docs: updated and added OIDC credential forwarding COPS-264 and COPS-284 #2692
Conversation
|
Maybe we should have a figure showing the OIDC flow as well... Something like the one bellow. As of now, the added documentation is written as if there is a figure included. |
modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc
Show resolved
Hide resolved
| When creating a remote database alias, the credentials used to target to the remote DBMS need to be specified. This can be done by providing the credentials of a native user, or | ||
| by forwarding the OIDC credentials of the user logged in to the local DBMS. |
There was a problem hiding this comment.
We probably need to have one of these version tags somewhere indicating that CREDENTIAL FORWARDING is new.
I believe we would want that to show the version in which we set internal.cypher.enable_oidc_credential_forwarding to default to true. Before we set that flag to true I think we would want the SHOW updates to be done and also have done our manual testing.
Question for the docs reviewer: Do we ever document features that aren't released yet, e.g. "This feature is in beta and you need to set config x.y.z=true to access it"
There was a problem hiding this comment.
I've added a few labels now
modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc
Outdated
Show resolved
Hide resolved
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Show resolved
Hide resolved
| . Set up SSO and support for the identity provider. | ||
| . Map the identity provider groups to the Neo4j roles. This is where the permission to use the remote database alias is set. |
There was a problem hiding this comment.
I think we might want more details here. I.e. the same OIDC config as for B, and maybe the command to create the alias and the commands to give Carol a role with access on the alias.
There was a problem hiding this comment.
Duplicated and moved the Manage remote database aliases section to be included under both setup examples. A bit of duplicate information but might be a better way of having it, the Connect to remote database aliases still lies outside the two setup examples.
evelinadanielsson
force-pushed
the
dev-update-create-show-remote-database-alias-docs
branch
from
1d858a2 to
8d95871
Compare
| When using `OIDC CREDENTIAL FORWARDING` the actual end-user's credentials and permissions will be used, this will result in per-user audit trails being logged on the remote DBMS. | ||
| ==== | ||
|
|
||
| [NOTE] |
There was a problem hiding this comment.
A lot of [NOTE] containers after each other, is this ok or should we structure it in a different way?
There was a problem hiding this comment.
I think it's fine, maybe docs reviewer has a better idea 🤷
evelinadanielsson
force-pushed
the
dev-update-create-show-remote-database-alias-docs
branch
from
82c30c3 to
6d3f524
Compare
evelinadanielsson
added
the
team-cypher-operations
|
Included this figure, matching the design of the one for stored credentials on the same page.
|
evelinadanielsson
force-pushed
the
dev-update-create-show-remote-database-alias-docs
branch
2 times, most recently
from
3050604 to
82c30c3
Compare
evelinadanielsson
changed the title
I think the "token" arrow should go from IDP to Carol. Do we need the second DB in DBMS B? |
l-heemann
left a comment
l-heemann
left a comment
There was a problem hiding this comment.
Starting to look very good I think. Mostly some nit-picks left
modules/ROOT/pages/database-administration/aliases/manage-aliases-standard-databases.adoc
Show resolved
Hide resolved
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
| _Bob_ is the administrator responsible for the setup of the remote DBMS, which includes the following steps: | ||
|
|
||
| . Set up SSO and support for the identity provider. | ||
| . Map the identity provider groups to the Neo4j roles. If you don’t want specific users to access `Db2`, here is where you set it. |
There was a problem hiding this comment.
Maybe this is a good point to link to
https://neo4j.com/docs/operations-manual/current/tutorial/tutorial-sso-configuration/
Same for "Configure local DBMS" below
There was a problem hiding this comment.
I added SSO tutorials as you mentioned, but I have previously added xref:authentication-authorization/sso-integration.adoc#auth-sso-map-idp-roles[Map the identity provider groups to the Neo4j roles] in other places of in the docs when talking about the mapping, which links to https://neo4j.com/docs/operations-manual/2025.10/authentication-authorization/sso-integration/#auth-sso-map-idp-roles
evelinadanielsson
force-pushed
the
dev-update-create-show-remote-database-alias-docs
branch
3 times, most recently
from
6d237b1 to
6173293
Compare
| When using `OIDC CREDENTIAL FORWARDING` the actual end-user's credentials and permissions will be used, this will result in per-user audit trails being logged on the remote DBMS. | ||
| ==== | ||
|
|
||
| [NOTE] |
There was a problem hiding this comment.
