLdapProvider;
         final List pluginAuthProviders;
-        final boolean nativeAuthentication;
-        final boolean nativeAuthorization;
+        protected final boolean nativeAuthentication;
+        protected final boolean nativeAuthorization;
         final boolean ldapAuthentication;
         final boolean ldapAuthorization;
         final boolean pluginAuthentication;
@@ -381,7 +385,7 @@ static class SecurityConfig
         private final String propertyAuthMapping;
         final Map> propertyBlacklist = new HashMap<>();
-        SecurityConfig( Config config )
+        protected SecurityConfig( Config config )
         {
             authProviders = config.get( SecuritySettings.auth_providers );
             hasNativeProvider = authProviders.contains( SecuritySettings.NATIVE_REALM_NAME );
@@ -400,7 +404,7 @@ static class SecurityConfig
             propertyAuthMapping = config.get( SecuritySettings.property_level_authorization_permissions );
         }
-        void validate()
+        protected void validate()
         {
             if ( !nativeAuthentication && !ldapAuthentication && !pluginAuthentication )
             {
diff --git a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java
index 554a857611f0c..327f8b0d2482d 100644
--- a/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java
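Review bot: `public final boolean hasNativeProvider;` is the only `public` member of a class that is itself only `protected static`, while the sibling flags changed in the same hunk (`authProviders`, `nativeAuthentication`, `nativeAuthorization`) become `protected`; the mixed levels read as accidental rather than a designed API. Use `protected final boolean hasNativeProvider;` for consistency, and since `SecurityConfig` and `validate()` are now part of the extension surface, give the class a short comment describing what it snapshots from `Config` and that overrides of `validate()` are expected to keep the "at least one authentication provider" check. It is also worth noting in that comment that `hasNativeProvider` is still derived from `NATIVE_REALM_NAME` alone, as the unchanged constructor line in the following hunk shows, so a subclass handling another native provider name must account for that itself.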
+++ b/enterprise/security/src/main/java/org/neo4j/server/security/enterprise/configuration/SecuritySettings.java
@@ -59,6 +59,7 @@ public class SecuritySettings implements LoadableConfig
 {
     public static final String NATIVE_REALM_NAME = "native";
+    public static final String NATIVE_GRAPH_REALM_NAME = "native-graph";
     public static final String LDAP_REALM_NAME = "ldap";
     public static final String PLUGIN_REALM_NAME_PREFIX = "plugin-";
@@ -67,7 +68,7 @@ public class SecuritySettings implements LoadableConfig
     //=========================================================================
     @Description( "The authentication and authorization provider that contains both the users and roles. " +
-            "This can be one of the built-in `" + NATIVE_REALM_NAME + "` or `" + LDAP_REALM_NAME + "` providers, " +
+            "This can be one of the built-in `" + NATIVE_REALM_NAME + "`, `" + NATIVE_GRAPH_REALM_NAME + "` or `" + LDAP_REALM_NAME + "` providers, " +
             "or it can be an externally provided plugin, with a custom name prefixed by `" + PLUGIN_REALM_NAME_PREFIX + "`, i.e. `" + PLUGIN_REALM_NAME_PREFIX + "`." )
     public static final Setting auth_provider =
@@ -83,13 +84,13 @@ public class SecuritySettings implements LoadableConfig
     @Internal
     public static final Setting native_authentication_enabled =
             derivedSetting( "dbms.security.native.authentication_enabled", auth_providers,
-                    providers -> providers.contains( NATIVE_REALM_NAME ), BOOLEAN );
+                    providers -> providers.contains( NATIVE_REALM_NAME ) || providers.contains( NATIVE_GRAPH_REALM_NAME ), BOOLEAN );
     @Description( "Enable authorization via native authorization provider." )
     @Internal
     public static final Setting native_authorization_enabled =
             derivedSetting( "dbms.security.native.authorization_enabled", auth_providers,
-                    providers -> providers.contains( NATIVE_REALM_NAME ), BOOLEAN );
+                    providers -> providers.contains( NATIVE_REALM_NAME ) || providers.contains( NATIVE_GRAPH_REALM_NAME ), BOOLEAN );
     @Description( "Enable authentication via settings configurable LDAP authentication provider." )
     @Internal
@@ -117,14 +118,6 @@ public class SecuritySettings implements LoadableConfig
             providers -> providers.stream().anyMatch( r -> r.startsWith( PLUGIN_REALM_NAME_PREFIX ) ), BOOLEAN );
-    //=========================================================================
-    // Native graph settings
-    //=========================================================================
-    @Description( "Use NativeGraphRealm for native security." )
-    @Internal
-    public static final Setting native_graph_enabled =
-            setting( "dbms.security.native.graph_enabled", BOOLEAN, "false" );
-
     //=========================================================================
     // LDAP settings
     //=========================================================================
diff --git a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java
index dbed935dc2dcd..abb58196c78ca 100644
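Review bot: With the added `|| providers.contains( NATIVE_GRAPH_REALM_NAME )`, `native_authentication_enabled` and `native_authorization_enabled` derive true for `native-graph`, but `SecurityConfig.hasNativeProvider` in EnterpriseSecurityModule is still `authProviders.contains( SecuritySettings.NATIVE_REALM_NAME )` in this same diff, so on the base module `dbms.security.auth_providers=native-graph` reports native authentication enabled while `createInternalRealm` creates no realm for it. Whether that ends in a clear configuration error or a running module with no native realm depends on `validate()` and `selectOrderedActiveRealms`, whose bodies are outside the diff, but nothing visible rejects the combination, and the `native_graph_enabled` guard that used to throw `illegalConfiguration(...)` is removed in the same commit. Since the new name is now advertised in the `auth_provider` description, the base module should fail fast on it, for example in `validate()`: `if ( ( nativeAuthentication || nativeAuthorization ) && !hasNativeProvider ) { throw illegalConfiguration( "native-graph auth provider requires the graph-backed security module" ); }` — presumably the graph-backed subclass then overrides or relaxes that check. A unit test pinning the rejection would keep these two derivations from drifting apart again.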
--- a/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java
+++ b/enterprise/security/src/test/java/org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.java
@@ -225,7 +225,6 @@ public void setup()
         when( mockLogProvider.getLog( anyString() ) ).thenReturn( mockLog );
         when( mockLog.isDebugEnabled() ).thenReturn( true );
         when( config.get( SecuritySettings.property_level_authorization_enabled ) ).thenReturn( false );
-        when( config.get( SecuritySettings.native_graph_enabled ) ).thenReturn( false );
         when( config.get( SecuritySettings.auth_cache_ttl ) ).thenReturn( Duration.ZERO );
         when( config.get( SecuritySettings.auth_cache_max_capacity ) ).thenReturn( 10 );
         when( config.get( SecuritySettings.auth_cache_use_ttl ) ).thenReturn( true );