Neo4j Sink Connector for Confluent Cloud

The fully-managed Neo4j Sink connector moves data from Apache Kafka® to Neo4j and Aura databases. The connector uses multiple write strategies, such as Cypher, Change Data Capture (CDC), Pattern, and Create-Update-Delete (CUD).

Note

If you require private networking for fully-managed connectors, make sure to set up the proper networking beforehand. For more information, see Manage Networking for Confluent Cloud Connectors.

Features

The Neo4j Sink connector supports the following features:

• Real-time data delivery: Delivers records from Kafka topics to Neo4j in near real time, enabling continuous data synchronization.

• Flexible data mapping: Maps Kafka record values (including Avro and JSON) to nodes and relationships in Neo4j using Cypher or Pattern strategy defined in the configuration.

• Schema handling: Supports both schema-less records such as JSON and records with schemas such as Avro, allowing the connector to adapt to various data structures.

• Error handling: Provides robust resilience and error handling, including support for a Dead Letter Queue (DLQ) to store records that fail processing.

• Data type conversion: Supports conversion between built-in Kafka Connect types and Neo4j data types.

• Secure authentication: Supports secure authentication for connecting to your Neo4j database using NONE, BASIC, KERBEROS, BEARER, and CUSTOM authentication types.

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.

Limitations

Be sure to review the following information.

• For connector limitations, see Neo4j Sink Connector.

• If you plan to use one or more Single Message Transforms (SMTs), see SMT Limitations.

• If you plan to use Confluent Cloud Schema Registry, see Schema Registry Enabled Environments.

Quick Start

Use this quick start to get up and running with the Confluent Cloud Neo4j Sink connector. The quick start provides the basics of selecting the connector and configuring it to stream Kafka events to a Neo4j database.

Prerequisites

• Authorized access to a Confluent Cloud cluster on Amazon Web Services (AWS), Microsoft Azure (Azure), or Google Cloud.

• The Confluent CLI installed and configured for the cluster. For more information, see Install the Confluent CLI.

• Schema Registry must be enabled to use a Schema Registry-based format such as AVRO, JSON_SR (JSON Schema), or PROTOBUF. For more information, see Schema Registry Enabled Environments.

• Access to a Neo4j or Neo4j Aura database.

• For networking considerations, see Networking and DNS. To use a set of public egress IP addresses, see Public Egress IP Addresses for Confluent Cloud Connectors.

Using the Confluent Cloud Console

Step 1: Launch your Confluent Cloud cluster

To create and launch a Kafka cluster in Confluent Cloud, see Create a kafka cluster in Confluent Cloud.

Step 2: Add a connector

In the left navigation menu, click Connectors. If you already have connectors in your cluster, click + Add connector.

Step 3: Select your connector

Click the Neo4j Sink connector card.

Step 4: Enter the connector details

Note

• Ensure you have all your prerequisites completed.

• An asterisk ( * ) designates a required entry.

At the Add Neo4j Sink Connector screen, complete the following:

Select topic

If you’ve already populated your Kafka topics, select the topics you want to connect from the Topics list.

To create a new topic, click +Add new topic.

Kafka credentials

1. Select the way you want to provide Kafka Cluster credentials. You can choose one of the following options:

   • My account: This setting allows your connector to globally access everything that you have access to. With a user account, the connector uses an API key and secret to access the Kafka cluster. This option is not recommended for production.

   • Service account: This setting limits the access for your connector by using a service account. This option is recommended for production.

   • Use an existing API key: This setting allows you to specify an API key and a secret pair. You can use an existing pair or create a new one. This method is not recommended for production environments.

   Note

   Freight clusters support only service accounts for Kafka authentication.

2. Click Continue.

Authentication

1. Configure the authentication properties:

   Connection

   • Neo4j URI: The Neo4j endpoint URL. For example, neo4j+s://xxxx.databases.neo4j.io. You can specify multiple URIs separated by a comma (,).

   • Database Name: The name of your Neo4j database.

   • Authentication Type: Under Authentication Type, select how you want to authenticate with the database:

     If you select BASIC, enter the following details:

     • Username: The name of the Neo4j database user connecting to the Neo4j database.

     • Password: The password for the Neo4j database user connecting to the Neo4j database.

     • Authentication Realm: The authentication realm to authenticate with. Leave this field empty to use the default realm.

     If you select BEARER, enter the BEARER Token.

     If you select CUSTOM, enter the following details:

     • Custom Authentication Scheme: The custom authentication scheme used to establish the connection.

     • Custom Principal: The custom principal used to establish the connection.

     • Custom Credentials: The custom credential used to establish the connection.

     • Custom Authentication Realm: The custom authentication realm to authenticate with. Set this as required by your custom authentication provider.

     If you select KERBEROS, enter the Kerberos Ticket.

     If you select NONE, enter the Encrypted Connection details as described below.

   • Username: The name of the Neo4j database user connecting to the Neo4j database. Required when neo4j.authentication.type is set to BASIC.

   • Password: The password for the Neo4j database user connecting to the Neo4j database. Required when neo4j.authentication.type is set to BASIC.

   • Authentication Realm: The authentication realm to authenticate with. Leave this field empty to use the default realm.

   • Kerberos Ticket: Kerberos ticket to establish connection with. Required when neo4j.authentication.type is set to KERBEROS.

   • Bearer Token: Bearer token to establish connection with. Required when neo4j.authentication.type is set to BEARER.

   • Custom Authentication Scheme: Custom authentication scheme to establish connection with. Required when neo4j.authentication.type is set to CUSTOM.

   • Custom Principal: Custom principal to establish connection with. Required when neo4j.authentication.type is set to CUSTOM.

   • Custom Credentials: Custom credential to establish connection with. Required when neo4j.authentication.type is set to CUSTOM.

   • Custom Authentication Realm: Custom authentication realm to authenticate with. Set this as required by your custom authentication provider.

   • Encrypted Connection: Defaults to false. When set to true, enter the following details.

