Release Date: 25 September 2024

Aura September 2024

Neo4j 5.24 database feature updates for Aura

Important Notice for Neo4j Java Driver users 
We are aware of an issue relating to changes to the query notification service in 5.24, which can lead to outdated version of SDN or Neoj4-OGM returning java.lang.NullPointerException.  To avoid this, please ensure that you are using an up-to-date version of SDN or Neoj4-OGM.

The following SDN/OGM versions contain the required bug fix. All patch versions for both SDN and Neo4j-OGM are drop-in replacements and don’t require code changes.

SDN:
Relevant PR / Issue: https://github.com/spring-projects/spring-data-neo4j/pull/2822
  • Since 7.0.12 (Included in Spring Boot 3.0.13)
  • Since 7.1.6 (Included in Spring Boot 3.1.6)
  • Since 7.2.0 (Included in Spring Boot 3.2.0)
  • All of 7.3.x and higher (3.3.0)
SDN 6.x is out of support and requires commercial support from Broadcom.

Neo4j-OGM:
Relevant PR / Issue: https://github.com/neo4j/neo4j-ogm/issues/950
  • 3.2.41 and higher
  • 3.3.0 and higher
  • 4.0.6 and higher

Kernel

  • Neo4j-admin backup/restore can use a new option –temp-path to specify the temporary directory used when sending/receiving data to cloud object stores. For documentation, see Operations Manual (Backup). 
  • Neo4j-admin import can use a new option –schema to specify the Cypher schema commands to create indexes/constraints during the import process. For documentation, see Operations Manual (Full import). 

Surface for Developers and Data Scientists

  • Added the ability to dynamically reference labels and properties in SET and REMOVE clauses. For example: SET n[$prop], REMOVE n[$prop], SET n:$($label) and REMOVE n:$($label). For documentation, see SET and REMOVE
  • Added the GQL conformant OPTIONAL keyword to procedure and subquery calls. If no results are returned from the procedure or subquery, OPTIONAL CALL will return null instead of an empty result. For documentation, see Optional procedure calls and Optional subquery calls.
  • Allow ORDER BY, SKIP/OFFSET, and LIMIT to be standalone clauses. Before, they could be used only in combination with RETURN,  WITH,  or YIELD; now, they can be used anywhere in a query. The keyword OFFSET is a synonym for SKIP. These are now GQL conformant statements. For documentation, see LIMIT, ORDER BY, SKIP and OFFSET

Security

  • Authentication and authorization providers can now be controlled at a user-level with Cypher by setting the Auth Providers option on each user.  This allows each individual user to be authenticated and authorized by a combination of local user management and external user management via LDAP and Single Sign-On (SSO). 

This removes the limitations that exist today when managing users externally. Administrators who’ve linked a local user to an external user can now:

    • Define a ‘HOME DATABASE’ for the user
    • SUSPEND the user’s access using cypher
    • Map an external user to RBAC permissions locally 
    • Allow the user to authenticate to the database with a user friendly name while mapping a unique identifier in an external identity provider.

Example that links a local user to an external SSO user, and sets a role for the user. 

CREATE USER ian  # This is a local user

SET AUTH 'oidc-mysso' {SET ID ‘60a0-d58d-4353….’}  # Linked to a SSO user

GRANT ROLE READER TO ian # RBAC applied to the linked user 
 

For documentation see Operations Manual (User auth providers). 

  • Remove all privileges from natively authenticated users who are deleted mid-session, making the behaviour consistent with being suspended mid-session.
 

Fixes

    • Kernel Fixes
      • Block format import performance has been improved in cases with a high ratio between relationship data and page cache.
      • Fixed a bug that slowed down format migration. The bug has the effect that in some circumstances element ids were preserved during format migration. Please note that you cannot rely on element id preservation during format migration and compaction.
      • Fixed a bug only present in 5.23 that sometimes caused an invalid in-memory state regarding latest committed id after concurrent transactions. Symptoms can include failing backups with messages like: java.lang.IllegalArgumentException: Not a valid range. Range to [xx] must be higher or equal to range from [xx]. Can be fixed in 5.23 by restarting the server.
      • Fixed an issue in  block format  where relationship ids could be incorrectly reused instantly after deletion.
      • Fixed an issue in  block format  where the creation of label/relationship/property names larger than 8KB could lead to database panic.
    • Cypher Fixes
      • OIDC HTTP discovery parsing is more tolerant of missing mandatory fields in the IdP discovery response. These missing values can still be overridden by configuration. 
      • Fixes issues with incorrect evaluation order of UNION in some updating queries. 
    • Driver fixes
      • Fixes a bug where duplicated HTTP headers were returned when returning browser content.
    • Surface fixes
      • Making error messages more general when natively authenticated users are deleted or suspended mid-session. 
Please refer to the changelog for full details of the changes.