From 60e62c66aac0dec80a674fd994ed3a6154ea2466 Mon Sep 17 00:00:00 2001 From: Lasse Heemann Date: Wed, 12 Nov 2025 11:28:38 +0100 Subject: [PATCH 1/9] Add 22ND1 and 22ND2 Roles are not allowed to have denied privileges and auth rules at the same time --- modules/ROOT/content-nav.adoc | 2 + modules/ROOT/pages/changelogs.adoc | 16 +++++ .../ROOT/pages/errors/gql-errors/22ND1.adoc | 62 +++++++++++++++++++ .../ROOT/pages/errors/gql-errors/22ND2.adoc | 61 ++++++++++++++++++ .../ROOT/pages/errors/gql-errors/index.adoc | 11 ++++ 5 files changed, 152 insertions(+) create mode 100644 modules/ROOT/pages/errors/gql-errors/22ND1.adoc create mode 100644 modules/ROOT/pages/errors/gql-errors/22ND2.adoc diff --git a/modules/ROOT/content-nav.adoc b/modules/ROOT/content-nav.adoc index dc2854a3..78b62e58 100644 --- a/modules/ROOT/content-nav.adoc +++ b/modules/ROOT/content-nav.adoc @@ -160,6 +160,8 @@ **** xref:errors/gql-errors/22NBD.adoc[] **** xref:errors/gql-errors/22NBE.adoc[] **** xref:errors/gql-errors/22NBF.adoc[] +**** xref:errors/gql-errors/22ND1.adoc[] +**** xref:errors/gql-errors/22ND2.adoc[] *** xref:errors/gql-errors/index.adoc#invalid-transaction-state[Invalid transaction state] **** xref:errors/gql-errors/25G02.adoc[] **** xref:errors/gql-errors/25N01.adoc[] diff --git a/modules/ROOT/pages/changelogs.adoc b/modules/ROOT/pages/changelogs.adoc index dbdd0237..ec341cc7 100644 --- a/modules/ROOT/pages/changelogs.adoc +++ b/modules/ROOT/pages/changelogs.adoc @@ -1,6 +1,22 @@ :description: This page lists all changes to status codes per Neo4j version. = Changes to status codes per Neo4j version +// TODO don't know release date yet +== Neo4j 2025.XX +**New:** +[options="header", cols="<1m,<1"] +|=== +| GQLSTATUS +| Neo4j code + +| 22ND1 +| Neo.ClientError.General.InvalidArguments + +| 22ND2 +| Neo.ClientError.General.InvalidArguments + +|=== + == Neo4j 2025.11 **New:** [options="header", cols="<1m,<1"] diff --git a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc new file mode 100644 index 00000000..5c7a87c1 --- /dev/null +++ b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc @@ -0,0 +1,62 @@ +// TODO don't know release date yet +:page-role: new-2025.XX += 22N81 + +== Status description +error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. + +== Explanation +If an auth rule fails to evaluate, for example because it depends on a claim that the users auth token does not have, Neo4j will default to not give the role to the user. + +When a role contains denied privileges, not giving it to the user leads to elevated privileges. In order to avoid this, roles are prohibited from having denied privileges and be granted to an auth rule at the same time. + +This exception is thrown when attempting to DENY a privilege from a role that is already used by an auth rule. + +== Example scenario +Given that a role is used by an auth rule: +[source, cypher] +---- +CYPHER 25 GRANT ROLE role TO AUTH RULE authrule +---- + +When attempting to deny privileges from the role: +[source, cypher] +---- +DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role +---- +The following error will be thrown. +[source] +---- +error: data exception - operation not allowed here. Invalid input: 'DENY MATCH {*} ON GRAPH secret-db NODES * TO role' is not allowed for roles that are granted to an AUTH RULE. +---- + +[NOTE] +==== +The error message contains the subset of the original query that caused the issue. +Since `otherrole` is not granted to an auth rule it is not included. +==== + +== Possible solutions +Consider if it is possible to implement the security model without using denied privileges. +Often it is possible to revoke granted privileges or reducing the scope of grant statements. + +In the example above, a generic grant such as +[source, cypher] +---- +GRANT MATCH {*} ON GRAPH * NODES * TO role, otherrole +---- +could be replaced by a more fine-grained alternative: +[source, cypher] +---- +GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole +---- + + +If a DENY is required, it needs to be set on a role that is applied directly to users without using auth rules to guarantee that it will always be applied. + +ifndef::backend-pdf[] +[discrete.glossary] +== Glossary + +include::partial$glossary.adoc[] +endif::[] diff --git a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc new file mode 100644 index 00000000..331ec07e --- /dev/null +++ b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc @@ -0,0 +1,61 @@ +// TODO don't know release date yet +:page-role: new-2025.XX += 22N81 + +== Status description +error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. + +== Explanation +If an auth rule fails to evaluate, for example because it depends on a claim