-
Type:
Improvement
-
Resolution: Unresolved
-
Priority:
Major - P3
-
None
-
Affects Version/s: None
-
Component/s: None
-
Query Integration
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Request: Error in server 7.x and 8.0 if receiving a Queryable Encryption payload in a $lookup sub-pipeline.
Background
Pre-8.1 servers appear to ignore the QE payload in a sub-pipeline. This may result in missing results.
This example tests behavior on server 8.0:
def testSelfLookup(self): # "db.qe" is configured with QE and contains `{ "qe": "qe" }`. "qe" is encrypted. pipeline = [ { "$lookup": { "from": "qe", "pipeline": [ {"$match": {"qe": "qe"}} ], "as": "matched", } }, {"$project": {"_id": 0, "__safeContent__": 0}}, ] got = self.auto_client["db"]["qe"].aggregate(pipeline).to_list() self.assertEqual(got, [{"qe": "qe", "matched": []}]) # Does not match { "qe": "qe" } in sub-pipeline! def testExplicitLookup(self): # "db.qe2" is configured with QE and contains `{ "qe2": "qe2" }`. "qe2" is encrypted. payload = self.client_encryption.encrypt( "qe2", algorithm=Algorithm.INDEXED, contention_factor=0, key_id=self.key_id ) pipeline = [ { "$lookup": { "from": "qe2", "pipeline": [ {"$match": {"qe2": payload}}, ], "as": "matched", } }, {"$project": {"_id": 0, "__safeContent__": 0}}, ] got = self.explicit_client["db"]["qe"].aggregate(pipeline).to_list() self.assertEqual(got, [{"qe": "qe", "matched": []}]) # Does not match { "qe2": "qe2" } in sub-pipeline!
This may be more likely encountered with SPM-2472. SPM-2472 adds support for auto-encryption of $lookup on multiple collections. If a user has crypt_shared/mongocryptd 8.1+ and uses a pre-8.1 server, it may also miss matches in the sub-pipeline. This was encountered when testing drivers with mixed versions (see slack).
- is related to
-
SERVER-97755 Implement QE server rewrites of $lookup sub-pipelines.
-
- Closed
-