I think it's fine, maybe docs reviewer has a better idea 🤷
evelinadanielsson
force-pushed
the
dev-update-create-show-remote-database-alias-docs
branch
from
6173293 to
bdd167a
Compare
|
I've made some editorial changes, but I haven't finished reviewing the PR. |
|
@renetapopova this feature is not yet GA so we can keep the do not merge tag on til further 🙂 |
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
| _Carol_ can use her own regular credentials to access the remote database `Db1` in DBMS after _Alice_ assigns this privilege to her user profile. | ||
| This configuration will also allow _Carol_ to access `Db2` in **DBMS B**. | ||
| If the administrators decide this should not be the case, then _Bob_ must define the appropriate privileges (see xref:authentication-authorization/index.adoc[Authentication and authorization] for further information). | ||
| _Carol_ can use her own regular credentials to access the remote database `db1` in *DBMS B* after _Alice_ assigns this privilege to her user profile. |
There was a problem hiding this comment.
If Carol can access db1 directly, why would she need the access to the remote alias of this db1?
There was a problem hiding this comment.
I agree, usually* Carol would not have access directly on the remote DBMS B. Carol uses her own regular credentials to log into DBMS A and access db1-remote-alias. The alias then uses the stored credentials (alice/secretpassword)** to log into DBMS B and access the database db1.
* There are edge cases where it is useful to have both types of access, but that is out of scope for these docs.
** It is very confusing that we use alice to reference to the person that is administering DBMS A and also use alice as the stored credentials. We should be using different credentials for this.
There was a problem hiding this comment.
Why are we updating the docs for the stored native credentials? They need a lot of work, I would prefer if we can get the new credential forwarding docs merged before we start improving the existing docs.
| This configuration will also allow _Carol_ to access `Db2` in **DBMS B**. | ||
| If the administrators decide this should not be the case, then _Bob_ must define the appropriate privileges (see xref:authentication-authorization/index.adoc[Authentication and authorization] for further information). | ||
| _Carol_ can use her own regular credentials to access the remote database `db1` in *DBMS B* after _Alice_ assigns this privilege to her user profile. | ||
| This configuration will also allow _Carol_ to access `db2` in *DBMS B*, if _Bob_ grants the necessary privileges to the user profile shared with _Alice_. |
There was a problem hiding this comment.
tbh, this sentence is confusing. Which configuration are we speaking about?
Is the following correct?:
If Alice assigns necessary privileges to Carol to access both databases on a remote DBMS B, then Bob has to grant the same privileges to Carol. And only after aligning all privileges, Carol will get access to the db2.
On the other hand, earlier we say that "Alice is the administrator that assigns who has access to the privileges set by Bob." See line 38.
So, who is the head here: Alice or Bob? We set access to the databases 1 and 2? Is it even important here, in this guide?
There was a problem hiding this comment.
I understand it like this: Bob grants privileges for accessing dbs in DBMS B to Carol's user profile, which he shares with Alice. Then, Alice decides which of those privileges to assign to Carol to access via the local DBMS. I am not sure how this will work, given that we have just one remote database alias, and it's for db1.
There was a problem hiding this comment.
The docs are using alice for both the stored credentials and for the person that administers DBMS A. This is confusing. We should change the name for this user to something like alias_user. I will write the rest here as if the Example setup administrator B has been updated to:
CREATE USER alias_user SET PASSWORD 'secretpassword'
CREATE ROLE remote
GRANT ACCESS ON DATABASE db1 TO remote
GRANT MATCH {*} ON GRAPH db1 TO remote
GRANT ROLE remote TO alias_user
Bob is not granting privileges to either Carol nor Alice. Bob is only granting access to alias_user. Bob then gives the username/password for alias_user to Alice.