that the users auth token does not have, Neo4j will default to not give the role to the user. + +When a role contains denied privileges, not giving it to the user leads to elevated privileges. In order to avoid this, roles are prohibited from having denied privileges and be granted to an auth rule at the same time. + +This exception is thrown when attempting to grant a role to an auth rule when the role has denied privileges. + +== Example scenario +Given that a role has denied privileges: +[source, cypher] +---- +DENY MATCH {*} ON GRAPH secret-db NODES * TO role +---- + +When attempting to assign the role to an auth rule: +[source, cypher] +---- +CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule +---- +The following error will be thrown. +[source] +---- +error: data exception - operation not allowed here. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with DENY privileges. +---- + +[NOTE] +==== +The error message contains the subset of the original query that caused the issue. +Since `otherrole` does not have denied privileges it is not included. +==== + +== Possible solutions +Consider if it is possible to implement the security model without using denied privileges. +Often it is possible to revoke granted privileges or reducing the scope of grant statements. + +In the example above, a generic grant such as +[source, cypher] +---- +GRANT MATCH {*} ON GRAPH * NODES * TO role, otherrole +---- +could be replaced by a more fine-grained alternative: +[source, cypher] +---- +GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole +---- + +If a DENY is required, it needs to be set on a role that is applied directly to users without using auth rules to guarantee that it will always be applied. + +ifndef::backend-pdf[] +[discrete.glossary] +== Glossary + +include::partial$glossary.adoc[] +endif::[] diff --git a/modules/ROOT/pages/errors/gql-errors/index.adoc b/modules/ROOT/pages/errors/gql-errors/index.adoc index 6b82c856..8b4c5061 100644 --- a/modules/ROOT/pages/errors/gql-errors/index.adoc +++ b/modules/ROOT/pages/errors/gql-errors/index.adoc @@ -644,6 +644,17 @@ Status description:: error: data exception - invalid vector dimensions. Invalid Status description:: error: data exception - property value too big. Property value of type `{ <> }` is too big (more than `{ <> }` bytes): `{ <> }` +// TODO don't know release date yet +[role=label--new-2025.XX] +=== xref:errors/gql-errors/22ND1.adoc[22ND1] + +Status description:: error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. + +// TODO don't know release date yet +[role=label--new-2025.XX] +=== xref:errors/gql-errors/22ND2.adoc[22ND2] + +Status description:: error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. [[invalid-transaction-state]] == Invalid transaction state From 8b6b46333af46f275032e0ae900571435b766891 Mon Sep 17 00:00:00 2001 From: Lasse Heemann Date: Thu, 13 Nov 2025 08:51:07 +0100 Subject: [PATCH 2/9] Fix copy-paste error --- modules/ROOT/pages/errors/gql-errors/22ND1.adoc | 2 +- modules/ROOT/pages/errors/gql-errors/22ND2.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc index 5c7a87c1..167d1937 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc @@ -1,6 +1,6 @@ // TODO don't know release date yet :page-role: new-2025.XX -= 22N81 += 22ND1 == Status description error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. diff --git a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc index 331ec07e..915c3795 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc @@ -1,6 +1,6 @@ // TODO don't know release date yet :page-role: new-2025.XX -= 22N81 += 22ND2 == Status description error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. From b0b661ffdbdfdb3077496c5097b343003be1a1c1 Mon Sep 17 00:00:00 2001 From: Lasse Heemann Date: Thu, 13 Nov 2025 08:51:20 +0100 Subject: [PATCH 3/9] Remove changelog updates --- modules/ROOT/pages/changelogs.adoc | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/modules/ROOT/pages/changelogs.adoc b/modules/ROOT/pages/changelogs.adoc index ec341cc7..dbdd0237 100644 --- a/modules/ROOT/pages/changelogs.adoc +++ b/modules/ROOT/pages/changelogs.adoc @@ -1,22 +1,6 @@ :description: This page lists all changes to status codes per Neo4j version. = Changes to status codes per Neo4j version -// TODO don't know release date yet -== Neo4j 2025.XX -**New:** -[options="header", cols="<1m,<1"] -|=== -| GQLSTATUS -| Neo4j code - -| 22ND1 -| Neo.ClientError.General.InvalidArguments - -| 22ND2 -| Neo.ClientError.General.InvalidArguments - -|=== - == Neo4j 2025.11 **New:** [options="header", cols="<1m,<1"] From f569c206358bda4c739fc17b7fd2a4096d0e0a06 Mon Sep 17 00:00:00 2001 From: Lasse Heemann Date: Tue, 18 Nov 2025 12:52:22 +0100 