MongoDB field level encryption in AWS Lambda

I am trying to use MongoDB field level encryption in Lambda. I packaged the mongocryptd binary for Amazon Linux 2 with the lambda and made sure it is present in the current path. But connecting to the server does not work. I get the following error: "MongoServerSelectionError: connect ECONNREFUSED 127.0.0.1:27020"

Running the handler code in an Amazon Linux 2 docker image works as expected. Running the lambda without the auto encryption option also works as expected, so basically the lambda can reach the mongo cluster. I also tried using the local master key provider, to no avail.

Update: spawning the mongocryptd process manually in the lambda with const child = spawn("mongocryptd", []) resulted in errors because of libraries that are missing from the Lambda container (although they are present in the Amazon Linux 2 docker image). I added all the missing libraries, so I can now spawn the process manually. But I still get the error above.

Here is my lambda code:

const { Binary, MongoClient } = require("mongodb");
const connectionString = "mongodb+srv://OMITTED.mongodb.net/development?retryWrites=true&w=majority";
const keyVaultNamespace = "development.__keyVault";
const base64KeyId = "OMITTED";
const path = require("path");

// add mongocryptd to $PATH
process.env.PATH = `${process.env.PATH}:${path.resolve(__dirname, "bin")}`;

const kmsProviders = {
  aws: {
    accessKeyId: "OMITTED",
    secretAccessKey: "OMITTED",
  },
};

const createSchema = () => {
  return {
    "development.test": {
      bsonType: "object",
      encryptMetadata: {
        keyId: [new Binary(Buffer.from(base64KeyId, "base64"), 4)],
      },
      properties: {
        foo: {
          encrypt: {
            bsonType: "string",
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
          },
        },
      },
    },
  };
};

module.exports.hello = async (event) => {
  const secureClient = new MongoClient(connectionString, {
    useNewUrlParser: true,
    useUnifiedTopology: true,
    autoEncryption: {
      keyVaultNamespace,
      kmsProviders,
      schemaMap: createSchema(),
    },
  });

  // declared outside the try block so it is still in scope for the response
  let resp = [];
  try {
    await secureClient.connect();
    const collection = secureClient.db("development").collection("test");
    resp = await collection.find({}).toArray();
    console.log("RESP", JSON.stringify(resp));
  } catch (error) {
    console.log(error);
  } finally {
    await secureClient.close();
  }

  return {
    statusCode: 200,
    body: JSON.stringify(resp),
  };
};

Update 2: spawning the mongocryptd process manually in the lambda and logging its stdout gives me the following output. Something seems to be wrong in the first output.

START RequestId: 52efeae4-3da9-46d2-b04a-72ba18c92d87 Version: $LATEST
2020-08-29T07:44:54.379Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.372+00:00"},"s":"I",  "c":"CONTROL",  "id":23103,   "ctx":"SignalHandler","msg":"Ignoring error from setting thread name","attr":{"error":"Operation not permitted"}}

2020-08-29T07:44:54.381Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.380+00:00"},"s":"I",  "c":"CONTROL",  "id":4615669, "ctx":"initandlisten","msg":"MongoCryptD starting","attr":{"pid":20,"port":27020,"socketFile":"/tmp/mongocryptd.sock","architecture":"64-bit","host":"169.254.13.13"}}

2020-08-29T07:44:54.381Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I",  "c":"CONTROL",  "id":23403,   "ctx":"initandlisten","msg":"Build Info","attr":{"buildInfo":{"version":"4.4.0","gitVersion":"563487e100c4215e2dce98d0af2a6a5a2d67c5cf","openSSLVersion":"OpenSSL 1.0.2k-fips  26 Jan 2017","modules":["enterprise"],"allocator":"tcmalloc","environment":{"distmod":"amazon2","distarch":"x86_64","target_arch":"x86_64"}}}}
{"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I",  "c":"CONTROL",  "id":51765,   "ctx":"initandlisten","msg":"Operating System","attr":{"os":{"name":"Amazon Linux release 2 (Karoo)","version":"Kernel 4.14.177-104.253.amzn2.x86_64"}}}
{"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I",  "c":"CONTROL",  "id":21951,   "ctx":"initandlisten","msg":"Options set by command line","attr":{"options":{"processManagement":{"idleShutdownTimeoutSecs":60}}}}

2020-08-29T07:44:54.381Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I",  "c":"CONTROL",  "id":24225,   "ctx":"initandlisten","msg":"Using lock file","attr":{"file":"/var/task/mongocryptd.pid"}}
{"t":{"$date":"2020-08-29T07:44:54.380+00:00"},"s":"I",  "c":"CONTROL",  "id":23103,   "ctx":"SignalHandler","msg":"Ignoring error from setting thread name","attr":{"error":"Operation not permitted"}}

2020-08-29T07:44:54.382Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.382+00:00"},"s":"E",  "c":"CONTROL",  "id":24231,   "ctx":"initandlisten","msg":"Failed to open pid file, exiting","attr":{"error":{"code":98,"codeName":"DBPathInUse","errmsg":"Unable to create/open the lock file: /var/task/mongocryptd.pid (Read-only file system). Ensure the user executing mongod is the owner of the lock file and has the appropriate permissions. Also make sure that another mongod instance is not already running on the /var/task directory"}}}

END RequestId: 52efeae4-3da9-46d2-b04a-72ba18c92d87
REPORT RequestId: 52efeae4-3da9-46d2-b04a-72ba18c92d87  Duration: 3014.10 ms    Billed Duration: 3100 ms    Memory Size: 1024 MB    Max Memory Used: 137 MB Init Duration: 360.02 ms    

The driver silences the output of mongocryptd, which makes spawn problems hard to debug. You can:

  • pass the --logpath argument to mongocryptd as specified here
  • patch the driver to remove the stdout/stderr redirection of the mongocryptd process
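The log in the question ends with mongocryptd failing to create /var/task/mongocryptd.pid, which is the read-only deployment package directory; only /tmp is writable in Lambda. The following is an added example (not code from the question or answer) that builds the spawn settings the Node driver accepts under autoEncryption.extraOptions and parses mongocryptd's JSON log for the real startup error; it assumes mongocryptd accepts --pidfilepath and --logpath like mongod does.

```javascript
// Added example, not from the original question or answer. Assumes the Node
// driver's autoEncryption.extraOptions keys mongocryptdSpawnPath and
// mongocryptdSpawnArgs, and that mongocryptd accepts --pidfilepath/--logpath.

// Lambda's /var/task is read-only; only /tmp is writable. mongocryptd writes
// its pid file into the working directory by default, which is why the posted
// log ends with "Read-only file system". Point pid file and log at /tmp.
function lambdaMongocryptdOptions(binDir, tmpDir = "/tmp") {
  return {
    mongocryptdSpawnPath: `${binDir}/mongocryptd`,
    mongocryptdSpawnArgs: [
      `--pidfilepath=${tmpDir}/mongocryptd.pid`,
      `--logpath=${tmpDir}/mongocryptd.log`,
      "--idleShutdownTimeoutSecs=60",
    ],
  };
}

// mongocryptd 4.4 writes one JSON document per line. Return the first fatal
// entry (severity "E") or null, so a handler can surface the real cause
// instead of the driver's generic ECONNREFUSED on port 27020.
function findStartupError(logText) {
  for (const line of logText.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed.startsWith("{")) continue; // skip Lambda START/END/REPORT lines
    let entry;
    try { entry = JSON.parse(trimmed); } catch (_) { continue; }
    if (entry.s === "E") {
      const err = (entry.attr && entry.attr.error) || {};
      return { id: entry.id, msg: entry.msg, codeName: err.codeName, errmsg: err.errmsg };
    }
  }
  return null;
}

// Constructed sample log, shaped like the output shown in the question.
const SAMPLE_LOG = [
  "START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST",
  '{"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I","c":"CONTROL","id":4615669,"ctx":"initandlisten","msg":"MongoCryptD starting","attr":{"port":27020}}',
  '{"t":{"$date":"2020-08-29T07:44:54.382+00:00"},"s":"E","c":"CONTROL","id":24231,"ctx":"initandlisten","msg":"Failed to open pid file, exiting","attr":{"error":{"code":98,"codeName":"DBPathInUse","errmsg":"Unable to create/open the lock file: /var/task/mongocryptd.pid (Read-only file system)."}}}',
].join("\n");

module.exports = { lambdaMongocryptdOptions, findStartupError, SAMPLE_LOG };
```

Pass the returned object as `autoEncryption.extraOptions` in the MongoClient options; with `--logpath` set, the file under /tmp can be read back and fed to `findStartupError` when the connect fails.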