Bob stays in control over what happens on DBMS B:
- He can delete
alias_user - He can grant or deny the
readandwriteprivileges on db1 / db2 to the groupremote
Alice creates a remote alias using the credentials given by Bob:
CREATE ALIAS `db1-remote-alias` FOR DATABASE `db1` AT "neo4j+s://location:7687" USER alias_user PASSWORD 'secretpassword'
Anybody who accesses this alias connects to DBMS B as if they where alias_user.
This alias is specifically for db1 on DBMS B. Alice could create another alias for db2 however alias_user (remote) does not yet have access to db2. Bob would need to do:
GRANT ACCESS ON DATABASE db2 TO remote
GRANT MATCH {*} ON GRAPH db2 TO remote
Alice is in control over what happens on DBMS A:
- She can delete the alias
- She can grant or deny the
accessprivilege ondb1-remote-alias
Carol is only able to do anything if:
- She is able to log into DBMS A
- Her user account on DBMS A has the privilege to access
db1-remote-alias - The credentials stored on
db1-remote-aliasare able to log into DBMS B - The credentials stored on
db1-remote-aliashave read or write privileges ondb1
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
| ---- | ||
|
|
||
| == Manage remote database aliases | ||
| === Manage remote database aliases |
There was a problem hiding this comment.
This section is about Carol, isn’t it? When she gets all privileges, she can manage the remote database alias
There was a problem hiding this comment.
No. Alice is the administrator of DBMS A and should be the one that is managing the remote database alias.
Carol is a non-admin user, she only uses the alias that Alice has set up.
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
| dbms.security.oidc.<provider>.authorization.group_to_role_mapping= "engineers" = admin; \ | ||
| "collaborators" = reader | ||
| ---- | ||
| === Manage remote database aliases |
There was a problem hiding this comment.
so, this section is about Carol and how she is going to manage remote database alias for db1.
There was a problem hiding this comment.
I think so, but I am not sure if the command GRANT CREATE ALIAS ON DBMS TO admin is assigned to her or to Alice. Additionally, there has been no administrator role so far. Do we mean the role admin (the role mapped to engineers, which Carol is part of) or remote (the one Alice is assigned to) here? @l-heemann
There was a problem hiding this comment.
Ah this is more confusing setup probably copied over from somewhere else.
Carol should not have admin or administrator for this documentation.
Alice technically needs the CREATE ALIAS privilege to execute CREATE ALIAS ....
However I think we can safely assume that Alice and Bob have the default admin role on DBMS A and DBMS B respectively.
modules/ROOT/pages/database-administration/aliases/remote-database-alias-configuration.adoc
Outdated
Show resolved
Hide resolved
|
This PR includes documentation updates Updated pages: |
| [source, Cypher] | ||
| ---- | ||
| GRANT CREATE ALIAS ON DBMS TO administrator | ||
| GRANT ACCESS ON DATABASE `db1-remote-alias` TO remote |
There was a problem hiding this comment.
This should maybe be something along the lines of
CREATE ROLE remote_access
GRANT ACCESS ON DATABASE `db1-remote-alias` TO remote_access
GRANT ROLE remote_access TO CAROL
To disambiguate the remote role on DBMS B from this role on DBMS A.
There was a problem hiding this comment.
Also this should happen after the
CREATE ALIAS `db1-remote-alias`
below. Otherwise the GRANT ACCESS fails with db1-remote-alias doesn't exist.
l-heemann
left a comment
l-heemann
left a comment
There was a problem hiding this comment.
I don't have time to properly review the entire page today. I believe it would be good to merge the new credential forwarding docs without updating all the existing docs and then re-write the existing docs as a separate cleanup task.
I wouldn't merge this PR. If we are confused, users will be even more confused. Also, wasn't this feature behind a feature flag? I'll try to accommodate your comments, @l-heemann, and then we'll see. |
5 participants
We have added OIDC credential forwarding as an additional way to configure a remote database alias. We need to update and add documentation to describe how it is supposed to be used and how it works.