     • Trust Strategy: Select the trust strategy to use for TLS connections. Valid options are Valid options are TRUST_ALL_CERTIFICATES, TRUST_CUSTOM_CA_SIGNED_CERTIFICATES, TRUST_SYSTEM_CA_SIGNED_CERTIFICATES. Upload the certificate file if you select TRUST_CUSTOM_CA_SIGNED_CERTIFICATES.

   • Trust Strategy: Trust strategy to use for TLS connections. Valid options are TRUST_ALL_CERTIFICATES, TRUST_CUSTOM_CA_SIGNED_CERTIFICATES, or TRUST_SYSTEM_CA_SIGNED_CERTIFICATES. Required when neo4j.security.encrypted is set to TRUE.

   • Certificate Files: Upload the certificate files that contain X509 certificates of CAs to trust. Required when neo4j.security.trust-strategy is set to TRUST_CUSTOM_CA_SIGNED_CERTIFICATES.

   • Hostname Verification Enabled: Specify whether hostname verification is enabled during the TLS handshake.

2. Click Continue.

Configuration

Note

The connector requires that you assign exactly one strategy per topic. This strategy must be one of the following: Cypher, Pattern, CDC, or CUD.

• Input Kafka record value format: Select the input Kafka record value format (data coming from the Kafka topic). A valid schema must be available in Schema Registry to use a schema-based message format (for example, AVRO, JSON_SR (JSON Schema), or PROTOBUF). Defaults to AVRO.

  For more information, see Schema Registry Enabled Environments.

Common Sink Settings

• Batch Size: The maximum number of messages the connector processes per transaction per topic. Defaults to 1000.

• Batch Timeout: The maximum amount of time the connector allows a batch to be processed. Valid units are ms, s, m, h, and d. Defaults to s.

Cypher Strategy

• Cypher Statement for Topic: The Cypher statement the connector runs for the specified topic. For example:

  {
    "my-topic1": "MERGE (n:Person {name: __value.name})",
    "my-topic2": "MATCH (n:Person {name: __value.name}) SET n.age = __value.age"
  }
  

• Bind Timestamp As: Specifies the name under which the message timestamp is bound in Cypher statements. Set this to an empty string to disable binding.

• Bind Header As: Specifies the name under which the message header is bound in Cypher statements (bound as a map of header names to values). Set to an empty string to disable binding.

• Bind Key As: The name under which the message key is bound in Cypher statements. Set to an empty string to disable binding.

• Bind Value As: The name under which the message value is bound in Cypher statements. Set to an empty string to disable binding.

• Bind Value As Event: Specify whether the message value will be bound as event in Cypher statements for backward compatibility.

Pattern Strategy

• Node/Relationship Pattern for Topic: The node or relationship pattern the connector applies to messages received from the specified topic. For example, {"user1": "(:User{!userId})", "user2": "(:User{!userId})-[:KNOWS]→(:User{!otherUserId})"}.

• Merge Node Properties: Specifies whether to merge incoming properties with existing node properties.

• Merge Relationship Properties: Specifies whether to merge incoming properties with existing relationship properties.

• Pattern Bind Timestamp As: The name under which the message timestamp is bound in patterns. Set to an empty string to disable binding.

• Pattern Bind Header As: The name under which the message header is bound in patterns (bound as a map of header names to values). Set to an empty string to disable binding.

• Pattern Bind Key As: The name under which the message key is bound in patterns. Set to an empty string to disable binding.

• Pattern Bind Value As: The name under which the message value is bound in patterns. Set to an empty string to disable binding.

CDC Strategy

• CDC Event Topics: The topic(s) that contain CDC events generated by a Source instance using the CDC source strategy.

• CDC Source ID Topics: The topic(s) that contain CDC events generated by a Source instance using the CDC source strategy.

• CDC Source ID Label Name: The label name attached to the nodes managed by the CDC Source Id strategy.

• CDC Source ID Property Name: The ID property name attached to the nodes managed by the CDC Source Id strategy.

CUD Strategy

• CUD Event Topics: The topic(s) that contain CUD (Create, Update, Delete) events.

Show advanced configurations

• Schema context: Select a schema context to use for this connector, if using a schema-based data format. This property defaults to the Default context, which configures the connector to use the default schema set up for Schema Registry in your Confluent Cloud environment. A schema context allows you to use separate schemas (like schema sub-registries) tied to topics in different Kafka clusters that share the same Schema Registry environment. For example, if you select a non-default context, a Source connector uses only that schema context to register a schema and a Sink connector uses only that schema context to read from. For more information about setting up a schema context, see What are schema contexts and when should you use them?.

• Input Kafka record key format: Select the input Kafka record key format. Options are AVRO, BYTES, JSON, JSON_SR (JSON Schema), PROTOBUF, or STRING. A valid schema must be available in Schema Registry to use a schema-based message format (for example, AVRO, JSON_SR, or PROTOBUF). See Schema Registry Enabled Environments for additional information.

Additional Configs

• Value Converter Replace Null With Default: Whether to replace fields that have a default value and that are null to the default value. When set to true, the default value is used, otherwise null is used. Applicable for JSON Converter.

• Value Converter Schema ID Deserializer: The class name of the schema ID deserializer for values. This is used to deserialize schema IDs from the message headers.

• Value Converter Reference Subject Name Strategy: Set the subject reference name strategy for value. Valid entries are DefaultReferenceSubjectNameStrategy or QualifiedReferenceSubjectNameStrategy. Note that the subject reference name strategy can be selected only for PROTOBUF format with the default strategy being DefaultReferenceSubjectNameStrategy.

• Schema ID For Value Converter: The schema ID to use for deserialization when using ConfigSchemaIdDeserializer. This is used to specify a fixed schema ID to be used for deserializing message values. Only applicable when value.converter.value.schema.id.deserializer is set to ConfigSchemaIdDeserializer.

• Value Converter Schemas Enable: Include schemas within each of the serialized values. Input messages must contain schema and payload fields and may not contain additional fields. For plain JSON data, set this to false. Applicable for JSON Converter.

