MongoDB Client Side Field Level Encryption (CSFLE) Restricts Operations On Unencrypted Collections
My database contains 3 collections: "patients", "therapists", "subscriptions".
I've configured CSFLE on the db connection, providing a JSON schema which defines field level encryption only on the 'name' and 'email' fields in the 'patients' collection.
The field level encryption / decryption on the 'patients' collection works as expected.
However, now an unrelated aggregation query fails with "MongoError: Pipeline over an encrypted collection cannot reference additional collections."
This error occurs when executing an aggregation query on the 'therapists' collection, which includes a $lookup from the 'subscriptions' collection (not "over an encrypted collection" as the error suggests).
Neither 'therapists' nor 'subscriptions' are defined in the CSFLE JSON schema, and they are not encrypted. I don't understand why this $lookup on unencrypted collections should lead to an error. According to the documentation:
"Automatic client-side field level encryption supports the $lookup and $graphLookup only if the from collection matches the collection on which the aggregation runs against (i.e. self-lookup operations)."
While the limitation may be acceptable when dealing with the 'patients' collection, I don't think it is acceptable when dealing with other, non CSFLE, collections.
I know that I can create 2 separate MongoClient instances, one with CSFLE enabled, and one without, and use the non CSFLE client for the $lookup, but this would introduce extra complexity, and it doesn't seem like a clean and reasonable solution to me.
BTW, I'm using mongoose, but the behaviour is the same when using mongodb directly.
Would you say this is a bug with mongodb?
Any suggestions would be greatly appreciated.
This turned out to be a bug with MongoDB.
Jira ticket: https://jira.mongodb.org/browse/SERVER-50092
This is a current limitation where using an encrypted client assumes that it's necessary and doesn't allow $lookup into another collection.
The current workaround would be to use a non-encrypted client for such aggregations.
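The two-client workaround from the answers above, sketched as a routing check that picks the client per aggregation (an added example, not code from the original posts or from MongoDB). The names `ENCRYPTED`, `referencedCollections` and `chooseClient`, and the sample pipeline fields, are hypothetical; the collection names come from the question.

```javascript
// Collections that have a CSFLE schema on the encrypted connection
// (per the question, only "patients").
const ENCRYPTED = new Set(["patients"]);

// Collect every collection a pipeline reads through $lookup / $graphLookup,
// including $lookup stages nested inside a $lookup sub-pipeline.
function referencedCollections(pipeline, out = new Set()) {
  for (const stage of pipeline) {
    const join = stage.$lookup || stage.$graphLookup;
    if (!join) continue;
    if (join.from) out.add(join.from);
    if (Array.isArray(join.pipeline)) referencedCollections(join.pipeline, out);
  }
  return out;
}

// Decide which MongoClient an aggregation on `source` must run on.
//   "plain"     -> client created without autoEncryption (the workaround)
//   "encrypted" -> client created with autoEncryption
function chooseClient(source, pipeline, encrypted = ENCRYPTED) {
  const others = [...referencedCollections(pipeline)].filter((c) => c !== source);
  const touchesEncrypted =
    encrypted.has(source) || others.some((c) => encrypted.has(c));
  if (!touchesEncrypted) return "plain";
  if (others.length === 0) return "encrypted"; // no join, or self-lookup only
  // Mixed case: the encrypted client rejects the pipeline, and the plain
  // client would return ciphertext for the encrypted fields, so refuse.
  throw new Error(
    `pipeline on "${source}" joins [${others}] and touches an encrypted collection`
  );
}

// Constructed sample: the shape of the failing query from the question.
const therapistsPipeline = [
  { $match: { active: true } },
  { $lookup: { from: "subscriptions", localField: "_id",
               foreignField: "therapistId", as: "subscriptions" } },
];
console.log(chooseClient("therapists", therapistsPipeline));
```

Failing closed on the mixed case keeps the non-CSFLE client from ever being pointed at 'patients', where it would silently hand back encrypted binary values instead of names and emails.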