Revert "3.0 extract server docs"

community/server/pom.xml

@@ -507,6 +507,52 @@
         </configuration>
       </plugin>
 
+      <plugin>
+        <artifactId>maven-antrun-plugin</artifactId>
+        <version>1.7</version>
+        <!--$NO-MVN-MAN-VER$-->
+        <executions>
+          <execution>
+            <id>generate-source-based-documentation</id>
+            <phase>process-classes</phase>
+            <configuration>
+              <target>
+                <java classname="org.neo4j.server.rest.transactional.error.ErrorDocumentationGenerator"
+                      classpathref="maven.compile.classpath" failonerror="true">
+                  <arg value="${project.build.directory}/docs/dev/rest-api"/>
+                </java>
+              </target>
+            </configuration>
+            <goals>
+              <goal>run</goal>
+            </goals>
+          </execution>
+        </executions>
+        <dependencies>
+          <dependency>
+            <groupId>ant-contrib</groupId>
+            <artifactId>ant-contrib</artifactId>
+            <version>1.0b3</version>
+            <exclusions>
+              <exclusion>
+                <groupId>ant</groupId>
+                <artifactId>ant</artifactId>
+              </exclusion>
+            </exclusions>
+          </dependency>
+          <dependency>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant</artifactId>
+            <version>1.8.2</version>
+          </dependency>
+          <dependency>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant-apache-regexp</artifactId>
+            <version>1.8.2</version>
+          </dependency>
+        </dependencies>
+      </plugin>
+
     </plugins>
 
     <pluginManagement>

manual/server-docs/src/docs/dev/rest-api/security.asciidoc → community/server/src/docs/dev/rest-api/security.asciidoc

@@ -3,6 +3,7 @@
 
 In order to prevent unauthorized access to Neo4j, the REST API supports authorization and authentication.
 When enabled, requests to the REST API must be authorized using the username and password of a valid user.
+Authorization is enabled by default, see <<security-server-auth>> for how to disable it.
 
 When Neo4j is first installed you can authenticate with the default user `neo4j` and the default password `neo4j`.
 However, the default password must be changed (see <<rest-api-security-user-status-and-password-changing>>) before access to resources will be permitted.

manual/server-docs/src/docs/dev/rest-api/traversals.asciidoc → community/server/src/docs/dev/rest-api/traversals.asciidoc

@@ -4,7 +4,7 @@
 [WARNING]
 The Traversal REST Endpoint executes arbitrary Javascript code under the hood as part of the evaluators definitions. In hosted and open environments, this can constitute a security risk.
 In these case, consider using declarative approaches like <<cypher>> or write your own server side plugin executing the
-interesting traversals with the Java API ( see <<server-plugins>> ) or secure your server.
+interesting traversals with the Java API ( see <<server-plugins>> ) or secure your server, see <<operations-security>>.
 
 Traversals are performed from a start node.
 The traversal is controlled by the URI and the body sent with the request.

community/server/src/docs/ops/powershell.asciidoc

@@ -0,0 +1,126 @@
+[[powershell]]
+= Windows PowerShell module
+
+The Neo4j PowerShell module allows administrators to:
+
+* install, start and stop Neo4j Windows® Services
+* and start tools, such as `Neo4j Shell` and `Neo4j Import`.
+
+The PowerShell module is installed as part of the http://neo4j.com/download/[ZIP file] distributions of Neo4j.
+
+[[powershell-requirements]]
+== System Requirements
+
+* Requires PowerShell v2.0 or above.
+* Supported on either 32 or 64 bit operating systems.
+
+[[powershell-windows]]
+== Managing Neo4j on Windows
+
+On Windows it is sometimes necessary to _Unblock_ a downloaded zip file before you can import its contents as a module. If you right-click on the zip file and choose "Properties" you will get a dialog. Bottom-right on that dialog you will find an "Unblock" button. Click that. Then you should be able to import the module.
+
+Running scripts has to be enabled on the system.
+This can for example be achieved by executing the following from an elevated PowerShell prompt:
+[source,powershell]
+----
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
+----
+For more information see https://technet.microsoft.com/en-us/library/hh847748.aspx[About execution policies].
+
+The powershell module will display a warning if it detects that you do not have administrative rights.
+
+[[powershell-module-import]]
+== How do I import the module?
+
+The module file is located in the _bin_ directory of your Neo4j installation, i.e. where you unzipped the downloaded file.
+For example, if Neo4j was installed in _C:\Neo4j_ then the module would be imported like this:
+
+[source,powershell]
+----
+Import-Module C:\Neo4j\bin\Neo4j-Management.psd1
+----
+
+This will add the module to the current session.
+
+Once the module has been imported you can start an interactive console version of a Neo4j Server like this:
+
+[source,powershell]
+----
+Invoke-Neo4j console
+----
+
+To stop the server, issue `Ctrl-C` in the console window that was created by the command.
+
+[[powershell-help]]
+== How do I get help about the module?
+
+Once the module is imported you can query the available commands like this:
+
+[source,powershell]
+----
+Get-Command -Module Neo4j-Management
+----
+
+The output should be similar to the following:
+
+[source]
+----
+CommandType     Name                                Version    Source
+-----------     ----                                -------    ------
+Function        Invoke-Neo4j                        3.0.0      Neo4j-Management
+Function        Invoke-Neo4jAdmin                   3.0.0      Neo4j-Management
+Function        Invoke-Neo4jBackup                  3.0.0      Neo4j-Management
+Function        Invoke-Neo4jImport                  3.0.0      Neo4j-Management
+Function        Invoke-Neo4jShell                   3.0.0      Neo4j-Management
+----
+
+The module also supports the standard PowerShell help commands.
+
+[source,powershell]
+----
+Get-Help Invoke-Neo4j
+----
+
+To see examples for a command, do like this:
+
+[source,powershell]
+----
+Get-Help Invoke-Neo4j -examples
+----
+
+[[powershell-examples]]
+== Example usage
+
+* List of available commands:
++
+[source,powershell]
+----
+Invoke-Neo4j
+----
+
+* Current status of the Neo4j service:
++
+[source,powershell]
+----
+Invoke-Neo4j status
+----
+
+* Install the service with verbose output:
++
+[source,powershell]
+----
+Invoke-Neo4j install-service -Verbose
+----
+
+* Available commands for administrative tasks:
++
+[source,powershell]
+----
+Invoke-Neo4jAdmin
+----
+
+[[powershell-common-parameters]]
+== Common PowerShell parameters
+
+The module commands support the common PowerShell parameter of `Verbose`.
+