• Errors Tolerance: Use this property if you would like to configure the connector’s error handling behavior. WARNING: This property should be used with CAUTION for SOURCE CONNECTORS as it may lead to dataloss. If you set this property to ‘all’, the connector will not fail on errant records, but will instead log them (and send to DLQ for Sink Connectors) and continue processing. If you set this property to ‘none’, the connector task will fail on errant records.

• Value Converter Ignore Default For Nullables: When set to true, this property ensures that the corresponding record in Kafka is NULL, instead of showing the default column value. Applicable for AVRO,PROTOBUF and JSON_SR Converters.

• Key Converter Schema ID Deserializer: The class name of the schema ID deserializer for keys. This is used to deserialize schema IDs from the message headers.

• Value Converter Decimal Format: Specify the JSON/JSON_SR serialization format for Connect DECIMAL logical type values with two allowed literals: BASE64 to serialize DECIMAL logical types as base64 encoded binary data and NUMERIC to serialize Connect DECIMAL logical type values in JSON/JSON_SR as a number representing the decimal value.

• Schema GUID For Key Converter: The schema GUID to use for deserialization when using ConfigSchemaIdDeserializer. This is used to specify a fixed schema GUID to be used for deserializing message keys. Only applicable when key.converter.key.schema.id.deserializer is set to ConfigSchemaIdDeserializer.

• Schema GUID For Value Converter: The schema GUID to use for deserialization when using ConfigSchemaIdDeserializer. This is used to specify a fixed schema GUID to be used for deserializing message values. Only applicable when value.converter.value.schema.id.deserializer is set to ConfigSchemaIdDeserializer.

• Value Converter Connect Meta Data: Allow the Connect converter to add its metadata to the output schema. Applicable for Avro Converters.

• Value Converter Value Subject Name Strategy: Determines how to construct the subject name under which the value schema is registered with Schema Registry.

• Key Converter Key Subject Name Strategy: How to construct the subject name for key schema registration.

• Schema ID For Key Converter: The schema ID to use for deserialization when using ConfigSchemaIdDeserializer. This is used to specify a fixed schema ID to be used for deserializing message keys. Only applicable when key.converter.key.schema.id.deserializer is set to ConfigSchemaIdDeserializer.

Auto-restart policy

• Enable Connector Auto-restart: Control the auto-restart behavior of the connector and its task in the event of user-actionable errors. Defaults to true, enabling the connector to automatically restart in case of user-actionable errors. Set this property to false to disable auto-restart for failed connectors. In such cases, you would need to manually restart the connector.

Consumer configuration

• Max poll interval(ms): Set the maximum delay between subsequent consume requests to Kafka. Use this property to improve connector performance in cases when the connector cannot send records to the sink system. The default is 300,000 milliseconds (5 minutes).

• Max poll records: Set the maximum number of records to consume from Kafka in a single request. Use this property to improve connector performance in cases when the connector cannot send records to the sink system. The default is 500 records.

Transforms

• Single Message Transforms: To add a new SMT, see Add transforms. For more information about unsupported SMTs, see Unsupported transformations.

Processing position

• Set offsets: Click Set offsets to define a specific offset for this connector to begin procession data from. For more information on managing offsets, see Manage offsets.

For all property values and definitions, see Configuration Properties.

• Click Continue.

Sizing

Based on the number of topic partitions you select, you will be provided with a recommended number of tasks.

1. To change the number of recommended tasks, enter the number of tasks for the connector to use in the Tasks field. More tasks may improve performance.

2. Click Continue.

Review and Launch

1. Verify the connection details.

2. Click Launch.

   The status for the connector should go from Provisioning to Running.

Step 5: Check for records

Verify that records are being produced in your Neo4j database.

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.

Tip

When you launch a connector, a Dead Letter Queue topic is automatically created. See View Connector Dead Letter Queue Errors in Confluent Cloud for details.

Using the Confluent CLI

Complete the following steps to set up and run the connector using the Confluent CLI.

Note

Make sure you have all your prerequisites completed.

Step 1: List the available connectors

Enter the following command to list available connectors:

confluent connect plugin list

Step 2: List the connector configuration properties

Enter the following command to show the connector configuration properties:

confluent connect plugin describe <connector-plugin-name>

The command output shows the required and optional configuration properties.

Step 3: Create the connector configuration file

Create a JSON file that contains the connector configuration properties. The following example shows the required connector properties.

Note

The connector requires that you assign exactly one strategy per topic. This strategy must be one of the following: Cypher, Pattern, CDC, or CUD.

{
   "connector.class": "Neo4jSink",
   "name": "Neo4jSinkConnector_1",
   "schema.context.name": "default",
   "kafka.auth.mode": "SERVICE_ACCOUNT",
   "kafka.service.account.id": "sa-devczmg337z",
   "neo4j.uri": "neo4j+s://xxxx.databases.neo4j.io",
   "neo4j.authentication.type": "BASIC",
   "neo4j.authentication.basic.username": "neo4j",
   "neo4j.authentication.basic.password": "xxxxxxxxx",
   "neo4j.security.encrypted": "false",
   "neo4j.batch-size": "1000",
   "neo4j.batch-timeout": "0s",
   "neo4j.cypher.topic.map": "{\"neo4j-dummy-topic\": \"MERGE (n:Record {uuid: coalesce(event.f1, apoc.create.uuid())}) SET n += event\"}",
   "neo4j.cypher.bind-timestamp-as": "__timestamp",
   "neo4j.cypher.bind-header-as": "__header",
   "neo4j.cypher.bind-key-as": "__key",
   "neo4j.cypher.bind-value-as": "__value",
   "neo4j.cypher.bind-value-as-event": "true",
   "neo4j.pattern.topic.map": "{}",
   "neo4j.pattern.merge-node-properties": "false",
   "neo4j.pattern.merge-relationship-properties": "false",
   "neo4j.pattern.bind-timestamp-as": "__timestamp",
   "neo4j.pattern.bind-header-as": "__header",
   "neo4j.pattern.bind-key-as": "__key",
   "neo4j.pattern.bind-value-as": "__value",
   "neo4j.cdc.source-id.label-name": "SourceEvent",
   "neo4j.cdc.source-id.property-name": "sourceId",
   "value.converter.replace.null.with.default": "true",
   "value.converter.reference.subject.name.strategy": "DefaultReferenceSubjectNameStrategy",
   "value.converter.schemas.enable": "false",
   "errors.tolerance": "all",
   "value.converter.ignore.default.for.nullables": "false",
   "value.converter.decimal.format": "BASE64",
   "value.converter.value.subject.name.strategy": "TopicNameStrategy",
   "key.converter.key.subject.name.strategy": "TopicNameStrategy",
   "max.poll.interval.ms": "300000",
   "max.poll.records": "500",
   "input.data.format": "JSON",
   "input.key.format": "JSON",
   "tasks.max": "1",
   "topics": "neo4j-dummy-topic",
   "auto.restart.on.user.error": "true"
 }

