Security #539

Closed
wants to merge 10 commits into from
128 changes: 128 additions & 0 deletions modules/ROOT/pages/getting-started/quick-start-guide.adoc
@@ -0,0 +1,128 @@
[[aura-quick-start-guide]]
= Quick start guide
:description: This page describes how to create a Neo4j Aura account, a new instance and connect to existing instances.

== Create an account

To access Neo4j Aura, you need to have an Aura account.
Navigate to link:https://console.neo4j.io[Neo4j Aura console] and follow the instructions for registration.
Once you have accepted the terms and conditions and verified your email address, you can start using the console.

The console exists in two versions, the classic experience, and the early access new console, as mentioned in xref:index.adoc[About Neo4j Aura console].
You can toggle between the different versions, via the account dropdown in the top right corner.

[[create-instance]]
== Create an instance

The first step is to select the plan that best suits your needs.
You can upgrade your plan later if your needs change.

Once you've selected a plan, your instance is created.
A password is generated for the instance, ensure to either copy or download it, as it will **not** be recoverable after.
The password is required to access your instance later.

[NOTE]
====
You can only create **one Free instance** per account.
To create more instances, you need to upgrade your plan.
See link:https://neo4j.com/pricing/[Neo4j Pricing] for more information on the different plans.
====

[[connect-to-instance]]
== Connect to an instance

To interact with a database in an instance, you need to establish a connection.

. Go to *Import*, *Explore* or *Query*.
. Select *Status* and from there you can connect to an instance.
. You may need your *Username* and *Password* credentials.

[.shadow]
.Connection banner
image::connectionbanner.png[]

[.shadow]
.Connection modal
image::connectionauthentication.png[]

[cols="20%,80%"]
|===
| Field | Description

|Protocol
|The protocol is used for the communication between the Neo4j database server and the client application or tool.
If you are a new user, you can use the default the default `neo4j+s//`.
For more information about connection schemes, see link:https://neo4j.com/docs/operations-manual/current/configuration/connectors/[Operations Manual -> Configure network connectors] and link:https://neo4j.com/docs/bolt/current/bolt/[Bolt Protocol].

|Connection URL
|You can get this from your instance details

|Database user
|Neo4j by default

|Password
|You are given the password when you initially create the instance

|Single sign-on
|If this is set up, you can use SSO.

|===

== Migrate metadata from Workspace

If you have an existing Aura instance, you can migrate the metadata from Workspace to the new console and continue working with your data in the new experience.
The metadata includes the data model and saved Cypher queries.
//Add Perspectives and Scenes when they are available.

=== Data model

From the *Import* tab in Workspace, open the more menu (*...*) and download the model, with or without data.

[.shadow]
image::export-model.png[width=300]

Then navigate to the new console and select *Import* -> *Graph models*.
Once you select *New graph model*, you access the more menu (*...*), similar to Workspace, and select *Open model* with or without data.

[.shadow]
image::import-model.png[width=600]

Note that if you have downloaded your data with the model, you can also go a different route via *Import* -> *Data sources* and select *New data source* and then import locally from files.
This leads you to the same *Import* frame as the first route and you can use the more menu (*...*) to open the model *with* your data.

=== Saved Cypher

Any saved Cypher snippets can be downloaded from the *Query* tab in Workspace.
From the Saved Cypher drawer, use the *Export* button to download selected queries as a _.csv_ file.

[.shadow]
image::export-saved-cypher.png[width=300]

In the new console, navigate to the *Query* tab and open the *Saved Cypher* drawer.
Use the *Import* button and select the _.csv_ file you downloaded from Workspace.

[.shadow]
image::import-saved-cypher.png[width=400]

=== Perspectives

Perspectives, except for the default Perspective (which is automatically re-created in the new console), can be exported from the Perspective drawer in Workspace.
Use the *Export* option on the Perspective you want to save.
It is exported as a _.json_ file.

[.shadow]
image::export-perspective.png[width=300]

In the new console, navigate to the *Explore* tab and open the *Perspective* drawer.
Use the *Import* option and select the _.json_ file you downloaded from Workspace.

[.shadow]
image::import-perspective.png[width=600]








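Review bot: the Protocol row of the connection table has a duplicated phrase and a malformed scheme: `If you are a new user, you can use the default the default `neo4j+s//`.` should read `If you are a new user, you can use the default `neo4j+s://`.` (the colon is missing, so a reader who copies the value into a driver gets an invalid URI). Since this is the page that tells new users which scheme to pick, it is worth one clause saying that the `+s` variant is the encrypted (TLS) connection with certificate verification, so nobody drops to a scheme without it while troubleshooting; the existing links to the connectors page and the Bolt protocol page can carry the detail. The password sentence under Create an instance is good as written; the same paragraph could add that the password belongs in a secrets manager rather than in a downloads folder, since the page itself states it cannot be recovered.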
2 changes: 1 addition & 1 deletion modules/ROOT/pages/security/encryption.adoc
@@ -203,4 +203,4 @@ You will need these in the next steps.

. Go to the Google Cloud console, click into the key and go to *Permissions* then *Grant Access*.
. In *Add principals* paste the three service accounts from the Aura Console.
. In *Assign roles* assign both *Cloud KMS CryptoKey Encrypter/Decrypter* and *Cloud KMS Viewer* roles to all three service accounts.
. In *Assign roles* assign both *Cloud KMS CryptoKey Encrypter/Decrypter* and *Cloud KMS Viewer* roles to all three service accounts.
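Review bot: the removed and added lines of this hunk read identically, so the change is presumably a trailing-whitespace or end-of-file newline fix; a word to that effect in the commit message saves the next reviewer a diff-by-eye. On the content itself, the procedure binds *Cloud KMS CryptoKey Encrypter/Decrypter* and *Cloud KMS Viewer* after clicking into the key, which scopes the grant to that key; consider saying explicitly that the roles should be bound on the key and not project-wide, so the three service accounts cannot use any other key in the project.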
15 changes: 15 additions & 0 deletions modules/ROOT/pages/security/tool-auth.adoc
@@ -0,0 +1,15 @@
[[tool-auth]]
= Tool authentication
:description: This section describes the seamless tool authentication functionality in AuraDB.

Organization admins can allow users in a project to seamlessly and securely connect to a project and the instances within it.

This feature can be enabled and configured from the Org settings.

As an Org admin, you maintain access control of all projects within the organization.
You can select which projects and instances users can connect seamlessly to and which they should be required to use username and password to connect to.

To prevent unauthorized access and allow Project admins full access control, the authentication is used in conjunction with predefined roles with varying levels of access to the database.

This means that Project admins assign roles to the users that grants them seamless connection to the project and its instances as well as certain privileges to the databases there.
See xref:user-management.adoc#roles[User management - Roles] for more information.
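Review bot: the page never says what actually authenticates a user when they connect "seamlessly" (the console session, an SSO identity, something else), nor what happens for instances that are not selected in Org settings, so a reader cannot judge the security trade-off the title promises. Suggest one sentence on the mechanism and one stating that instances not enabled for the feature keep requiring username and password. Two smaller points: `assign roles to the users that grants them` should be `that grant them`, and the `:description:` names AuraDB while the body speaks of projects and instances generically; use one term.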
192 changes: 174 additions & 18 deletions modules/ROOT/pages/user-management.adoc
@@ -152,40 +152,196 @@ Each project can have multiple users with individual accounts allowing access to
The users with access to a project can be viewed and managed from the **Users** page.
You can access the **Users** page by selecting **Users** from the sidebar menu of the console.

=== Roles
[[roles]]
== Roles

Users within a project can be assigned one of the following roles:
Users within a project can be assigned one of the following predefined roles:

* _Project Admin_
* _Project Member_
* _Project Viewer_
* _Metrics Reader_

These roles grant the users certain privileges both on the console level as well as on the instance level.
The roles are immutable and every new user needs to be assigned one.

:check-mark: icon:check[]

.Roles
[opts="header",cols="3,1,1,1"]
.Roles and console capabilities
[opts="header",cols="3,^,^,^"]
|===
| Capability | Admin | Member | Viewer
| Capability | Viewer | Member | Admin
| View users and their roles | {check-mark} | {check-mark} | {check-mark}
| View and open instances | {check-mark} | {check-mark} | {check-mark}
| Access the Neo4j Customer Support Portal | {check-mark} | {check-mark} | {check-mark}
| Perform all actions on instances footnote:[Actions include creating, deleting, pausing, resuming, and editing instances.] | {check-mark} | {check-mark} |
| Clone data to new and existing instances | {check-mark} | {check-mark} |
| Take on-demand snapshots | {check-mark} | {check-mark} |
| Restore from snapshots | {check-mark} | {check-mark} |
| Edit the project name | {check-mark} | |
| Invite new users to the project | {check-mark} | |
| Edit existing users' roles | {check-mark} | |
| Delete existing users from the project | {check-mark} | |
| View and edit billing information | {check-mark} | |
| Perform all actions on instances footnote:[Actions include creating, deleting, pausing, resuming, and editing instances.] | | {check-mark} | {check-mark}
| Clone data to new and existing instances | | {check-mark} | {check-mark}
| Take on-demand snapshots | | {check-mark} | {check-mark}
| Restore from snapshots | | {check-mark} | {check-mark}
| Edit the project name | | | {check-mark}
| Invite new users to the project | | | {check-mark}
| Edit existing users' roles | | | {check-mark}
| Delete existing users from the project | | | {check-mark}
| View and edit billing information | | | {check-mark}
|===

[NOTE]
====
Each project must have at least one Project Admin, but it is also possible for projects to have multiple Project Admins.
====

Additionally, predefined roles are assigned certain privileges on the instance level as well.

.Roles and database privileges
[options="header", cols="3,^,^,^,^,^"]
|===
| Privilege
| Viewer
| Member
3+| Admin

|
|
|
| Free
| Professional
| Business Critical

| Access to database
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| List constraints
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| Create constraints
|
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}


| Delete constraints
|
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| List indexes
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| Create indexes
|
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| Delete indexes
|
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| Find nodes and relationships and read their properties
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| Load external data in queries
|
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| Write to the graph
|
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| Name management for node labels, relationship types, and property names.
|
| {check-mark}
| {check-mark}
| {check-mark}
| {check-mark}

| List and end transactions for specified users on the database.
|
|
| {check-mark}
| {check-mark}
| {check-mark}

| List, create, delete, and modify users.
|
|
|
| {check-mark}
| {check-mark}

| List roles
|
|
|
| {check-mark}
| {check-mark}

| Create roles
|
|
|
|
| {check-mark}

| Assign roles
|
|
|
| {check-mark}
| {check-mark}

| Rename roles
|
|
|
|
| {check-mark}

| Remove roles
|
|
|
| {check-mark}
| {check-mark}

| Privilege management footnote:[This includes to list, grant, and revoke privileges.]
|
|
|
|
| {check-mark}
|===

=== Inviting users

As an _Admin_, to invite a new user:
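Review bot: promoting `=== Roles` to `== Roles` (with the new `[[roles]]` anchor) leaves `=== Inviting users` directly below it, so the inviting section now nests under Roles instead of under the project users section; either keep Roles at `===` or promote the following headings as well. Two smaller points in the same hunk: the first table uses `[opts="header",...]` while the second uses `[options="header", ...]` (both work, pick one), and the `:check-mark: icon:check[]` attribute is defined mid-page rather than in the document header. The new *Roles and database privileges* table is a useful addition for readers sizing up least privilege; since the rows for creating and renaming roles and the *Privilege management* footnote show that only a Business Critical admin gets full RBAC control, consider one sentence above the table saying so, rather than leaving it to be inferred from the check marks.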
@@ -232,7 +388,7 @@ You can select the project(s) you have been invited to and choose to accept or d

// You can also close the **Project invitation** modal without accepting or declining the invite(s) and later manually re-open the modal by selecting the **Pending invites** envelope icon in the console header.

[TIP]
====
User management within the Aura console does not replace built-in roles or fine-grained RBAC at the database level.
====
// [TIP]
// ====
// User management within the Aura console does not replace built-in roles or fine-grained RBAC at the database level.
// ====
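Review bot: commenting out the TIP removes the one sentence warning that console user management does not replace built-in roles or fine-grained RBAC at the database level, in the same PR that adds a table mapping console roles to database privileges; readers may now conclude the console is the whole access-control story. If the tip is being retired because the new table covers it, replace it with a cross-reference to the *Roles and database privileges* table; otherwise keep it visible.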