Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-100260

Do not error if QE schema is sent with non-CSFLE JSON schema

XMLWordPrintableJSON

    • Query Integration

      Summary

      Do not error if query analysis (mongocryptd/crypt_shared) receives a command with encryptionInformation and csfleEncryptionSchemas when csfleEncryptionSchemas only contains non-CSFLE remote JSON schema.

      Background

      Support for $lookup requires sending multiple schemas to query analysis. Example:

      # Auto encryption needs schemas for both db.c1 and db.c2:
results = encrypted_client["db"]["c1"].aggregate([{
    "$lookup": {
        "from": "c2",
        "localField": "joinme",
        "foreignField": "joinme",
        "as": "matched"
    }
}]).to_list()

      Using QE and CSFLE in the same operation is unsupported. 8.1.0-alpha0 mongocryptd expectedly errors if receiving both QE schema and a CSFLE schema:

      Cannot specify both encryptionInformation and csfleEncryptionSchemas

      However, if db.c1 has a QE schema (encryptedFields) and db.c2 has a non-CSFLE remote JSON schema, the error is (unexpectedly) still returned. See example.

      This poses a problem for libmongocrypt. libmongocrypt does not parse the JSON schema to identify encrypted fields. libmongocrypt relies on query analysis to determine if the JSON schema requires encryption.

      In the short-term, MONGOCRYPT-768 plans to return an explanatory error when $lookup is done with a QE schema and a remote JSON schema. Users can specify collections in encryptedFieldsMap to ignore the remote JSON schema.

            Assignee:
            naama.bareket@mongodb.com Naama Bareket
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: