On Tue, Sep 27, 2011 at 11:29 PM, Nuo Yan <yan....@gmail.com> wrote:

> Hi Jake,
>
> Thanks for your reply.
>
> Sorry if my previous email was misleading, but I don't absolutely need
> key-based authentication; that just turned out to be what I first
> thought of. I was trying to figure out what authentication methods were
> supported so that I can evaluate. HTTPS + basic auth with strong passwords
> does sound good to me at this moment. However, at this moment, instead of
> using authentication, I ended up configuring security rules on my neo4j
> server to only take connections from my app server so I temporarily don't
> have a problem in the near future. But it's good to know about the
> authentication extension.
>
> By the way, do you have any data about the performance impact of using the
> authentication extension to do basic auth + HTTPS compared to talking to
> neo4j without authentication (both through REST)? If you have such data,
> please let me know. That would be very helpful information.
>

I'm afraid not. However, as long as you make sure to reuse TCP connections
(Connection:keep-alive), the overhead of https should be minimal. While the
same does not apply for basic auth, it should not add a significant
performance overhead compared to "normal" REST.

/Jake


>
> Thanks,
> Nuo
>
>
>
> On Tue, Sep 27, 2011 at 6:10 AM, Jacob Hansson <jacob.hans...@neotechnology.com> wrote:
>
> > As far as I know, the auth plugin currently only supports HTTP BASIC
> > authentication. But it would be interesting to expand it to allow other
> > authentication methods, for instance by allowing pluggable authentication
> > providers.
> >
> > So if I understand your question correctly, yes, it does support
> > authentication beyond just limiting access by IP, but it does not support
> > authentication using keys or certificates.
> >
> > Out of curiosity, what is the driver behind needing key-based
> > authentication? The combination of HTTP BASIC, strong passwords and HTTPS
> > seems like it would supply quite strong security, no?
> >
> > /Jake
> >
> > On Wed, Sep 21, 2011 at 9:16 PM, Nuo Yan <yan....@gmail.com> wrote:
> >
> > > Limiting access to certain URIs or IPs is great, but ideally at this moment
> > > I also need something like a key-based authentication so I can send a
> > > private key in the headers from my restclient and neo4j would authenticate
> > > and only take authenticated requests. Does the authentication extension
> > > support key-based authentication? If not, what forms of authentication does
> > > it currently support (user/password, token-based, shared-secret)?
> > >
> > > Thanks,
> > > Nuo
> > >
> > > On Wed, Sep 21, 2011 at 11:24 AM, Peter Neubauer <peter.neuba...@neotechnology.com> wrote:
> > >
> > > > Nuo,
> > > > Thomas Baum has been working on an authentication extension for Neo4j
> > > > Server, see https://github.com/neo4j/authentication-extension. He
> > > > could help you set it up and test it - it's used in hosting scenarios
> > > > and should do what you want in terms of limiting access to certain
> > > > URIs if that is what you want?
> > > >
> > > > Cheers,
> > > >
> > > > /peter neubauer
> > > >
> > > > GTalk:      neubauer.peter
> > > > Skype       peter.neubauer
> > > > Phone       +46 704 106975
> > > > LinkedIn   http://www.linkedin.com/in/neubauer
> > > > Twitter      http://twitter.com/peterneubauer
> > > >
> > > > http://www.neo4j.org               - Your high performance graph database.
> > > > http://startupbootcamp.org/    - Öresund - Innovation happens HERE.
> > > > http://www.thoughtmade.com - Scandinavia's coolest Bring-a-Thing party.
> > > >
> > > >
> > > >
> > > > On Wed, Sep 21, 2011 at 6:14 PM, Nuo Yan <yan....@gmail.com> wrote:
> > > > > For my scenario, I currently only use the LB for request authentication, so
> > > > > that not everyone on the network can access the neo4j server. In my use
> > > > > case, I think making the base uri configurable (including the protocol, e.g.
> > > > > https://foobar.com/) is enough.
> > > > >
> > > > > There are a couple other approaches that may also solve my problem. For
> > > > > example, having a configurable option to make the REST APIs return only
> > > > > relative paths in the result. Or, if neo4j could have a built-in request
> > > > > authentication mechanism for the REST interface, I may be able to get rid of
> > > > > the lb completely.
> > > > >
> > > > >
> > > > > On Wed, Sep 21, 2011 at 7:04 AM, Peter Neubauer <peter.neuba...@neotechnology.com> wrote:
> > > > >
> > > > >> Nuo,
> > > > >> right now the server is discovering its own IP upon startup. However,
> > > > >> it sounds reasonable to return configurable base URL. I am just
> > > > >> wondering if that really is enough to support a LB scenario? Do you
> > > > >> need more stuff there?
> > > > >>
> > > > >> Cheers,
> > > > >>
> > > > >> /peter neubauer
> > > > >>
> > > > >> On Tue, Sep 20, 2011 at 6:57 PM, Nuo Yan <yan....@gmail.com> wrote:
> > > > >> > I access my neo4j server through the REST API. For security purposes, I put
> > > > >> > the neo4j server behind an nginx lb. I'm wondering if there is a config entry
> > > > >> > somewhere that I can set the neo4j server to return a customized base uri
> > > > >> > that I can set to my LB's uri.
> > > > >> >
> > > > >> > For example, currently creating a node by POSTing to the lb (say
> > > > >> > https://10.0.0.1/db/data) returns
> > > > >> >
> > > > >> > {
> > > > >> >  "outgoing_relationships" : "http://neo4j/db/data/node/160/relationships/out",
> > > > >> >  "data" : {
> > > > >> >  },
> > > > >> >  "traverse" : "http://neo4j/db/data/node/160/traverse/{returnType}",
> > > > >> >  "all_typed_relationships" : "http://neo4j/db/data/node/160/relationships/all/{-list|&|types}",
> > > > >> >  "property" : "http://neo4j/db/data/node/160/properties/{key}",
> > > > >> >  "self" : "http://neo4j/db/data/node/160",
> > > > >> >  "properties" : "http://neo4j/db/data/node/160/properties",
> > > > >> >  "outgoing_typed_relationships" : "http://neo4j/db/data/node/160/relationships/out/{-list|&|types}",
> > > > >> >  "incoming_relationships" : "http://neo4j/db/data/node/160/relationships/in",
> > > > >> >  "extensions" : {
> > > > >> >  },
> > > > >> >  "create_relationship" : "http://neo4j/db/data/node/160/relationships",
> > > > >> >  "paged_traverse" : "http://neo4j/db/data/node/160/paged/traverse/{returnType}{?pageSize,leaseTime}",
> > > > >> >  "all_relationships" : "http://neo4j/db/data/node/160/relationships/all",
> > > > >> >  "incoming_typed_relationships" : "http://neo4j/db/data/node/160/relationships/in/{-list|&|types}"
> > > > >> > }
> > > > >> >
> > > > >> >
> > > > >> > Is there a config on the neo4j server that I can set to make it either
> > > > >> > return the lb URI "https://10.0.0.1" as the base uri or return relative
> > > > >> > path in the result?
> > > > >> > _______________________________________________
> > > > >> > Neo4j mailing list
> > > > >> > User@lists.neo4j.org
> > > > >> > https://lists.neo4j.org/mailman/listinfo/user
> > > > >> >
> >
> >
> >
> > --
> > Jacob Hansson
> > Phone: +46 (0) 763503395
> > Twitter: @jakewins
>



-- 
Jacob Hansson
Phone: +46 (0) 763503395
Twitter: @jakewins
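
The base-URI mismatch from the first message of this thread, handled on the client side. This is an added example, not code from the thread or from Neo4j: it maps the links in a REST response from the origin the server reports (http://neo4j) onto the load balancer's origin (https://10.0.0.1) and refuses any link that points elsewhere, so the client never follows a link around the LB. The function names, the skipped "data" key and the sample property value are assumptions; the sample response is constructed from the one quoted in the thread.

```python
import json
from urllib.parse import urlsplit

INTERNAL_ORIGIN = ("http", "neo4j")   # origin in the server's links (from the thread)
PUBLIC_BASE = "https://10.0.0.1"      # load balancer URI (from the thread)


def rebase_uri(value):
    """Move one absolute link from the internal origin to the LB origin."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return value  # not an absolute URI, leave untouched
    if (parts.scheme, parts.netloc.lower()) != INTERNAL_ORIGIN:
        # A link to any other host would take the client off the LB path.
        raise ValueError(f"unexpected origin in link: {value!r}")
    # Slice instead of re-assembling so URI templates such as
    # {returnType}{?pageSize,leaseTime} survive byte for byte.
    rest = value[len(parts.scheme) + 3 + len(parts.netloc):]
    return PUBLIC_BASE + rest


def rebase_links(doc, skip_keys=("data",)):
    """Walk a decoded response; node properties under 'data' are user data."""
    if isinstance(doc, dict):
        return {k: v if k in skip_keys else rebase_links(v, skip_keys)
                for k, v in doc.items()}
    if isinstance(doc, list):
        return [rebase_links(v, skip_keys) for v in doc]
    if isinstance(doc, str):
        return rebase_uri(doc)
    return doc


# Constructed sample: a trimmed version of the response quoted in the thread,
# with one made-up node property to show that user data is not rewritten.
SAMPLE = json.loads("""{
  "self": "http://neo4j/db/data/node/160",
  "data": {"homepage": "http://example.org/"},
  "extensions": {},
  "property": "http://neo4j/db/data/node/160/properties/{key}",
  "paged_traverse": "http://neo4j/db/data/node/160/paged/traverse/{returnType}{?pageSize,leaseTime}"
}""")

if __name__ == "__main__":
    print(json.dumps(rebase_links(SAMPLE), indent=1))
```
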