Subject: [PATCH 4/9] Update sub-condition as it must be unique --- modules/ROOT/pages/errors/gql-errors/22ND1.adoc | 4 ++-- modules/ROOT/pages/errors/gql-errors/22ND2.adoc | 4 ++-- modules/ROOT/pages/errors/gql-errors/index.adoc | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc index 167d1937..a01220b9 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc @@ -3,7 +3,7 @@ = 22ND1 == Status description -error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. +error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. == Explanation If an auth rule fails to evaluate, for example because it depends on a claim that the users auth token does not have, Neo4j will default to not give the role to the user. @@ -27,7 +27,7 @@ DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role The following error will be thrown. [source] ---- -error: data exception - operation not allowed here. Invalid input: 'DENY MATCH {*} ON GRAPH secret-db NODES * TO role' is not allowed for roles that are granted to an AUTH RULE. +error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: 'DENY MATCH {*} ON GRAPH secret-db NODES * TO role' is not allowed for roles that are granted to an AUTH RULE. ---- [NOTE] diff --git a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc index 915c3795..f26a633a 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc @@ -3,7 +3,7 @@ = 22ND2 == Status description -error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. +error: data exception - operation not allowed for roles with DENY privileges. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. == Explanation If an auth rule fails to evaluate, for example because it depends on a claim that the users auth token does not have, Neo4j will default to not give the role to the user. @@ -27,7 +27,7 @@ CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule The following error will be thrown. [source] ---- -error: data exception - operation not allowed here. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with DENY privileges. +error: data exception - operation not allowed for roles with DENY privileges. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with DENY privileges. ---- [NOTE] diff --git a/modules/ROOT/pages/errors/gql-errors/index.adoc b/modules/ROOT/pages/errors/gql-errors/index.adoc index 8b4c5061..1bdd5fa7 100644 --- a/modules/ROOT/pages/errors/gql-errors/index.adoc +++ b/modules/ROOT/pages/errors/gql-errors/index.adoc @@ -648,13 +648,13 @@ Status description:: error: data exception - property value too big. Property va [role=label--new-2025.XX] === xref:errors/gql-errors/22ND1.adoc[22ND1] -Status description:: error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. +Status description:: error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. // TODO don't know release date yet [role=label--new-2025.XX] === xref:errors/gql-errors/22ND2.adoc[22ND2] -Status description:: error: data exception - operation not allowed here. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. +Status description:: error: data exception - operation not allowed for roles with DENY privileges. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. [[invalid-transaction-state]] == Invalid transaction state From c45d64efa467e98a5e37635b99a307c2cef6f234 Mon Sep 17 00:00:00 2001 From: Lasse Heemann Date: Wed, 19 Nov 2025 15:08:46 +0100 Subject: [PATCH 5/9] Remove version labels --- modules/ROOT/pages/errors/gql-errors/22ND1.adoc | 2 -- modules/ROOT/pages/errors/gql-errors/22ND2.adoc | 2 -- 2 files changed, 4 deletions(-) diff --git a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc index a01220b9..ab4aebbb 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc @@ -1,5 +1,3 @@ -// TODO don't know release date yet -:page-role: new-2025.XX = 22ND1 == Status description diff --git a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc index f26a633a..12338a05 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc @@ -1,5 +1,3 @@ -// TODO don't know release date yet -:page-role: new-2025.XX = 22ND2 == Status description From c2273f61ce6dcbefa937a9aa2a42981a8d2f8b4a Mon Sep 17 00:00:00 2001 From: Reneta Popova Date: Wed, 19 Nov 2025 15:53:58 +0000 Subject: [PATCH 6/9] regenerate the index file --- modules/ROOT/pages/errors/gql-errors/index.adoc | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/ROOT/pages/errors/gql-errors/index.adoc b/modules/ROOT/pages/errors/gql-errors/index.adoc index 1bdd5fa7..881a0826 100644 --- a/modules/ROOT/pages/errors/gql-errors/index.adoc +++ b/modules/ROOT/pages/errors/gql-errors/index.adoc @@ -644,18 +644,15 @@ Status description:: error: data exception - invalid vector dimensions. Invalid Status description:: error: data exception - property value too big. Property value of type `{ <> }` is too big (more than `{ <> }` bytes): `{ <> }` -// TODO don't know release date yet -[role=label--new-2025.XX] === xref:errors/gql-errors/22ND1.adoc[22ND1] Status description:: error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. -// TODO don't know release date yet -[role=label--new-2025.XX] === xref:errors/gql-errors/22ND2.adoc[22ND2] Status description:: error: data exception - operation not allowed for roles with DENY privileges. