memgraph-platform icon indicating copy to clipboard operation
memgraph-platform copied to clipboard
verified publisher icon memgraph

Memgraph Lab does not ask for authentication credentials, leading to inabillity to connect

Open courtarro opened this issue 9 months ago • 6 comments

I'm running new instances of Memgraph and Memgraph Lab running as containers in a Podman instance. I am attempting to create users for the first time, and this is my experience:

  1. Connect via Memgraph Lab (works)
  2. Enter a user creation cypher statement (works)
  3. Enter a second user creation cypher statement (fails with a confusing error)
  4. Refresh Lab
  5. Lab no longer automatically connects (ok, I guess that's because I have a user now?)
  6. Manually add a localhost entry and click "Connect"
  7. Lab relays the error: "Connection error: Failed to connect to server. Please ensure that your database is listening on the correct host and port and that you have compatible encryption settings both on Neo4j server and driver. Note that the default encryption setting has changed in Neo4j 4.0."

Note that Lab does not ask me for credentials. When I attempt to access Memgraph directly via the bolt protocol using a Python script, I get a authorization failure message, which is resolved by adding the new credentials to my script. So MG itself is still working, but there's something lost in translation between MG and Lab.

Thus, Lab is useless until I can get it to ask for authentication.

Versions:

  • Memgraph: 3.1.1
  • Memgraph Lab: 3.1.0

courtarro avatar Mar 28 '25 18:03 courtarro

Hi @courtarro, thanks for reporting this issue. Could you provide a bit more details to help replicate the issue: what command/config are you using to run Memgraph and could you provide us the queries used to create first and second user?

matea16 avatar Mar 31 '25 09:03 matea16

When we added SSO support in the Lab, we moved authentication to the second step of the connection process. With that in mind, Lab is listening for authentication errors to show you auth as step 2 of the connection process. By checking your message, it seems to me that Lab is not able to even open the connection:

The error message mentions encryption - is your Memgraph running with SSL encryption, and is Encryption turned on on the Lab connection screen? Also the vice versa, if your Memgraph is running regular BOLT (not BOLTS - BOLT + SSL), is your Encryption turned off on the Lab connection screen?

tonilastre avatar Apr 01 '25 12:04 tonilastre

In this case it looks like the issue has to do with running these services in Docker.

I first started the containers for memgraph/memgraph-mage and memgraph/lab and opening ports to 0.0.0.0. I named the containers memgraph and memgraph_lab, respectively. I opened Lab in a web browser. Lab was able to immediately see and connect to Memgraph without any manual steps being necessary.

However, as soon as I added a user, the connection went cold and I wasn't able to communicate with the server anymore. Manually adding a server looking for localhost also didn't work. But adding memgraph as a server ended up working. It makes sense that memgraph would work as a hostname since that's the container's name. But with the ports forwarded, why would localhost not work? And why did it work at first?

courtarro avatar Apr 01 '25 15:04 courtarro

localhost might be tricky when using Docker, especially on Mac and Win due to extra system virtualization. In those cases localhost for the Lab will be localhost within the Lab docker container. The lab system that is running within a container receives a command to start a connection towards localhost, and that network request never leaves the container because it is already within localhost.

There are ways to overcome this issue:

  1. Use network host for all containers, where all containers should see localhost totally fine
  2. Use a container management service that creates a new network and registers containers by their names - I think this is your case with memgraph name working fine because Podman (or for example docker-compose) creates a network and registers containers that are discoverable by their name, and localhost won't work there
  3. Use the provided host lookup DNS; for example, Docker registers DNS host.docker.internal which you can use as an alias for locahost - service within a container that creates a connection towards host.docker.internal will be rerouted to the host localhost: https://memgraph.com/docs/getting-started/install-memgraph/docker#issues-with-connecting-mgconsole-to-the-database

tonilastre avatar Apr 01 '25 20:04 tonilastre

@tonilastre That makes sense. I think my confusion mainly stems from the fact that it did work silently at first, without me having to set up the explicit memgraph host as a connection, but then mysteriously stopped working later. It's possible that I changed something in the interim. In any case, it seems like setting up a specific server that points to the container running memgraph is the solution, and in my case using the Podman container's hostname works.

Sorry for the confusion. I will leave it open in case anyone plans to investigate further, otherwise feel free to close.

courtarro avatar Apr 01 '25 20:04 courtarro

Yep, it's strange that it worked at first.

Are you referring maybe to the "Quick connect" feature in the lab for that first connection? Quick connect doesn't have auth, so it could be valid at first, but then once auth is added, "Quick connect" is showing "Disconnected" status.

No worries about the confusion; networking is tricky with containers.

tonilastre avatar Apr 02 '25 20:04 tonilastre