nicholas.zolnierz
So it turns out this might be a more widespread issue:
// Automatic client-side field level encryption options passed to Mongo()
// further down. The schemaMap is deliberately left as the reporter wrote it:
// the `encrypt` spec for `taxid` carries no `bsonType`, which is the
// incomplete definition this report is about.
var AutoClientSideFieldLevelEncryptionOptions = {
  // Namespace of the key vault collection (matches getKeyVault().keyColl below).
  keyVaultNamespace: "encryption.__dataKeys",
  kmsProviders: {
    local: {
      // Local master key: 96 bytes, base64-encoded. With the `local` provider the
      // master key is held by the client; the value here is the reporter's test key.
      key: BinData(0, "w4+YaEYJc91kI+vi3zID6ryXhQDzRDsoGiV7KczPTbHFKvfg7Ypa0C5gnqB+ybaY+xxl3nYijfhWA0xvMSUO1IzEi3XwpwbH1Zune2AnYuyhq44nXfgn5Yk1rbO0Jxes"),
    },
  },
  schemaMap: {
    "hr.employees": {
      bsonType: "object",
      properties: {
        taxid: {
          encrypt: {
            keyId: [UUID("33408ee9-e499-43f9-89fe-5f8533870617")],
            // NOTE: no `bsonType` alongside a Deterministic algorithm. The shell
            // accepts this at connection time; the insert below is what rejects it
            // ("A deterministically encrypted field must have exactly one specified type").
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
          },
        },
      },
    },
  },
};
The code above has an incomplete definition for the encrypt field. However, I can still create a connection with the incorrect schemaMap:
// Open an auto-encrypting connection with the options defined above.
// Construction succeeds even though the schemaMap is incomplete; the schema
// is not validated at this point, only when a write is attempted.
autoEncryptionCluster = Mongo(
  "mongodb://192.168.56.11:27017/?replicaSet=warzone",
  AutoClientSideFieldLevelEncryptionOptions
);
connection to warzone/192.168.56.11:27017
MongoDB Enterprise warzone:PRIMARY>
MongoDB Enterprise warzone:PRIMARY> autoEncryptionCluster.getKeyVault()
{
"mongo" : connection to warzone/192.168.56.11:27017,
"keyColl" : encryption.__dataKeys
}
I only get an error when I try to perform a write operation:
MongoDB Enterprise warzone:PRIMARY> autoEncryptionCluster.getDB("hr").getCollection("employees").insertOne({"taxid" : "foo"})
2019-10-25T15:51:29.490-0400 E QUERY [js] Error: A deterministically encrypted field must have exactly one specified type. :
runClientFunctionWithRetries@src/mongo/shell/session.js:366:27
runCommand@src/mongo/shell/session.js:460:25
DB.prototype._runCommandImpl@src/mongo/shell/db.js:147:12
DB.prototype.runCommand@src/mongo/shell/db.js:162:16
DBCollection.prototype._dbCommand@src/mongo/shell/collection.js:171:16
executeBatch@src/mongo/shell/bulk_api.js:912:22
Bulk/this.execute@src/mongo/shell/bulk_api.js:1163:21
DBCollection.prototype.insertOne@src/mongo/shell/crud_api.js:264:9
@(shell):1:1
cc mark.benvenuto@mongodb.com — as an aside, this somewhat reinforces SERVER-43884, as the returned error does not make it clear at all that the user has an issue with their automatic encryption schema. This is actually made worse if the client is inheriting the schema from the server, as there is no indication that the remote schema is the source of the failure.