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. + [[invalid-transaction-state]] == Invalid transaction state From 145e7ecf0b42ae0b7dbbaeb003d2e9e542621dc9 Mon Sep 17 00:00:00 2001 From: Lasse Heemann <7661319+l-heemann@users.noreply.github.com> Date: Thu, 20 Nov 2025 09:18:00 +0100 Subject: [PATCH 7/9] Apply suggestions from code review Applied straightforward suggestions, leaving some suggestions that require more thought Co-authored-by: Reneta Popova --- .../ROOT/pages/errors/gql-errors/22ND1.adoc | 16 ++++++++------ .../ROOT/pages/errors/gql-errors/22ND2.adoc | 22 ++++++++++++------- 2 files changed, 23 insertions(+), 15 deletions(-) diff --git a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc index ab4aebbb..365e4c3e 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc @@ -1,15 +1,17 @@ = 22ND1 == Status description -error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. +error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <> }'` is not allowed for roles that are granted to an `AUTH RULE`. == Explanation -If an auth rule fails to evaluate, for example because it depends on a claim that the users auth token does not have, Neo4j will default to not give the role to the user. +If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. -When a role contains denied privileges, not giving it to the user leads to elevated privileges. In order to avoid this, roles are prohibited from having denied privileges and be granted to an auth rule at the same time. +When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. +To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule. -This exception is thrown when attempting to DENY a privilege from a role that is already used by an auth rule. +This exception is thrown when attempting to `DENY` a privilege from a role that is already used by an auth rule. +[[22ND1-example-scenario]] == Example scenario Given that a role is used by an auth rule: [source, cypher] @@ -30,8 +32,8 @@ error: data exception - operation not allowed for roles that are granted to an A [NOTE] ==== -The error message contains the subset of the original query that caused the issue. -Since `otherrole` is not granted to an auth rule it is not included. +The error message contains a subset of the original query that caused the issue. +Since `otherrole` is not granted to an auth rule, it is not included. ==== == Possible solutions @@ -50,7 +52,7 @@ GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole ---- -If a DENY is required, it needs to be set on a role that is applied directly to users without using auth rules to guarantee that it will always be applied. +If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied. ifndef::backend-pdf[] [discrete.glossary] diff --git a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc index 12338a05..13fcad0d 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc @@ -1,16 +1,21 @@ = 22ND2 == Status description -error: data exception - operation not allowed for roles with DENY privileges. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. +error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'{ <> }'` is not allowed for roles with `DENY` privileges. == Explanation -If an auth rule fails to evaluate, for example because it depends on a claim that the users auth token does not have, Neo4j will default to not give the role to the user. -When a role contains denied privileges, not giving it to the user leads to elevated privileges. In order to avoid this, roles are prohibited from having denied privileges and be granted to an auth rule at the same time. +If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. + + +When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. +To avoid this, roles cannot have both `DENY` privileges and be granted to an auth rule. This exception is thrown when attempting to grant a role to an auth rule when the role has denied privileges. +[[22ND2-example-scenario]] == Example scenario + Given that a role has denied privileges: [source, cypher] ---- @@ -22,20 +27,21 @@ When attempting to assign the role to an auth rule: ---- CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule ---- + The following error will be thrown. [source] ---- -error: data exception - operation not allowed for roles with DENY privileges. