[DOCS-12596] Docs for SERVER-39251: Implement translation of delete command for mongocryptd Created: 02/Apr/19  Updated: 13/Nov/23  Resolved: 26/Nov/19

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 4.1.10, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task Priority: Major - P3
Reporter: Kay Kim (Inactive) Assignee: Unassigned
Resolution: Gone away Votes: 0
Labels: docs-4.2-client-side-encryption
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-39251 Implement translation of delete comma... Closed
Participants:
Days since reply: 4 years, 11 weeks, 1 day ago
Epic Link: DOCS: 4.2 Server/Tools

 Description   

This probably should be documented as part of our docs for the FLE project as a whole. But it should mention that delete is supported for automatic encryption using mongocryptd.

Scope of changes

Impact to Other Docs

MVP (Work and Date)

Resources (Scope or Design Docs, Invision, etc.)



 Comments   
Comment by Ravind Kumar (Inactive) [ 26/Nov/19 ]

Documented here: https://docs.mongodb.com/manual/reference/security-client-side-query-aggregation-support/#supported-read-and-write-commands

Comment by Ravind Kumar (Inactive) [ 12/Jul/19 ]

Can't find the source for the life of me, but your explanation captured what I was looking for. Thanks!

Comment by David Storch [ 10/Jul/19 ]

ravind.kumar, where did that text come from? I'm having a hard time parsing it myself!

If I understand correctly, the example scenario is that the schema says both foo and bar are deterministically encrypted, and you wish to delete documents that have particular values of foo and bar. That's a supported scenario. If you have a shell or driver with client-side encryption enabled, then you can write code to issue an operation like db.collection.remove({foo: {$eq: 3}, bar: {$eq: 4}}). The shell or driver will use its protocol involving mongocryptd and libmongocrypt to encrypt the constants 3 and 4 before shipping the operation to the server. The server will then perform the delete operation, using the BinData ciphertext to determine which documents to delete.

For deterministic deletions I assume this is somewhat straightforward, but with random I'm assuming we'd have to check every document in the collection to find matching values of foo and bar?

The operation I described above will only work transparently if foo and bar are both encrypted with the deterministic algorithm. If either one of them is encrypted with the random algorithm, then mongocryptd will return an error (which will be propagated to the user) before the command ever makes it to the server. Since randomly encrypted values aren't queryable on the server, I don't think there is an easy way for the user to perform the db.collection.remove({foo: {$eq: 3}, bar: {$eq: 4}}) operation over randomly encrypted fields. The application would have to be written to delete only by unencrypted fields or deterministically encrypted fields.

Did that answer your question?
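
A toy model of the behaviour described in the comment above, added here as an example; it is not code from this ticket, from mongocryptd or from libmongocrypt. The cipher is a stand-in for the real algorithms, and the key, schema, field `ssn`, helper names and error text are all assumptions; only `$eq` filters are handled.

```python
import hashlib, hmac, os

KEY = b"constructed-demo-key"  # constructed sample key, not a real data key
# Constructed schema: field -> encryption kind; unlisted fields are stored in the clear.
SCHEMA = {"foo": "deterministic", "bar": "deterministic", "ssn": "random"}

def toy_encrypt(value, kind):
    """Toy cipher (NOT the real algorithms): nonce || plaintext XOR keystream."""
    pt = repr(value).encode()
    if kind == "deterministic":
        # Nonce derived from key and plaintext: equal inputs give equal ciphertexts.
        nonce = hmac.new(KEY, pt, hashlib.sha256).digest()[:16]
    else:
        nonce = os.urandom(16)  # fresh nonce: equal inputs give unrelated ciphertexts
    stream = hashlib.shake_256(KEY + nonce).digest(len(pt))
    return nonce + bytes(a ^ b for a, b in zip(pt, stream))

def insert(coll, doc):
    """Client side: encrypt schema fields before the document is stored."""
    coll.append({f: toy_encrypt(v, SCHEMA[f]) if f in SCHEMA else v
                 for f, v in doc.items()})

def translate_delete_filter(filt):
    """Client side: rewrite {field: {"$eq": const}} before it is sent, or refuse."""
    out = {}
    for field, cond in filt.items():
        kind = SCHEMA.get(field)
        if kind == "random":
            raise ValueError(f"{field}: randomly encrypted fields are not queryable")
        out[field] = {"$eq": toy_encrypt(cond["$eq"], kind)} if kind else cond
    return out

def server_delete(coll, filt):
    """Server side: holds no key, matches stored bytes against the filter bytes."""
    keep = [d for d in coll
            if not all(d.get(f) == c["$eq"] for f, c in filt.items())]
    deleted = len(coll) - len(keep)
    coll[:] = keep
    return deleted

if __name__ == "__main__":
    coll = []
    for foo, bar, ssn in [(3, 4, "a"), (3, 5, "b"), (3, 4, "c")]:  # constructed data
        insert(coll, {"foo": foo, "bar": bar, "ssn": ssn, "note": "plain"})
    print(server_delete(coll, translate_delete_filter({"foo": {"$eq": 3}, "bar": {"$eq": 4}})))
    try:
        translate_delete_filter({"ssn": {"$eq": "a"}})
    except ValueError as err:
        print("rejected before reaching the server:", err)
```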

Comment by Ravind Kumar (Inactive) [ 08/Jul/19 ]

david.storch@mongodb.com having a bit of trouble parsing this, but spitballing:

 

If deleting foo: a, bar: b where both foo and bar are encrypted, we support decrypting values of foo and bar to only delete documents with matching values?

For deterministic deletions I assume this is somewhat straightforward, but with random I'm assuming we'd have to check every document in the collection to find matching values of foo and bar?

Generated at Thu Feb 08 08:05:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.