community/server/src/docs/ops/security.asciidoc

@@ -0,0 +1,163 @@
+[[security-server]]
+= Securing Neo4j Server
+
+== Secure the port and remote client connection accepts ==
+
+By default, the Neo4j Server is bundled with a Web server that binds to host +localhost+ on port +7474+, answering only requests from the local machine.
+
+This is configured in <<file-locations, _neo4j.conf_>>:
+
+[source,properties]
+----
+# Let the webserver only listen on the specified IP. Default is localhost (only
+# accept local connections). Uncomment to allow any connection.
+dbms.connector.http.type=HTTP
+dbms.connector.http.enabled=true
+#dbms.connector.http.address=0.0.0.0:7474
+----
+
+If you want the server to listen to external hosts, configure the Web server in _neo4j.conf_ by setting the property +dbms.connector.http.address=0.0.0.0:7474+ which will cause the server to bind to all available network interfaces.
+Note that firewalls et cetera have to be configured accordingly as well.
+
+[[security-server-auth]]
+== Server authentication and authorization ==
+
+Neo4j requires clients to supply authentication credentials when accessing the REST API.
+Without valid credentials, access to the database will be forbidden.
+
+The authentication and authorization data is stored under _data/dbms/auth_.
+If necessary, this file can be copied over to other neo4j instances to ensure they share the same username/password (see <<rest-api-security-copy-config>>).
+
+Please refer to <<rest-api-security>> for additional details.
+When accessing Neo4j over unsecured networks, make sure HTTPS is configured and used for access (see <<security-server-https>>).
+
+If necessary, authentication may be disabled.
+This will allow any client to access the database without supplying authentication credentials.
+
+[source,properties]
+----
+# Disable authorization
+dbms.security.auth_enabled=false
+----
+
+[WARNING]
+Disabling authentication is not recommended, and should only be done if the operator has a good understanding of their network security, including protection against http://en.wikipedia.org/wiki/Cross-site_scripting[cross-site scripting (XSS)] attacks via web browsers.
+Developers should not disable authentication if they have a local installation using the default listening ports.
+
+[[security-server-https]]
+== HTTPS support ==
+
+The Neo4j server includes built in support for SSL encrypted communication over HTTPS.
+The first time the server starts, it automatically generates a self-signed SSL certificate and a private key.
+Because the certificate is self signed, it is not safe to rely on for production use, instead, you should provide your own key and certificate for the server to use.
+
+[CAUTION]
+Using auto-generation of self-signed SSL certificates will not work if the Neo4j server has been configured with multiple connectors that bind to different IP addresses.
+If you need to use multiple IP addresses, please configure certificates manually and use multi-host or wildcard certificates instead.
+
+To provide your own key and certificate put them in the <<file-locations, _certificates_>> directory.
+The files must be named _neo4j.key_ and _neo4j.cert_.
+The location of the directory can be configured by setting _dbms.directories.certificates_ in <<file-locations, _neo4j.conf_>>.
+
+[source,properties]
+----
+# Certificates location (auto generated if the file does not exist)
+dbms.directories.certificates=certificates
+
+----
+
+Note that the key should be unencrypted.
+Make sure you set correct permissions on the private key, so that only the Neo4j server user can read/write it.
+
+Neo4j also supports chained SSL certificates.
+This requires to have all certificates in PEM format combined in one file and the private key needs to be in DER format.
+
+You can set what port the HTTPS connector should bind to in the same configuration file, as well as turn HTTPS on or off:
+
+[source,properties]
+----
+dbms.connector.https.type=HTTP
+dbms.connector.https.enabled=true
+dbms.connector.https.encryption=TLS
+dbms.connector.https.address=localhost:7473
+----
+
+== Arbitrary code execution ==
+
+[IMPORTANT]
+The Neo4j server exposes remote scripting functionality by default that allow full access to the underlying system.
+Exposing your server without implementing a security layer presents a substantial security vulnerability.
+
+By default, the Neo4j Server comes with some places where arbitrary code code execution can happen. These are the <<rest-api-traverse>> REST endpoints.
+To secure these, either disable them completely by removing offending plugins from the server classpath, or secure access to these URLs through proxies or Authorization Rules.