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with DENY privileges. +error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule'` is not allowed for roles with `DENY` privileges. ---- [NOTE] ==== -The error message contains the subset of the original query that caused the issue. -Since `otherrole` does not have denied privileges it is not included. +The error message contains a subset of the original query that caused the issue. +Since `otherrole` does not have denied privileges, it is not included. ==== == Possible solutions -Consider if it is possible to implement the security model without using denied privileges. +Consider whether it is possible to implement the security model without using denied privileges, for example, by revoking granted privileges or reducing the scope of the grant statements. Often it is possible to revoke granted privileges or reducing the scope of grant statements. In the example above, a generic grant such as @@ -49,7 +55,7 @@ could be replaced by a more fine-grained alternative: GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole ---- -If a DENY is required, it needs to be set on a role that is applied directly to users without using auth rules to guarantee that it will always be applied. +If a `DENY` is required, it must be set to a role that is directly assigned to users without using auth rules, to guarantee that it will always be applied. ifndef::backend-pdf[] [discrete.glossary] From 33b2e6794f3a100a872bef8bc0debf9503966512 Mon Sep 17 00:00:00 2001 From: Lasse Heemann Date: Thu, 20 Nov 2025 09:52:56 +0100 Subject: [PATCH 8/9] Refer to existing examples instead of repeating them --- modules/ROOT/pages/errors/gql-errors/22ND1.adoc | 8 +------- modules/ROOT/pages/errors/gql-errors/22ND2.adoc | 8 +------- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc index 365e4c3e..9820babb 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc @@ -38,14 +38,8 @@ Since `otherrole` is not granted to an auth rule, it is not included. == Possible solutions Consider if it is possible to implement the security model without using denied privileges. -Often it is possible to revoke granted privileges or reducing the scope of grant statements. -In the example above, a generic grant such as -[source, cypher] ----- -GRANT MATCH {*} ON GRAPH * NODES * TO role, otherrole ----- -could be replaced by a more fine-grained alternative: +For example, you can replace the generic grant from the <<22ND1-example-scenario, Example scenario>> with the following more fine-grained alternative: [source, cypher] ---- GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole diff --git a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc index 13fcad0d..e6d64f03 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc @@ -42,14 +42,8 @@ Since `otherrole` does not have denied privileges, it is not included. == Possible solutions Consider whether it is possible to implement the security model without using denied privileges, for example, by revoking granted privileges or reducing the scope of the grant statements. -Often it is possible to revoke granted privileges or reducing the scope of grant statements. -In the example above, a generic grant such as -[source, cypher] ----- -GRANT MATCH {*} ON GRAPH * NODES * TO role, otherrole ----- -could be replaced by a more fine-grained alternative: +For example, you can replace the generic grant from the <<22ND2-example-scenario, Example scenario>> with the following more fine-grained alternative: [source, cypher] ---- GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole From 9bc78bb91e1eb9a9033883a38145dc371dd762da Mon Sep 17 00:00:00 2001 From: Reneta Popova Date: Thu, 20 Nov 2025 12:08:33 +0000 Subject: [PATCH 9/9] fix the anchors and regenerate the index file --- modules/ROOT/pages/errors/gql-errors/22ND1.adoc | 10 +++++++--- modules/ROOT/pages/errors/gql-errors/22ND2.adoc | 9 +++++---- modules/ROOT/pages/errors/gql-errors/index.adoc | 6 +++--- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc index 9820babb..f1f00fd7 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND1.