Note the following property definitions:

• "connector.class": Identifies the connector plugin name.

• "input.data.format": Sets the input Kafka record value format (data coming from the Kafka topic). Valid entries are AVRO, JSON_SR, PROTOBUF, or JSON. You must have Confluent Cloud Schema Registry configured if using a schema-based message format such as Avro, JSON_SR (JSON Schema), or Protobuf.

• "name": Sets a name for your new connector.

• "kafka.auth.mode": Identifies the connector authentication mode you want to use. There are two options: SERVICE_ACCOUNT or KAFKA_API_KEY (the default). To use an API key and secret, specify the configuration properties kafka.api.key and kafka.api.secret, as shown in the example configuration (above). To use a service account, specify the Resource ID in the property kafka.service.account.id=<service-account-resource-ID>. To list the available service account resource IDs, use the following command:

  confluent iam service-account list
  

  For example:

  confluent iam service-account list
  
     Id     | Resource ID |       Name        |    Description
  +---------+-------------+-------------------+-------------------
     123456 | sa-l1r23m   | sa-1              | Service account 1
     789101 | sa-l4d56p   | sa-2              | Service account 2
  

• "neo4j.uri": A URI with the form neo4j+s://c8560e2d.databases.neo4j.io.

• "neo4j.database": The name of your Neo4j database.

• "neo4j.authentication.type": The Neo4j authentication type to authenticate with the database. Valid options are NONE, BASIC, KERBEROS, BEARER, and CUSTOM. Defaults to BASIC.

• "neo4j.batch-size": The maximum number of messages the connector processes per transaction per topic. Defaults to 1000.

• "neo4j.batch-timeout": The maximum amount of time the connector allows a batch to be processed. Valid units are ms, s, m, h, and d. Defaults to 0s.

• "tasks.max": The number of tasks to use with the connector. More tasks may improve performance.

Single Message Transforms: See the Single Message Transforms (SMT) documentation for details about adding SMTs using the Confluent CLI.

For all configuration property values and descriptions, see Configuration Properties.

Step 4: Load the properties file and create the connector

Enter the following command to load the configuration and start the connector:

confluent connect cluster create --config-file <file-name>.json

For example:

confluent connect cluster create --config-file Neo4j-sink-config.json

Example output:

Created connector Neo4jSinkConnector_0 lcc-do6vzd

Step 4: Check the connector status.

Enter the following command to check the connector status:

confluent connect cluster list

Example output:

ID           |             Name              | Status  | Type | Trace
+------------+-------------------------------+---------+------+-------+
lcc-do6vzd   | Neo4jSinkConnector_0          | RUNNING | sink |       |

Step 5: Check for records

Verify that records are populating the endpoint.

For more information and examples to use with the Confluent Cloud API for Connect, see the Confluent Cloud API for Connect Usage Examples section.

Tip

When you launch a connector, a Dead Letter Queue topic is automatically created. See View Connector Dead Letter Queue Errors in Confluent Cloud for details.

Configuration Properties

Use the following configuration properties with the fully-managed connector. For self-managed connector property definitions and other details, see the connector docs in Self-managed connectors for Confluent Platform.

How should we connect to your data?

name

Sets a name for your connector.

• Type: string

• Valid Values: A string at most 64 characters long

• Importance: high

Schema Config

schema.context.name

Add a schema context name. A schema context represents an independent scope in Schema Registry. It is a separate sub-schema tied to topics in different Kafka clusters that share the same Schema Registry instance. If not used, the connector uses the default schema configured for Schema Registry in your Confluent Cloud environment.

• Type: string

• Default: default

• Importance: medium

Kafka Cluster credentials

kafka.auth.mode

Kafka Authentication mode. It can be one of KAFKA_API_KEY or SERVICE_ACCOUNT. It defaults to KAFKA_API_KEY mode, whenever possible.

• Type: string

• Valid Values: SERVICE_ACCOUNT, KAFKA_API_KEY

• Importance: high

kafka.api.key

Kafka API Key. Required when kafka.auth.mode==KAFKA_API_KEY.

• Type: password

• Importance: high

kafka.service.account.id

The Service Account that will be used to generate the API keys to communicate with Kafka Cluster.

• Type: string

• Importance: high

kafka.api.secret

Secret associated with Kafka API key. Required when kafka.auth.mode==KAFKA_API_KEY.

• Type: password

• Importance: high

Connection

neo4j.uri

The Neo4j endpoint URL. For example, neo4j+s://xxxx.databases.neo4j.io. You can specify multiple URIs separated by a comma (,).

• Type: string

• Default: “”

• Importance: high

neo4j.database

The name of your Neo4j database.

• Type: string

• Default: “”

• Importance: high

neo4j.authentication.type

Authentication type to use to authenticate with the database. Valid values are NONE, BASIC, KERBEROS, BEARER, CUSTOM.

