Why Neo4J docker authentication doesn't work

Question

I want to run a Neo4J instance through docker using a docker-compose.

docker-compose.yml

version: '3'
services:
  neo4j:
    container_name: neo4j-lab
    image: neo4j:latest
    environment:
      - NEO4J_dbms_memory_pagecache_size=2G
      - NEO4J_dbms_memory_heap_maxSize=4G
      - NEO4J_dbms_memory_heap_initialSize=512M
      - NEO4J_AUTH=neo4j/changeme
    ports:
      - 7474:7474
      - 7687:7687
    volumes:
      - neo4j_data:/data
      - neo4j_conf:/conf
      - ./import:/import
volumes:
  neo4j_data:
  neo4j_conf:

Running the following with docker-compose up is perfectly fine, and I can reach the login screen.

But when I set the credentials, I get the following error on my container logs : Neo.ClientError.Security.Unauthorized The client is unauthorized due to authentication failure. whereas I am sure that I fill with right credentials (the ones used in my docker-compose file)

Furthermore,

when I set NEO4J_AUTH to none, then no credentials have been asked.
when I set it to neo4j/neo4j it said that I can't use the default password

According the documentation, this is perfectly fine :

By default Neo4j requires authentication and requires you to login with neo4j/neo4j at the first connection and set a new password. You can set the password for the Docker container directly by specifying --env NEO4J_AUTH=neo4j/password in your run directive. Alternatively, you can disable authentication by specifying --env NEO4J_AUTH=none instead.

Do you have any idea of what's going on ?

Hope you could help me to solve this !

EDIT

Docker logs output :

neo4j-lab | 2019-03-13 23:02:32.378+0000 INFO  Starting...
neo4j-lab | 2019-03-13 23:02:37.796+0000 INFO  Bolt enabled on 0.0.0.0:7687.
neo4j-lab | 2019-03-13 23:02:41.102+0000 INFO  Started.
neo4j-lab | 2019-03-13 23:02:43.935+0000 INFO  Remote interface available at http://localhost:7474/
neo4j-lab | 2019-03-13 23:02:56.105+0000 WARN  The client is unauthorized due to authentication failure.

EDIT 2 :

It seems that deleting the volume associated first works. The password is now changed.

However, if I docker-compose down then docker-compose up whereas I change the password in my docker-compose file then the issue reappears.

So I think that when we change the password through docker-compose more than once while a volume exists, we need to remove the auth file presents in the volumes.

To do that :

docker volume inspect <volume_name>

You should get something like that :

[
    {
        "CreatedAt": "2019-03-14T11:17:08+01:00",
        "Driver": "local",
        "Labels": {
            "com.docker.compose.project": "neo4j",
            "com.docker.compose.volume": "neo4j_data"
        },
        "Mountpoint": "/data/docker/volumes/neo4j_neo4j_data/_data",
        "Name": "neo4j_neo4j_data",
        "Options": null,
        "Scope": "local"
    }
]

This is obviously different if you named your container and your volumes not like me (neo4j, neo4j_data).

The important part is the Mountpoint which locates the volume.

In this volume, you can delete the auth file which is in dbms directory.

Then restart your docker and everything should be fine.

it seems like started the container with old data where the password was not `changeme` — Mostafa Hussein, Mar 13 '19 at 23:34
This is the problem.. :( I didn't mention it, but I ran these docker-compose file on two different machine, and it worked on one of them... — Dralucas, Mar 14 '19 at 08:07
I finally find the reason of my problem, I let you see my edit 2. :) — Dralucas, Mar 14 '19 at 10:25
Glad you did it!. That's why to told you to remove the old data :D because the volume will keep the old password — Mostafa Hussein, Mar 14 '19 at 10:31
I think the problem is not only the password because I didn't change it. But I pull the latest image yesterday and the volume was associated to an older version, I don't know if this kind of situation can cause this kind of issue... But now it works ! — Dralucas, Mar 14 '19 at 10:37
@Dralucas your post just ended 6 hours of head banging because my password wasn't accepted. I've not seen anything in the neo docs that mentions what you explained above. Thank you so much! — Laurent S, Feb 26 '20 at 23:31
I was hoping this would fix things for me, but no. https://github.com/neo4j/docker-neo4j/issues/238 — dcsan, Mar 16 '20 at 13:29

score 15 · Answer 1 · answered Mar 19 '20 at 08:37

15

Neo4j docker developer here.

The reason this is happening is that the NEO4J_AUTH environment variable doesn't set the database password, it sets the INITIAL password only.

If you're mounting a data volume with an existing database inside, then NEO4J_AUTH has no effect because that database already has a password. It sounds like that's what you're experiencing here.

The documentation around this feature was not great and I've updated it! See: Neo4j docker authentication documentation

answered Mar 19 '20 at 08:37

jenny

454
4
8

How does one reset the password, by modifying the auth file after the initial password is set? Some details on this in the docs would be great @jenny – prrao Dec 05 '22 at 22:11
Is there a way to stop the requirement to change the password on first logon when running in docker? – SteveR Apr 25 '23 at 11:33

score 2 · Answer 2 · answered Aug 19 '20 at 02:40

2

define Neo4j password with docker-compose

neo4j:
   image: 'neo4j:4.1'
   environment:
      NEO4J_AUTH: 'neo4j/your_password'
   ports:
      - "7474:7474"
   volumes:
      ...

answered Aug 19 '20 at 02:40

Armel Drey

27
1
3

The issue appears when there is a password change inside the container. Providing password through docker-compose makes it a static one. – Wander3r Aug 19 '20 at 03:22

Why Neo4J docker authentication doesn't work

2 Answers2

define Neo4j password with docker-compose