Recover admin user and password

This page describes how to reset a password to recover a user’s access when their password is lost. It specifically focuses on how to recover an admin user if all the admin users have been unassigned the admin role, and how to recreate the built-in admin role if it has been dropped.

Disable authentication

  1. Stop Neo4j:

    bin/neo4j stop
  2. Open the neo4j.conf file and set dbms.security.auth_enabled parameter to false to disable the authentication:

    dbms.security.auth_enabled=false
  3. Block network connections during the recovery phase, so users can connect to Neo4j only via localhost. This can be achieved by temporarily commenting out the server.default_listen_address parameter and providing the specific localhost value:

    server.default_listen_address=127.0.0.1

    Ensure, you have blocked all network connections for any individual services configured to listen to listen_addresses.

  4. Start Neo4j:

    bin/neo4j start
  1. Stop all members of the cluster:

    bin/neo4j stop
  2. On each member, open the neo4j.conf file and modify the following settings:

    1. Set dbms.security.auth_enabled parameter to false to disable the authentication:

      dbms.security.auth_enabled=false
    2. Disable the HTTP and HTTPS network connections and restrict the bolt connector to use only localhost. Set server.http.enabled to false. This ensures that no one from outside can access the cluster during the recovery period.

      server.http.enabled=false
      #server.https.enabled=true
      server.bolt.listen_address:127.0.0.1
  3. Start all members of the cluster:

    bin/neo4j start

Recover a lost password

You can use a client such as Cypher Shell or the Neo4j Browser to connect to the system database and set a new password for the admin user.

In a cluster deployment, you should complete the steps only on one of the cluster members.

  1. Complete the steps in Disable authentication as per your deployment.

  2. Connect to the system database using Cypher shell. Alternatively, log into Neo4j Browser.

    bin/cypher-shell -d system

    If you have specified a non-default port for your bolt connector, add -a neo4j://<your-cluster-member>:<non-default-bolt-port> to the cypher-shell command to be able to connect to your cluster member.

  3. Set a new password for the admin user. In this example, the admin user is named neo4j.

    ALTER USER neo4j SET PASSWORD 'mynewpassword'
  4. Exit the cypher-shell console:

    :exit;
  5. Proceed with the post-recovery steps as per your deployment.

Recover an unassigned admin role

You can use a client such as Cypher Shell or the Neo4j Browser to connect to the system database and grant the admin user role to an existing user.

In a cluster deployment, you should complete the steps only on one of the cluster members.

  1. Complete the steps in Disable authentication as per your deployment.

  2. Connect to the system database using Cypher shell. Alternatively, log into Neo4j Browser.

    bin/cypher-shell -d system

    If you have specified a non-default port for your bolt connector, add -a neo4j://<your-cluster-member>:<non-default-bolt-port> to the cypher-shell command to be able to connect to your cluster member.

  3. Grant the admin user role to an existing user. In this example, the user is named neo4j.

    GRANT ROLE admin TO neo4j
  4. Exit the cypher-shell console:

    :exit;
  5. Proceed with the post-recovery steps as per your deployment.

Recover the admin role

If you have removed the admin role from your system entirely, you can use a client such as Cypher Shell or the Neo4j Browser to connect to the system database and recreate the role with its original capabilities.

In a cluster deployment, you should complete the steps only on one of the cluster members.

  1. Complete the steps in Disable authentication as per your deployment.

  2. Connect to the system database using Cypher shell. Alternatively, log into Neo4j Browser.

    bin/cypher-shell -d system

    If you have specified a non-default port for your bolt connector, add -a neo4j://<your-cluster-member>:<non-default-bolt-port> to the cypher-shell command to be able to connect to your cluster member.

  3. Recreate the admin role with its original capabilities.

    CREATE ROLE admin;
    GRANT ALL DBMS PRIVILEGES ON DBMS TO admin;
    GRANT TRANSACTION MANAGEMENT ON DATABASE * TO admin;
    GRANT START ON DATABASE * TO admin;
    GRANT STOP ON DATABASE * TO admin;
    GRANT MATCH {*} ON GRAPH * TO admin;
    GRANT WRITE ON GRAPH * TO admin;
    GRANT ALL ON DATABASE * TO admin;
  4. Grant the admin user role to an existing user.

    Before running the :exit command, we suggest granting the newly created role to a user. Although this is optional, without this step you will have only collected all admin privileges in a role that no one is assigned to.

    To grant the role to a user (assuming your existing user is named neo4j), you can run GRANT ROLE admin TO neo4j;

  5. Exit the cypher-shell console:

    :exit;
  6. Proceed with the post-recovery steps as per your deployment.

Post-recovery steps

  1. Stop Neo4j:

    bin/neo4j stop
  2. Enable the authentication and restore your Neo4j to its original configuration (See Disable authentication).

  3. Start Neo4j:

    bin/neo4j start
  1. Stop the cluster members.

    bin/neo4j stop
  2. Enable the authentication and restore each cluster member to its original configuration (See Disable authentication).

  3. Start the cluster (all cluster members):

    bin/neo4j start