• Type: string

• Default: BASIC

• Valid Values: BASIC, BEARER, CUSTOM, KERBEROS, NONE

• Importance: high

neo4j.authentication.basic.username

The name of the Neo4j database user connecting to the Neo4j database. Required when neo4j.authentication.type is set to BASIC.

• Type: string

• Default: “”

• Importance: high

neo4j.authentication.basic.password

The password for the Neo4j database user connecting to the Neo4j database. Required when neo4j.authentication.type is set to BASIC.

• Type: password

• Default: [hidden]

• Importance: high

neo4j.authentication.basic.realm

The authentication realm to authenticate with. Leave this field empty to use the default realm.

• Type: string

• Default: “”

• Importance: low

neo4j.authentication.kerberos.ticket

Kerberos ticket to establish connection with. Required when neo4j.authentication.type is set to KERBEROS.

• Type: password

• Default: [hidden]

• Importance: high

neo4j.authentication.bearer.token

Bearer token to establish connection with. Required when neo4j.authentication.type is set to BEARER.

• Type: password

• Default: [hidden]

• Importance: high

neo4j.authentication.custom.scheme

Custom authentication scheme to establish connection with. Required when neo4j.authentication.type is set to CUSTOM.

• Type: string

• Default: “”

• Importance: high

neo4j.authentication.custom.principal

Custom principal to establish connection with. Required when neo4j.authentication.type is set to CUSTOM.

• Type: string

• Default: “”

• Importance: high

neo4j.authentication.custom.credentials

Custom credential to establish connection with. Required when neo4j.authentication.type is set to CUSTOM.

• Type: password

• Default: [hidden]

• Importance: high

neo4j.authentication.custom.realm

Custom authentication realm to authenticate with. Set this as required by your custom authentication provider.

• Type: string

• Default: “”

• Importance: high

neo4j.security.encrypted

Specify whether connection encryption is enabled. Only applicable when bolt or neo4j schemes are used inside the neo4j.uri.

• Type: boolean

• Default: false

• Importance: low

neo4j.security.trust-strategy

Trust strategy to use for TLS connections. Valid options are TRUST_ALL_CERTIFICATES, TRUST_CUSTOM_CA_SIGNED_CERTIFICATES, TRUST_SYSTEM_CA_SIGNED_CERTIFICATES. Required when neo4j.security.encrypted is set to true.

• Type: string

• Default: TRUST_SYSTEM_CA_SIGNED_CERTIFICATES

• Valid Values: TRUST_ALL_CERTIFICATES, TRUST_CUSTOM_CA_SIGNED_CERTIFICATES, TRUST_SYSTEM_CA_SIGNED_CERTIFICATES

• Importance: low

neo4j.security.cert-files

Upload the certificate files that contain X509 certificates of CAs to trust. Required when neo4j.security.trust-strategy is set to TRUST_CUSTOM_CA_SIGNED_CERTIFICATES.

• Type: password

• Importance: low

neo4j.security.hostname-verification-enabled

Specify whether hostname verification is enabled during the TLS handshake.

• Type: boolean

• Default: true

• Importance: low

Common Sink Settings

neo4j.batch-size

The maximum number of messages the connector processes per transaction per topic.

• Type: int

• Default: 1000

• Valid Values: [1000,…,100000]

• Importance: medium

neo4j.batch-timeout

The maximum amount of time the connector allows a batch to be processed. Valid units are ms, s, m, h, and d. Defaults to s.

• Type: string

• Default: 0s

• Valid Values: Must match the regex ^[0-9]\d*(ms|s|m|h|d)$

• Importance: medium

Cypher Strategy

neo4j.cypher.topic.map

Cypher statement to run for the specified topic. For example, {“my-topic1”: “MERGE (n:Person {name: __value.name})”, “my-topic2”: “MATCH (n:Person {name: __value.name}) SET n.age = __value.age”}

• Type: string

• Default: {}

• Importance: medium

neo4j.cypher.bind-timestamp-as

Specify the name under which the message timestamp will be bound in Cypher statements. Set this to an empty string to disable binding.

• Type: string

• Default: __timestamp

• Importance: medium

neo4j.cypher.bind-header-as

Specify the name under which the message header will be bound in Cypher statements (bound as a map of header names to values). Set to an empty string to disable binding.

• Type: string

• Default: __header

• Importance: medium

neo4j.cypher.bind-key-as

The name under which the message key will be bound in Cypher statements. Set to an empty string to disable binding.

• Type: string

• Default: __key

• Importance: medium

neo4j.cypher.bind-value-as

The name under which the message value will be bound in Cypher statements. Set to an empty string to disable binding.

• Type: string

• Default: __value

• Importance: medium

neo4j.cypher.bind-value-as-event

Specify whether the message value will be bound as event in Cypher statements for backward compatibility.

• Type: boolean

• Default: true

• Importance: medium

Pattern Strategy

neo4j.pattern.topic.map

The node or relationship pattern the connector applies to messages received from the specified topic. For example, {“user1”: “(:User{!userId})”, “user2”: “(:User{!userId})-[:KNOWS]→(:User{!otherUserId})”}

• Type: string

• Default: {}

• Importance: medium

neo4j.pattern.merge-node-properties

Specify whether to merge incoming properties with existing properties of nodes.

• Type: boolean

• Default: false

• Importance: medium

neo4j.pattern.merge-relationship-properties

Specify whether to merge incoming properties with existing properties of relationships.

• Type: boolean

• Default: false

• Importance: medium

neo4j.pattern.bind-timestamp-as

The name under which the message timestamp will be bound in patterns. Set to an empty string to disable binding.

• Type: string

• Default: __timestamp

• Importance: medium

neo4j.pattern.bind-header-as

The name under which the message header will be bound in patterns (bound as a map of header names to values). Set to an empty string to disable binding.

• Type: string

• Default: __header

• Importance: medium

neo4j.pattern.bind-key-as

The name under which the message key will be bound in patterns. Set to an empty string to disable binding.

• Type: string

• Default: __key

• Importance: medium

neo4j.pattern.bind-value-as

The name under which the message value will be bound in patterns. Set to an empty string to disable binding.

