neo4j functions: Interacting with a Neo4J database | Enterprise OPA
The neo4j built-in functions allow you to interact with a Neo4J database.
Check out our tutorial on querying Neo4J.
Auth
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| auth.scheme | String | Yes | | Determines the type of auth credentials to use with Neo4J. Must be one of none, basic, kerberos, or bearer. |
| auth.principal | String | No | | Stores the username when auth.scheme is basic. |
| auth.credentials | String | No | | Stores the password when auth.scheme is basic, the token when auth.scheme is bearer, and the ticket when auth.scheme is kerberos. |
| auth.realm | String | No | | Stores the (optional) realm when auth.scheme is basic. |
Errors
By default, and whenever raise_error is true, an error returned by the function halts policy evaluation.
If raise_error is false, then the response object contains the error in an error key instead of its usual response.
```json
{
  "error": ...
}
```
neo4j.query
The neo4j.query function allows you to make a query against a Neo4J database, returning multiple objects.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| uri | String | Yes | | The URI of the database. |
| auth | Object | No | | See Auth |
| cache | Bool | No | false | Cache the results of queries. |
| cache_duration | Integer | No | 60 | Duration (in seconds) to keep cached query results. |
| raise_error | Bool | No | true | See Errors |
| query | String | Yes | | Cypher query to run against the Neo4J database. |
| parameters | Object | No | | Parameters for substitution into the query. |
Example usage
```rego
neo4j.query({
  "auth": {
    "scheme": "basic",
    "principal": "neo4j",
    "credentials": "letmein1!",
  },
  "uri": "neo4j://localhost:7687",
  "query": "MATCH (n:Pet) WHERE n.age > $a RETURN n.name",
  "parameters": {"a": 3}
}) # => { "results": [ <object>, ... ] }
```
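The following policy is an added example, not taken from the Enterprise OPA documentation. It combines the raise_error and parameters options described above: caller-supplied values reach Cypher only through parameters, and the decision fails closed when the response carries an error key. The node labels, the OWNS relationship, the input fields, and the NEO4J_PASSWORD environment variable are assumptions.

```rego
package example

import rego.v1

# Constructed scenario: a user may read a pet record only if the graph
# links them to it. The labels (:User, :Pet), the :OWNS relationship and
# the input fields are hypothetical.

default allow := false

# raise_error is disabled so that a database failure comes back as data
# (an "error" key) instead of halting policy evaluation.
owner_lookup := neo4j.query({
  "uri": "neo4j://localhost:7687",
  "auth": {
    "scheme": "basic",
    "principal": "neo4j",
    # Assumption: the password is read from the OPA process environment.
    "credentials": opa.runtime().env.NEO4J_PASSWORD,
  },
  "raise_error": false,
  # Untrusted input is bound via $-parameters, never concatenated into the query.
  "query": "MATCH (u:User {id: $user})-[:OWNS]->(p:Pet {id: $pet}) RETURN p.id",
  "parameters": {"user": input.user, "pet": input.pet},
})

# Fail closed: an "error" key means the graph gave no usable answer.
lookup_failed if "error" in object.keys(owner_lookup)

# If input.user or input.pet is missing, owner_lookup is undefined and
# the default (deny) applies.
allow if {
  not lookup_failed
  count(owner_lookup.results) > 0
}
```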
Utility helpers
Enterprise OPA comes with a helper method for using this builtin together with
vault.send: neo4j.query.
This method is available in Enterprise OPA at data.system.eopa.utils.neo4j.v1.vault.
```rego
package example

import data.system.eopa.utils.neo4j.v1.vault as neo4j

example_1 := neo4j.query({"query": " ... ", "parameters": { ... }})
# => {"results": [ ... ]}
```
The utility method looks up connection data from a map it expects to find in
Vault, under the path secret/neo4j:
```json
{
  "uri": "...",
  "scheme": "...",
  "credentials": "...",
  "principal": "...",
  "realm": "..."
}
```
If uri is not defined, it defaults to neo4j://localhost:7687. The scheme, credentials, principal, and realm keys behave as in the auth field of the neo4j.query() request object; see Auth.
To override the secret path within Vault, use:
```rego
package example

import data.system.eopa.utils.neo4j.v1.vault as neo4j

neo4j_query(req) := result {
  result := neo4j.query(req)
    with neo4j.override.secret_path as "secret/prod/eopa-neo4j"
}

example_2 := neo4j_query({"query": " ... ", "parameters": { ... }})
# => {"results": [ ... ]}
```
If you need to override the Vault address or token, you can use this:
```rego
package example

import data.system.eopa.utils.vault.v1.env as vault
import data.system.eopa.utils.neo4j.v1.vault as neo4j

neo4j_query(req) := result {
  result := neo4j.query(req)
    with neo4j.override.secret_path as "secret/prod/eopa-neo4j"
    with vault.override.address as "localhost"
    with vault.override.token as "dev-token-2"
}

example_3 := neo4j_query({"query": " ... ", "parameters": { ... }})
# => {"results": [ ... ]}
```