Neo4j credential rotation during application runtime #1371

Closed
vboerner opened this issue Jan 31, 2023 · 3 comments · Fixed by #1380
Comments

@vboerner

Hi!

I've started to integrate HashiCorp Vault into my Spring-based application with spring-data-neo4j 6. I am using Neo4j version 4.4.11, and the neo4j-java-driver is version 4.4.11, too.

When starting the application, it is able to authenticate successfully with HashiCorp Vault and retrieve the Neo4j credentials.

My problem begins when trying to rotate the database credentials because I did not find a way to update the neo4j credentials during application runtime.

After digging around, I found that Spring creates a bean of type org.neo4j.driver.Driver via GraphDatabase.driver(serverUri,authToken,config);

And org.neo4j.driver.internal.async.pool.ConnectionPoolImpl is used as ConnectionPool.

As far as I can see, I have found no way to set the username and password for Neo4j in the driver class or the connection pool during application runtime.

For example, if a database uses the HikariCP, it is possible to update the credentials at runtime because HikariCP provides a way to do it via the HikariConfigMXBean. See: HikariConfig.java, Line 61-72

Is this type of update also possible in the Neo4j driver or connection pool? Or is it planned for the future?

Many thanks in advance for your help.

@injectives
Contributor

Hello. Thanks for your question.

At present, it is not possible. Credentials are set for the lifetime of the driver.

However, we are currently working on an ability to re-authenticate. The current plan is to let the driver pull new credentials with a TTL when needed. This feature should be released in the 5.x driver series in the near future.
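
Because credentials are fixed for the lifetime of a driver, rotating them on the 4.4 driver means building a new Driver with the new credentials and retiring the old one. The sketch below is an added example, not code from this thread or from the Neo4j project; `RotatingDriverHolder`, `graceSeconds` and the `rotate` callback are hypothetical names, and the wiring into Vault and Spring Data Neo4j is not shown.

```java
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import org.neo4j.driver.AuthTokens;
import org.neo4j.driver.Config;
import org.neo4j.driver.Driver;
import org.neo4j.driver.GraphDatabase;
import org.neo4j.driver.Session;

// Hypothetical helper (not part of the driver): owns the current Driver and swaps it on rotation.
public final class RotatingDriverHolder implements AutoCloseable {
    private final String uri;
    private final Config config;
    private final long graceSeconds; // assumption: longer than the longest in-flight transaction
    private final AtomicReference<Driver> current = new AtomicReference<>();
    private final ScheduledExecutorService reaper = Executors.newSingleThreadScheduledExecutor();

    public RotatingDriverHolder(String uri, Config config, String user, String password, long graceSeconds) {
        this.uri = uri;
        this.config = config;
        this.graceSeconds = graceSeconds;
        current.set(GraphDatabase.driver(uri, AuthTokens.basic(user, password), config));
    }

    // Open one session per unit of work so new work always uses the newest credentials.
    public Session session() {
        return current.get().session();
    }

    // Call from the secret-renewal callback; never log the arguments.
    public void rotate(String user, String password) {
        Driver fresh = GraphDatabase.driver(uri, AuthTokens.basic(user, password), config);
        try {
            fresh.verifyConnectivity(); // reject bad credentials before swapping
        } catch (RuntimeException e) {
            fresh.close();              // keep serving from the old driver
            throw e;
        }
        Driver old = current.getAndSet(fresh);
        // Delay the close so sessions already opened on the old driver can finish.
        reaper.schedule(old::close, graceSeconds, TimeUnit.SECONDS);
    }

    @Override
    public void close() {
        reaper.shutdown();     // already-scheduled closes of old drivers still run
        current.get().close();
    }
}
```

The old credentials should stay valid for at least the grace period, otherwise connections the old driver opens during that window will fail to authenticate.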

@sathishkumar294

sathishkumar294 commented Mar 2, 2023

Hi @injectives, thanks for the explanation. Is there a roadmap on when this improvement will be released?

@injectives
Contributor

> Hi @injectives, thanks for the explanation. Is there a roadmap on when this improvement will be released?

Hello!

Probably end of March or end of April. This is assuming no other thing affects our hopes on this.