• Type: string

• Default: __value

• Importance: medium

CDC Strategy

neo4j.cdc.schema.topics

The topic(s) that contain CDC events generated by a Source instance of this connector using CDC source strategy.

• Type: string

• Default: “”

• Importance: medium

neo4j.cdc.source-id.topics

The topic(s) that contain CDC events generated by a Source instance of this connector using CDC source strategy.

• Type: string

• Default: “”

• Importance: medium

neo4j.cdc.source-id.label-name

The label name attached to the nodes managed by the CDC Source Id strategy.

• Type: string

• Default: SourceEvent

• Importance: medium

neo4j.cdc.source-id.property-name

The ID property name attached to the nodes managed by the CDC Source Id strategy.

• Type: string

• Default: sourceId

• Importance: medium

CUD Strategy

neo4j.cud.topics

The topic(s) that contain CUD (Create, Update, Delete) events.

• Type: string

• Default: “”

• Importance: medium

Additional Configs

consumer.override.auto.offset.reset

Defines the behavior of the consumer when there is no committed position (which occurs when the group is first initialized) or when an offset is out of range. You can choose either to reset the position to the “earliest” offset (the default) or the “latest” offset. You can also select “none” if you would rather set the initial offset yourself and you are willing to handle out of range errors manually. More details: https://docs.confluent.io/platform/current/installation/configuration/consumer-configs.html#auto-offset-reset

• Type: string

• Importance: low

consumer.override.isolation.level

Controls how to read messages written transactionally. If set to read_committed, consumer.poll() will only return transactional messages which have been committed. If set to read_uncommitted (the default), consumer.poll() will return all messages, even transactional messages which have been aborted. Non-transactional messages will be returned unconditionally in either mode. More details: https://docs.confluent.io/platform/current/installation/configuration/consumer-configs.html#isolation-level

• Type: string

• Importance: low

header.converter

The converter class for the headers. This is used to serialize and deserialize the headers of the messages.

• Type: string

• Importance: low

key.converter.use.schema.guid

The schema GUID to use for deserialization when using ConfigSchemaIdDeserializer. This allows you to specify a fixed schema GUID to be used for deserializing message keys. Only applicable when key.converter.key.schema.id.deserializer is set to ConfigSchemaIdDeserializer.

• Type: string

• Importance: low

key.converter.use.schema.id

The schema ID to use for deserialization when using ConfigSchemaIdDeserializer. This allows you to specify a fixed schema ID to be used for deserializing message keys. Only applicable when key.converter.key.schema.id.deserializer is set to ConfigSchemaIdDeserializer.

• Type: int

• Importance: low

value.converter.allow.optional.map.keys

Allow optional string map key when converting from Connect Schema to Avro Schema. Applicable for Avro Converters.

• Type: boolean

• Importance: low

value.converter.auto.register.schemas

Specify if the Serializer should attempt to register the Schema.

• Type: boolean

• Importance: low

value.converter.connect.meta.data

Allow the Connect converter to add its metadata to the output schema. Applicable for Avro Converters.

• Type: boolean

• Importance: low

value.converter.enhanced.avro.schema.support

Enable enhanced schema support to preserve package information and Enums. Applicable for Avro Converters.

• Type: boolean

• Importance: low

value.converter.enhanced.protobuf.schema.support

Enable enhanced schema support to preserve package information. Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.flatten.unions

Whether to flatten unions (oneofs). Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.generate.index.for.unions

Whether to generate an index suffix for unions. Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.generate.struct.for.nulls

Whether to generate a struct variable for null values. Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.int.for.enums

Whether to represent enums as integers. Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.latest.compatibility.strict

Verify latest subject version is backward compatible when use.latest.version is true.

• Type: boolean

• Importance: low

value.converter.object.additional.properties

Whether to allow additional properties for object schemas. Applicable for JSON_SR Converters.

• Type: boolean

• Importance: low

value.converter.optional.for.nullables

Whether nullable fields should be specified with an optional label. Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.optional.for.proto2

Whether proto2 optionals are supported. Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.scrub.invalid.names

Whether to scrub invalid names by replacing invalid characters with valid characters. Applicable for Avro and Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.use.latest.version

Use latest version of schema in subject for serialization when auto.register.schemas is false.

• Type: boolean

• Importance: low

value.converter.use.optional.for.nonrequired

Whether to set non-required properties to be optional. Applicable for JSON_SR Converters.

• Type: boolean

• Importance: low

value.converter.use.schema.guid

The schema GUID to use for deserialization when using ConfigSchemaIdDeserializer. This allows you to specify a fixed schema GUID to be used for deserializing message values. Only applicable when value.converter.value.schema.id.deserializer is set to ConfigSchemaIdDeserializer.

• Type: string

• Importance: low

value.converter.use.schema.id

The schema ID to use for deserialization when using ConfigSchemaIdDeserializer. This allows you to specify a fixed schema ID to be used for deserializing message values. Only applicable when value.converter.value.schema.id.deserializer is set to ConfigSchemaIdDeserializer.

• Type: int

• Importance: low

value.converter.wrapper.for.nullables

Whether nullable fields should use primitive wrapper messages. Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

value.converter.wrapper.for.raw.primitives

Whether a wrapper message should be interpreted as a raw primitive at root level. Applicable for Protobuf Converters.

• Type: boolean

• Importance: low

errors.tolerance

Use this property if you would like to configure the connector’s error handling behavior. WARNING: This property should be used with CAUTION for SOURCE CONNECTORS as it may lead to dataloss. If you set this property to ‘all’, the connector will not fail on errant records, but will instead log them (and send to DLQ for Sink Connectors) and continue processing. If you set this property to ‘none’, the connector task will fail on errant records.

• Type: string

• Default: all

• Importance: low

key.converter.key.schema.id.deserializer

The class name of the schema ID deserializer for keys. This is used to deserialize schema IDs from the message headers.

