Recover admin user and password
This page describes how to reset a password to recover a user’s access when their password is lost. It specifically focuses on how to recover an admin user if all the admin users have been unassigned the admin role, and how to recreate the built-in admin role if it has been dropped.
Disable authentication
Single instance
-
Stop Neo4j:
bin/neo4j stop
-
Open the neo4j.conf file and set the dbms.security.auth_enabled parameter to false to disable the authentication:
dbms.security.auth_enabled=false
-
Block network connections during the recovery phase, so users can connect to Neo4j only via localhost. This can be achieved by temporarily commenting out the server.default_listen_address parameter and providing the specific localhost value:
server.default_listen_address=127.0.0.1
Ensure you have blocked all network connections for any individual services that are configured with their own listen_addresses.
-
Start Neo4j:
bin/neo4j start
Cluster
-
Stop all members of the cluster:
bin/neo4j stop
-
On each member, open the neo4j.conf file and modify the following settings:
  -
  Set the dbms.security.auth_enabled parameter to false to disable the authentication:
  dbms.security.auth_enabled=false
  -
  Disable the HTTP and HTTPS network connections and restrict the bolt connector to use only localhost. Set server.http.enabled to false. This ensures that no one from outside can access the cluster during the recovery period.
  server.http.enabled=false
  #server.https.enabled=true
  server.bolt.listen_address=127.0.0.1
-
Start all members of the cluster:
bin/neo4j start
Recover a lost password
You can use a client such as Cypher Shell or the Neo4j Browser to connect to the system database and set a new password for the admin user.
In a cluster deployment, you should complete the steps only on one of the cluster members.
-
Complete the steps in Disable authentication as per your deployment.
-
Connect to the system database using Cypher Shell. Alternatively, log in to Neo4j Browser.
bin/cypher-shell -d system
If you have specified a non-default port for your bolt connector, add -a neo4j://<your-cluster-member>:<non-default-bolt-port> to the cypher-shell command to be able to connect to your cluster member.
-
Set a new password for the admin user. In this example, the admin user is named neo4j.
ALTER USER neo4j SET PASSWORD 'mynewpassword';
-
Exit the cypher-shell console:
:exit;
-
Proceed with the post-recovery steps as per your deployment.
Recover an unassigned admin role
You can use a client such as Cypher Shell or the Neo4j Browser to connect to the system database and grant the admin user role to an existing user.
In a cluster deployment, you should complete the steps only on one of the cluster members.
-
Complete the steps in Disable authentication as per your deployment.
-
Connect to the system database using Cypher Shell. Alternatively, log in to Neo4j Browser.
bin/cypher-shell -d system
If you have specified a non-default port for your bolt connector, add -a neo4j://<your-cluster-member>:<non-default-bolt-port> to the cypher-shell command to be able to connect to your cluster member.
-
Grant the admin user role to an existing user. In this example, the user is named neo4j.
GRANT ROLE admin TO neo4j;
-
Exit the cypher-shell console:
:exit;
-
Proceed with the post-recovery steps as per your deployment.
Recover the admin role
If you have removed the admin role from your system entirely, you can use a client such as Cypher Shell or the Neo4j Browser to connect to the system database and recreate the role with its original capabilities.
In a cluster deployment, you should complete the steps only on one of the cluster members.
-
Complete the steps in Disable authentication as per your deployment.
-
Connect to the system database using Cypher Shell. Alternatively, log in to Neo4j Browser.
bin/cypher-shell -d system
If you have specified a non-default port for your bolt connector, add -a neo4j://<your-cluster-member>:<non-default-bolt-port> to the cypher-shell command to be able to connect to your cluster member.
-
Recreate the admin role with its original capabilities.
CREATE ROLE admin;
GRANT ALL DBMS PRIVILEGES ON DBMS TO admin;
GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin;
GRANT START ON DATABASE * TO admin;
GRANT STOP ON DATABASE * TO admin;
GRANT MATCH {*} ON GRAPH * TO admin;
GRANT WRITE ON GRAPH * TO admin;
GRANT ALL ON DATABASE * TO admin;
-
Grant the admin user role to an existing user.
Before running the :exit command, we suggest granting the newly created role to a user. Although this is optional, without this step you will have only collected all admin privileges in a role that no one is assigned to.
To grant the role to a user (assuming your existing user is named neo4j), you can run:
GRANT ROLE admin TO neo4j;
-
Exit the cypher-shell console:
:exit;
-
Proceed with the post-recovery steps as per your deployment.
Post-recovery steps
Single instance
-
Stop Neo4j:
bin/neo4j stop
-
Enable the authentication and restore your Neo4j to its original configuration (see Disable authentication).
-
Start Neo4j:
bin/neo4j start
Cluster
-
Stop the cluster members:
bin/neo4j stop
-
Enable the authentication and restore each cluster member to its original configuration (see Disable authentication).
-
Start the cluster (all cluster members):
bin/neo4j start
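
The recovery window and the post-recovery steps both depend on the state of neo4j.conf, so a check before each start is useful. The following is an added example, not part of the Neo4j documentation: it classifies a configuration file as normal, recovery-isolated or exposed using only the settings named on this page. The function names are hypothetical, and the script assumes that connectors without their own listen address inherit server.default_listen_address.

```shell
#!/bin/sh
# Added example (not Neo4j's own tooling): audit neo4j.conf around a recovery.

# conf_pairs FILE -> "key value" per uncommented setting ('=' or ':' separator)
conf_pairs() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1" |
        sed -n 's/^\([A-Za-z0-9_.][A-Za-z0-9_.]*\)[[:space:]]*[=:][[:space:]]*\([^[:space:]]*\).*$/\1 \2/p'
}

# conf_get FILE KEY -> value of the last uncommented KEY (empty if unset)
conf_get() { conf_pairs "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'; }

# Loopback-only address? An optional :port suffix is allowed.
is_loopback() {
    case "${1%%:*}" in 127.0.0.1|localhost) return 0 ;; *) return 1 ;; esac
}

# audit_conf FILE -> prints normal | recovery-isolated | exposed
audit_conf() {
    # Authentication not switched off: nothing to isolate.
    [ "$(conf_get "$1" dbms.security.auth_enabled)" = "false" ] || { echo normal; return 0; }
    # Any listener explicitly bound beyond loopback defeats the isolation.
    for addr in $(conf_pairs "$1" | awk '$1 ~ /listen_address$/ { print $2 }'); do
        host=${addr%%:*}   # empty host (":7687") means "inherit the default"
        [ -z "$host" ] || is_loopback "$addr" || { echo exposed; return 1; }
    done
    # Single-instance variant: connectors inherit a loopback default address.
    if is_loopback "$(conf_get "$1" server.default_listen_address)"; then
        echo recovery-isolated; return 0
    fi
    # Cluster variant: HTTP off, HTTPS not enabled, Bolt pinned to loopback.
    if is_loopback "$(conf_get "$1" server.bolt.listen_address)" &&
       [ "$(conf_get "$1" server.http.enabled)" = "false" ] &&
       [ "$(conf_get "$1" server.https.enabled)" != "true" ]; then
        echo recovery-isolated; return 0
    fi
    echo exposed; return 1
}

# Constructed sample: the cluster settings from this page, in a temp file.
sample_cluster_conf() {
    f=$(mktemp) && printf '%s\n' 'dbms.security.auth_enabled=false' \
        'server.http.enabled=false' '#server.https.enabled=true' \
        'server.bolt.listen_address=127.0.0.1' > "$f" && echo "$f"
}

# With no argument, audit the constructed sample; otherwise audit the given file.
audit_conf "${1:-$(sample_cluster_conf)}"
```

Run it against each member's neo4j.conf before starting Neo4j: during recovery the result should be recovery-isolated, and after the post-recovery steps it should be normal.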