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND1.adoc @@ -4,6 +4,7 @@ error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <> }'` is not allowed for roles that are granted to an `AUTH RULE`. == Explanation + If an auth rule fails to evaluate, for example, because it depends on a claim that the user's auth token does not contain, Neo4j will default to not assigning that role to the user. When a role contains denied privileges, not assigning the role actually removes the denies, which means the user ends up with more privileges than they should. @@ -11,8 +12,9 @@ To avoid this, roles cannot have both `DENY` privileges and be granted to an aut This exception is thrown when attempting to `DENY` a privilege from a role that is already used by an auth rule. -[[22ND1-example-scenario]] +[[example-scenario-22nd1]] == Example scenario + Given that a role is used by an auth rule: [source, cypher] ---- @@ -24,7 +26,8 @@ When attempting to deny privileges from the role: ---- DENY MATCH {*} ON GRAPH secret-db NODES * TO otherrole, role ---- -The following error will be thrown. + +The following error will be thrown: [source] ---- error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: 'DENY MATCH {*} ON GRAPH secret-db NODES * TO role' is not allowed for roles that are granted to an AUTH RULE. @@ -37,9 +40,10 @@ Since `otherrole` is not granted to an auth rule, it is not included. ==== == Possible solutions + Consider if it is possible to implement the security model without using denied privileges. -For example, you can replace the generic grant from the <<22ND1-example-scenario, Example scenario>> with the following more fine-grained alternative: +For example, you can replace the generic grant from the <> with the following more fine-grained alternative: [source, cypher] ---- GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole diff --git a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc index e6d64f03..7a51cf43 100644 --- a/modules/ROOT/pages/errors/gql-errors/22ND2.adoc +++ b/modules/ROOT/pages/errors/gql-errors/22ND2.adoc @@ -13,7 +13,7 @@ To avoid this, roles cannot have both `DENY` privileges and be granted to an aut This exception is thrown when attempting to grant a role to an auth rule when the role has denied privileges. -[[22ND2-example-scenario]] +[[example-scenario-22nd2]] == Example scenario Given that a role has denied privileges: @@ -28,10 +28,10 @@ When attempting to assign the role to an auth rule: CYPHER 25 GRANT ROLE otherrole, role TO AUTH RULE authrule ---- -The following error will be thrown. +The following error will be thrown: [source] ---- -error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule'` is not allowed for roles with `DENY` privileges. +error: data exception - operation not allowed for roles with DENY privileges. Invalid input: 'CYPHER 25 GRANT ROLE role TO AUTH RULE authrule' is not allowed for roles with `DENY` privileges. ---- [NOTE] @@ -41,9 +41,10 @@ Since `otherrole` does not have denied privileges, it is not included. ==== == Possible solutions + Consider whether it is possible to implement the security model without using denied privileges, for example, by revoking granted privileges or reducing the scope of the grant statements. -For example, you can replace the generic grant from the <<22ND2-example-scenario, Example scenario>> with the following more fine-grained alternative: +For example, you can replace the generic grant from the <> with the following more fine-grained alternative: [source, cypher] ---- GRANT MATCH {*} ON GRAPH public-db, documentation-db NODES * TO role, otherrole diff --git a/modules/ROOT/pages/errors/gql-errors/index.adoc b/modules/ROOT/pages/errors/gql-errors/index.adoc index 881a0826..827bced7 100644 --- a/modules/ROOT/pages/errors/gql-errors/index.adoc +++ b/modules/ROOT/pages/errors/gql-errors/index.adoc @@ -646,11 +646,11 @@ Status description:: error: data exception - property value too big. Property va === xref:errors/gql-errors/22ND1.adoc[22ND1] -Status description:: error: data exception - operation not allowed for roles that are granted to an AUTH RULE. Invalid input: '{ <> }' is not allowed for roles that are granted to an AUTH RULE. +Status description:: error: data exception - operation not allowed for roles that are granted to an `AUTH RULE`. Invalid input: `'{ <> }'` is not allowed for roles that are granted to an `AUTH RULE`. === xref:errors/gql-errors/22ND2.adoc[22ND2] -Status description:: error: data exception - operation not allowed for roles with DENY privileges. Invalid input: '{ <> }' is not allowed for roles with DENY privileges. +Status description:: error: data exception - operation not allowed for roles with `DENY` privileges. Invalid input: `'{ <> }'` is not allowed for roles with `DENY` privileges. [[invalid-transaction-state]] @@ -1067,7 +1067,7 @@ Status description:: error: syntax error or access rule violation - missing LOOK === xref:errors/gql-errors/42I62.adoc[42I62] -Status description:: error: syntax error or access rule violation - unsupported distance metric. Unknown distance metric: `{ <> }`. +Status description:: error: syntax error or access rule violation - unsupported distance metric. Unknown distance metric: `{ <> }`. === xref:errors/gql-errors/42I63.adoc[42I63]