• Type: string

• Default: io.confluent.kafka.serializers.schema.id.DualSchemaIdDeserializer

• Importance: low

key.converter.key.subject.name.strategy

How to construct the subject name for key schema registration.

• Type: string

• Default: TopicNameStrategy

• Importance: low

key.converter.replace.null.with.default

Whether to replace fields that have a default value and that are null to the default value. When set to true, the default value is used, otherwise null is used. Applicable for JSON Key Converter.

• Type: boolean

• Default: true

• Importance: low

key.converter.schemas.enable

Include schemas within each of the serialized keys. Input message keys must contain schema and payload fields and may not contain additional fields. For plain JSON data, set this to false. Applicable for JSON Key Converter.

• Type: boolean

• Default: false

• Importance: low

value.converter.decimal.format

Specify the JSON/JSON_SR serialization format for Connect DECIMAL logical type values with two allowed literals:

BASE64 to serialize DECIMAL logical types as base64 encoded binary data and

NUMERIC to serialize Connect DECIMAL logical type values in JSON/JSON_SR as a number representing the decimal value.

• Type: string

• Default: BASE64

• Importance: low

value.converter.flatten.singleton.unions

Whether to flatten singleton unions. Applicable for Avro and JSON_SR Converters.

• Type: boolean

• Default: false

• Importance: low

value.converter.ignore.default.for.nullables

When set to true, this property ensures that the corresponding record in Kafka is NULL, instead of showing the default column value. Applicable for AVRO,PROTOBUF and JSON_SR Converters.

• Type: boolean

• Default: false

• Importance: low

value.converter.reference.subject.name.strategy

Set the subject reference name strategy for value. Valid entries are DefaultReferenceSubjectNameStrategy or QualifiedReferenceSubjectNameStrategy. Note that the subject reference name strategy can be selected only for PROTOBUF format with the default strategy being DefaultReferenceSubjectNameStrategy.

• Type: string

• Default: DefaultReferenceSubjectNameStrategy

• Importance: low

value.converter.replace.null.with.default

Whether to replace fields that have a default value and that are null to the default value. When set to true, the default value is used, otherwise null is used. Applicable for JSON Converter.

• Type: boolean

• Default: true

• Importance: low

value.converter.schemas.enable

Include schemas within each of the serialized values. Input messages must contain schema and payload fields and may not contain additional fields. For plain JSON data, set this to false. Applicable for JSON Converter.

• Type: boolean

• Default: false

• Importance: low

value.converter.value.schema.id.deserializer

The class name of the schema ID deserializer for values. This is used to deserialize schema IDs from the message headers.

• Type: string

• Default: io.confluent.kafka.serializers.schema.id.DualSchemaIdDeserializer

• Importance: low

value.converter.value.subject.name.strategy

Determines how to construct the subject name under which the value schema is registered with Schema Registry.

• Type: string

• Default: TopicNameStrategy

• Importance: low

Consumer configuration

max.poll.interval.ms

The maximum delay between subsequent consume requests to Kafka. This configuration property may be used to improve the performance of the connector, if the connector cannot send records to the sink system. Defaults to 300000 milliseconds (5 minutes).

• Type: long

• Default: 300000 (5 minutes)

• Valid Values: [60000,…,1800000] for non-dedicated clusters and [60000,…] for dedicated clusters

• Importance: low

max.poll.records

The maximum number of records to consume from Kafka in a single request. This configuration property may be used to improve the performance of the connector, if the connector cannot send records to the sink system. Defaults to 500 records.

• Type: long

• Default: 500

• Valid Values: [1,…,500] for non-dedicated clusters and [1,…] for dedicated clusters

• Importance: low

Input messages

input.data.format

Sets the input Kafka record value format. Valid entries are AVRO, JSON_SR, PROTOBUF, JSON or BYTES. Note that you need to have Confluent Cloud Schema Registry configured if using a schema-based message format like AVRO, JSON_SR, and PROTOBUF.

• Type: string

• Default: JSON

• Importance: high

input.key.format

Sets the input Kafka record key format. Valid entries are AVRO, BYTES, JSON, JSON_SR, PROTOBUF, or STRING. Note that you need to have Confluent Cloud Schema Registry configured if using a schema-based message format like AVRO, JSON_SR, and PROTOBUF

• Type: string

• Default: JSON

• Valid Values: AVRO, BYTES, JSON, JSON_SR, PROTOBUF, STRING

• Importance: high

Number of tasks for this connector

tasks.max

Maximum number of tasks for the connector.

• Type: int

• Valid Values: [1,…]

• Importance: high

Which topics do you want to get data from?

topics.regex

A regular expression that matches the names of the topics to consume from. This is useful when you want to consume from multiple topics that match a certain pattern without having to list them all individually.

• Type: string

• Importance: low

topics

Identifies the topic name or a comma-separated list of topic names.

• Type: list

• Importance: high

errors.deadletterqueue.topic.name

The name of the topic to be used as the dead letter queue (DLQ) for messages that result in an error when processed by this sink connector, or its transformations or converters. Defaults to ‘dlq-${connector}’ if not set. The DLQ topic will be created automatically if it does not exist. You can provide ${connector} in the value to use it as a placeholder for the logical cluster ID.

• Type: string

• Default: dlq-${connector}

• Importance: low

Auto-restart policy

auto.restart.on.user.error

Enable connector to automatically restart on user-actionable errors.

• Type: boolean

• Default: true

• Importance: medium

FAQs

Find answers to frequently asked questions about the Neo4j Sink connector for Confluent Cloud.

What is the correct format for the Neo4j URI?

The connector supports the following URI schemes:

• neo4j:// — Unencrypted connection.

• neo4j+s:// — Encrypted connection using a CA-signed certificate.

• neo4j+ssc:// — Encrypted connection using a self-signed certificate.

• bolt:// — Unencrypted connection using the Bolt protocol directly.

• bolt+s:// — Encrypted Bolt connection using a CA-signed certificate.

• bolt+ssc:// — Encrypted Bolt connection using a self-signed certificate.

