MongoDB Shell / MONGOSH-591

Keyvault collection might be created on the wrong server


      Problem Description

      • I would expect that I can use FLE by opening a shell initially connected to no db (--nodb option), but that isn't possible
      • The keyvault db/collection seems to be always attached to the original cluster mongosh is connected to

      Steps to Reproduce

      See this script: https://github.com/mmarcon/mongosh-examples/blob/main/fle-gcp.mongodb

      Expected Results

      I can use the script with --nodb and most importantly, I don't have to initially open mongosh connecting to the same cluster where I am eventually going to use FLE.

      Actual Results

      It's all broken and confusing: the keyvault collection is always created on the original connection and not on the one specifically created for that purpose.

      Additional Notes

      I am happy to pair on reproducing it as I have all the variables/credentials required for the script above to run properly but I have the feeling the same behavior can be reproduced also with a local key store.

      In fact, the same happens with the original, simpler script that anna.henningsen wrote:

      // Requires an existing connection: `use` and `db.getMongo()` below fail under --nodb.
      use('hr');
      db.employees.drop();
      
      // Factory function to work around https://jira.mongodb.org/browse/MONGOSH-547
      // (local master key for the 'local' KMS provider; 96 bytes, base64-encoded)
      const local = () => ({ key: BinData(0, 'kh4Gv2N8qopZQMQYMEtww/AkPsIrXNmEMxTrs3tUoTQZbZu4msdRUaR8U5fXD7A7QXYHcEvuu4WctJLoT+NvvV3eeIg3MD+K8H9SR794m/safgRHdIfy6PD+rFpvmFbY') });
      
      // Separate connection intended to own the key vault (same URI as the initial connection here)
      const keyMongo = Mongo(db.getMongo()._uri, {
        keyVaultNamespace: 'encryption.__keyVault',
        kmsProvider: { local: local() }
      });
      
      // Create a data encryption key; it should be stored in encryption.__keyVault on keyMongo's server
      const keyVault = keyMongo.getKeyVault();
      let keyId = keyVault.createKey('local', '');
      
      // Automatic encryption schema: hr.employees.taxid is encrypted with the key just created
      const schemaMap = {
        'hr.employees': {
          bsonType: 'object',
          properties: {
            taxid: {
              encrypt: {
                keyId: [keyId],
                bsonType: 'string',
                algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
              }
            }
          }
        }
      };
      
      // Connection with automatic encryption enabled via the schema map
      const autoMongo = Mongo(db.getMongo()._uri, {
        keyVaultNamespace: 'encryption.__keyVault',
        kmsProvider: { local: local() },
        schemaMap
      });
      
      // Inserts through autoMongo encrypt taxid transparently
      db = autoMongo.getDB('hr');
      db.employees.insertOne({ taxid: 'abc' });
      

      If we run that script with --nodb, it will complain with MongoshInvalidInputError: [SHAPI-10004] No connected database.

      Assignee: Anna Henningsen (anna.henningsen@mongodb.com)
      Reporter: Massimiliano Marcon (massimiliano.marcon@mongodb.com)
      Votes: 0
      Watchers: 2
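The following mongosh script is an added check for the behaviour described in this issue; it is not the reporter's script, nor code from mongosh itself. It connects explicitly to two clusters instead of relying on `db`, so it can run under --nodb, creates a data encryption key through the FLE-enabled connection to the second cluster, and then looks for the key document in the key vault namespace on both connections to show which server it actually landed on. The two URIs are placeholders (assumed to be two separately reachable deployments, e.g. two local mongod instances), and the local master key is the same base64 value used in the script above. The option is spelled `kmsProvider` to match the script in this report; newer mongosh releases document it as `kmsProviders`.

```mongosh
// Added check script (not from the issue or from mongosh). Run with:
//   mongosh --nodb --file check-keyvault-server.mongodb
const CLUSTER_A_URI = 'mongodb://localhost:27017/?appName=keyvault-check-A'; // placeholder, assumption
const CLUSTER_B_URI = 'mongodb://localhost:27018/?appName=keyvault-check-B'; // placeholder, assumption
const keyVaultNamespace = 'encryption.__keyVault';
const [kvDbName, kvCollName] = keyVaultNamespace.split('.');

// Same local master key as the report's script (96 bytes, base64). A test-only key, never reuse it.
const local = () => ({ key: BinData(0, 'kh4Gv2N8qopZQMQYMEtww/AkPsIrXNmEMxTrs3tUoTQZbZu4msdRUaR8U5fXD7A7QXYHcEvuu4WctJLoT+NvvV3eeIg3MD+K8H9SR794m/safgRHdIfy6PD+rFpvmFbY') });

// Cluster A plays the role of the "original" connection mongosh was started with.
const clusterA = Mongo(CLUSTER_A_URI);

// Cluster B is where the key vault is meant to live: the FLE options are attached to this connection only.
const keyMongo = Mongo(CLUSTER_B_URI, {
  keyVaultNamespace,
  kmsProvider: { local: local() }
});

// Create one data encryption key via the FLE-enabled connection.
const keyId = keyMongo.getKeyVault().createKey('local', '');

// Count key documents with this _id in the key vault namespace on a given connection.
function countKeyOn(conn) {
  return conn.getDB(kvDbName).getCollection(kvCollName).countDocuments({ _id: keyId });
}

const onA = countKeyOn(clusterA);
const onB = countKeyOn(keyMongo);
print(`key ${keyId} found on cluster A: ${onA}, on cluster B: ${onB}`);

// Remove the test key from wherever it ended up so no stray key is left in either vault.
for (const conn of [clusterA, keyMongo]) {
  conn.getDB(kvDbName).getCollection(kvCollName).deleteOne({ _id: keyId });
}

// Expected: the key exists only on the cluster the FLE-enabled connection points at.
if (onA !== 0 || onB !== 1) {
  throw new Error('key vault document was created on the wrong server (behaviour reported in MONGOSH-591)');
}
print('OK: key vault document is on the server of the FLE-enabled connection');
```

Check the key vault namespace on both servers after the run as well: a stray key document on cluster A with no corresponding data on cluster B is the symptom to look for, and any key vault collection used beyond a test should carry the unique partial index on keyAltNames that the FLE documentation requires.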