[Spike] Investigate PyMongo's create_encrypted_collection should include keyAltNames


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Unknown
    • Affects Version/s: None
    • Component/s: None
    • Python Drivers

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?


      Context

      Queryable Encryption integration in Django revealed the need to query the key vault for existing keys, which is only possible if the keys have keyAltName set.

      The solution would look like this:

              field_list = []
              for field in fields:
                  if getattr(field, "encrypted", False):
                      # Deterministic name, so the key can be found again later.
                      key_alt_name = f"{db_table}_{field.column}"
                      if from_db:
                          # Reuse the existing data key recorded in the key vault.
                          key_doc = key_vault_collection.find_one({"keyAltNames": key_alt_name})
                          if not key_doc:
                              raise ValueError(f"No key found in keyvault for keyAltName={key_alt_name}")
                          data_key = key_doc["_id"]
                      else:
                          # Create a new data key and tag it with the alt name.
                          data_key = client_encryption.create_data_key(
                              kms_provider=kms_provider,
                              master_key=master_key,
                              key_alt_names=[key_alt_name],
                          )
                      field_dict = {
                          "bsonType": field.db_type(connection),
                          "path": field.column,
                          "keyId": data_key,
                      }
                      if field.queries:
                          field_dict["queries"] = field.queries
                      field_list.append(field_dict)

      Definition of done

      Add code to PyMongo's create_data_keys to add keyAltName

       

      Pitfalls

      None, assuming adding keyAltName does not include unforeseen consequences, which at present it does not.
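
One way the lookup-or-create step could be applied to an encrypted_fields document whose keyId values are null, as an added example that is not PyMongo's or the reporter's code. `fill_key_ids` and `InMemoryClientEncryption` are hypothetical names; the stand-in class is constructed so the example runs without a server and assumes a unique index on keyAltNames in the key vault.

```python
import copy
import uuid


def fill_key_ids(client_encryption, coll_name, encrypted_fields,
                 kms_provider, master_key=None):
    """Return a copy of encrypted_fields with every null keyId filled in.

    Each key is tagged with the keyAltName "<collection>_<path>" (the naming
    used in the ticket); an existing key with that name is reused.
    """
    result = copy.deepcopy(encrypted_fields)  # never mutate the caller's dict
    for field in result.get("fields", []):
        if field.get("keyId") is not None:
            continue  # caller supplied an explicit key
        alt_name = f"{coll_name}_{field['path']}"
        key_doc = client_encryption.get_key_by_alt_name(alt_name)
        if key_doc is not None:
            field["keyId"] = key_doc["_id"]
        else:
            field["keyId"] = client_encryption.create_data_key(
                kms_provider, master_key=master_key, key_alt_names=[alt_name]
            )
    return result


class InMemoryClientEncryption:
    """Constructed stand-in for ClientEncryption (assumption, offline only)."""

    def __init__(self):
        self.keys = []  # plays the role of the key vault collection

    def get_key_by_alt_name(self, key_alt_name):
        for doc in self.keys:
            if key_alt_name in doc["keyAltNames"]:
                return doc
        return None

    def create_data_key(self, kms_provider, master_key=None, key_alt_names=None):
        names = key_alt_names or []
        if any(self.get_key_by_alt_name(n) for n in names):
            # Mimics the assumed unique index on keyAltNames.
            raise ValueError("duplicate keyAltName")
        doc = {"_id": uuid.uuid4(), "keyAltNames": list(names)}
        self.keys.append(doc)
        return doc["_id"]
```

Running it twice against the same key vault returns the same keyId values, which is the property the Django integration needs when it rebuilds the schema from the database.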

            Assignee:
            Unassigned
            Reporter:
            Alex Clark