For neo4j+s://, neo4j+ssc://, bolt+s://, and bolt+ssc:// schemes, the driver handles encryption natively.

The port number is optional and defaults to 7687. Do not include https:// in the URI.

For Neo4j Aura, use neo4j+s://<instance-id>.databases.neo4j.io.

For private networking, use the VPC endpoint DNS name provided by Confluent Cloud as the hostname.

How do I configure SSL/TLS with custom CA certificates?

The URI scheme and the manual security properties are mutually exclusive. Use one of the following approaches:

• URI scheme encryption (recommended): Use neo4j+s:// or bolt+s:// for CA-signed certificates, or neo4j+ssc:// or bolt+ssc:// for self-signed certificates. The driver handles encryption natively and ignores the neo4j.security.encrypted, neo4j.security.trust-strategy, and neo4j.security.cert-files properties when using these schemes.

• Manual encryption configuration: Use neo4j:// or bolt:// and configure the following properties:

  • neo4j.security.encrypted: Set to true.

  • neo4j.security.trust-strategy: Set to TRUST_CUSTOM_CA_SIGNED_CERTIFICATES for custom CA certificates or TRUST_SYSTEM_CA_SIGNED_CERTIFICATES for system CAs.

  • neo4j.security.cert-files: Upload the X509 certificate files in PEM format.

Common handshake failures include missing CA certificates, an incomplete certificate chain, hostname mismatch, or mixing URI scheme encryption with manual security properties.

What should I do if I get Invalid Neo4j credentials errors?

If you receive invalid credentials errors after successfully establishing network connectivity:

1. Verify that the credentials work with your self-managed connector or Neo4j client tools to confirm they are correct.

2. Ensure the authentication type (neo4j.authentication.type) matches your Neo4j server configuration. Valid options are NONE, BASIC, KERBEROS, BEARER, and CUSTOM.

3. For BASIC authentication, double-check the neo4j.authentication.basic.username and neo4j.authentication.basic.password values.

4. Check that the Neo4j user has the necessary privileges to write to the target database.

5. If using SSL/TLS, ensure certificate configuration is correct - see the SSL/TLS configuration question above.

What authentication methods are supported?

Configure authentication via neo4j.authentication.type:

• BASIC (default): Username and password. Configure neo4j.authentication.basic.username and neo4j.authentication.basic.password.

• NONE: No authentication (not recommended for production).

• KERBEROS: Enterprise authentication via neo4j.authentication.kerberos.ticket.

• BEARER: Token authentication via neo4j.authentication.bearer.token.

• CUSTOM: Custom scheme via neo4j.authentication.custom.scheme, neo4j.authentication.custom.principal, and neo4j.authentication.custom.credentials.

BASIC authentication is recommended for most use cases.

How can I improve connector performance and throughput?

Optimize performance by adjusting:

• neo4j.batch-size: Increase from default 1000 for larger batches (reduces transactions but consumes more memory).

• neo4j.batch-timeout: Set to 1s or 5s to accumulate batches (default 0s processes immediately).

• tasks.max: Increase tasks to process partitions in parallel.

• max.poll.records: Increase from default 500 to fetch more records per poll.

• max.poll.interval.ms: Adjust from default 300000 milliseconds.

Monitor Kafka Connect worker memory usage when increasing batch sizes and ensure your Neo4j database has sufficient resources.

Why is my connector showing Running status but not processing records?

If the connector status is RUNNING but records are not being written to Neo4j:

1. Check connector tasks: Verify that all tasks are in the RUNNING state. A connector can show as RUNNING even if individual tasks have failed.

2. Review error logs: Check the connector logs in the Confluent Cloud console for error messages or warnings that indicate processing failures.

3. Verify topic data: Ensure your source Kafka topic contains records and the connector is consuming from the correct offset.

4. Validate configuration: Confirm that your strategy configuration for Cypher, Pattern, or CDC is syntactically correct and matches your data format.

5. Test database connectivity: Verify that the connector can reach your Neo4j database by checking for any network or authentication errors in the logs.

6. Check Dead Letter Queue: If you have configured a Dead Letter Queue (DLQ), check if failed records are being sent there, which indicates processing errors.

How do I configure a Dead Letter Queue for failed records?

The DLQ topic is created automatically for sink connectors when you configure the following properties:

• errors.tolerance: Set to all to continue processing on errors.

• errors.deadletterqueue.topic.name: Specify your DLQ topic name.

• errors.deadletterqueue.context.headers.enable: Set to true for error context (recommended).

• errors.log.enable and errors.log.include.messages: Optionally log errors.

Common reasons for DLQ records: Malformed Cypher queries, data type mismatches, constraint violations, missing required fields, or serialization errors. Monitor your DLQ topic regularly.

What should I do if connector validation fails during creation?

If the connector fails validation when you try to create or update it:

1. Review the error message: The validation error provides specific details about which configuration property is invalid.

2. Common validation errors:

   • Invalid URI format: Ensure the neo4j.uri follows the correct format. See the URI format question above.

   • Missing required properties: Check that all required authentication properties are provided including username and password.

   • Strategy configuration syntax errors: Verify that JSON in neo4j.cypher.topic.map or neo4j.pattern.topic.map is properly formatted and escaped.

   • Invalid authentication type: Ensure neo4j.authentication.type matches one of the supported values.

3. Test connectivity separately: Before configuring the connector, verify that you can connect to your Neo4j database from Confluent Cloud using the URI and credentials.

4. Check for typos: Configuration property names are case-sensitive. Common mistakes include:

   • neo4j.uri (correct) vs neo4j.url (incorrect)

   • neo4j.batch-size (correct) vs neo4j.batchsize (incorrect)

5. If validation continues to fail, use the Confluent Cloud CLI or API to retrieve detailed error messages that may not be visible in the console.

Next Steps

For an example that shows fully-managed Confluent Cloud connectors in action with Confluent Cloud for Apache Flink, see the Cloud ETL Demo. This example also shows how to use Confluent CLI to manage your resources in Confluent Cloud.