+Also, the Java Security Manager, see http://docs.oracle.com/javase/7/docs/technotes/guides/security/index.html, can be used to secure parts of the codebase.
+
+== Server authorization rules ==
+
+Administrators may require more fine-grained security policies in addition to the basic authorization and/or IP-level restrictions on the Web server.
+Neo4j server supports administrators in allowing or disallowing access the specific aspects of the database based on credentials that users or applications provide.
+
+To facilitate domain-specific authorization policies in Neo4j Server, security rules can be implemented and registered with the server.
+This makes scenarios like user and role based security and authentication against external lookup services possible.
+See +org.neo4j.server.rest.security.SecurityRule+ in the javadocs downloadable from http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.neo4j.app%22%20AND%20a%3A%22neo4j-server%22[Maven Central (org.neo4j.app:neo4j-server)].
+
+[CAUTION]
+The use of Server Authorization Rules may interact unexpectedly with the built-in authentication and authorization (see <<security-server-auth>>), if enabled.
+
+include::enforcing-server-authorization-rules.asciidoc[]
+
+include::using-wildcards-to-target-security-rules.asciidoc[]
+
+include::using-complex-wildcards-to-target-security-rules.asciidoc[]
+
+
+== Using a proxy ==
+
+Although the Neo4j server has a number of security features built-in (see the above chapters), for sensitive deployments it is often sensible to front against the outside world it with a proxy like Apache `mod_proxy` footnote:[http://httpd.apache.org/docs/2.2/mod/mod_proxy.html].
+
+This provides a number of advantages:
+
+* Control access to the Neo4j server to specific IP addresses, URL patterns and IP ranges. This can be used to make for instance only the '/db/data' namespace accessible to non-local clients, while the '/db/admin' URLs only respond to a specific IP address.
++
+[source]
+---------------
+<Proxy *>
+  Order Deny,Allow
+  Deny from all
+  Allow from 192.168.0
+</Proxy>
+---------------
++
+While it is possible to develop plugins using Neo4j's `SecurityRule` (see above), operations professionals would often prefer to configure proxy servers such as Apache.
+However, it should be noted that in cases where both approaches are being used, they will work harmoniously provided that the behavior is consistent across proxy server and `SecurityRule` plugins.
+
+* Run Neo4j Server as a non-root user on a Linux/Unix system on a port < 1000 (e.g. port 80) using
++
+[source]
+---------------
+ProxyPass /neo4jdb/data http://localhost:7474/db/data
+ProxyPassReverse /neo4jdb/data http://localhost:7474/db/data
+---------------
+
+* Simple load balancing in a clustered environment to load-balance read load using the Apache `mod_proxy_balancer` footnote:[http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html] plugin
++
+[source]
+--------------
+<Proxy balancer://mycluster>
+BalancerMember http://192.168.1.50:80
+BalancerMember http://192.168.1.51:80
+</Proxy>
+ProxyPass /test balancer://mycluster
+--------------
+
+== LOAD CSV
+
+The Cypher `LOAD CSV` clause can load files from the filesystem, and its default configuration allows any file on the system to be read using a `file:///` URL.
+This presents a security vulnerability in production environments where database users should not otherwise have access to files on the system.
+For production deployments, configure the <<config_dbms.directories.import>> setting, which will make all files identified in a `file:///` URL relative to the specified directory, similarly to how a unix chroot works.
+Alternatively, set the <<config_dbms.security.allow_csv_import_from_file_urls>> setting to false, which disables the use of `file:///` URLs entirely.
+Further information can be found in <<query-load-csv>>.
+
+== Neo4j Web Interface Security
+
+For configuration settings to consider in order to get the level of security you want to achieve, see <<configuration-settings>>.

community/server/src/docs/ops/server-debugging.asciidoc

@@ -0,0 +1,16 @@
+[[server-debugging]]
+= Setup for remote debugging
+
+In order to configure the Neo4j server for remote debugging sessions, the Java debugging parameters need to be passed to the Java process through the configuration.
+They live in the _conf/neo4j-wrapper.properties_ file.
+
+In order to specify the parameters, add a line for the additional Java arguments like this:
+
+[source,properties]
+----
+dbms.jvm.additional=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005
+----
+
+This configuration will start a Neo4j server ready for remote debugging attachement at localhost and port `5005`.
+Use these parameters to attach to the process from Eclipse, IntelliJ or your remote debugger of choice after starting the server.
+