[SERVER-67421] Support Multiple Encrypted Index Types on a Single Field Created: 21/Jun/22  Updated: 05/Dec/22

Status: Backlog
Project: Core Server
Component/s: Queryable Encryption
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Reilly McBride Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:

 Description   

Reasoning/Need:

Now that we're adding Range, a single field could be associated with multiple encrypted indices, in particular both Range and Equality. So when a field is analyzed in an FLE2 supported-queries context, that field could be associated with a set of queries, and every member of that query set should be checked (i.e., confirmed to be a currently supported type).

 

The critical change begins in resolved_encryption_info.h by changing:

stdx::variant<FleAlgorithmEnum, Fle2AlgorithmInt> algorithm;

to:

stdx::variant<FleAlgorithmEnum, std::set<Fle2AlgorithmInt>> algorithm;

(unless a better type has been determined).
 

Details:

Main files:

resolved_encryption_info.cpp & resolved_encryption_info.h (src>mongo>db>modules>enterprise>src>fle>query_analysis)

Notes:

Examples of functions that will likely need to be modified (in resolved_encryption_info.cpp):

  • ResolvedEncryptionInfo constructor, e.g.:
    • initialize algorithm as something like std::set<Fle2AlgorithmInt> algorithm;
      • then set it to the default kUnindexed if the set is empty, before type checking at the end of the constructor
    • instead of algorithm = Fle2AlgorithmInt::kRange, use something like algorithm.insert(Fle2AlgorithmInt::kEquality)
  • algorithmIs(Fle2AlgorithmInt fle2Alg)
    • instead of the current get_if<FleAlgorithmEnum>
    • do something like: ...get_if<std::set<Fle2AlgorithmInt>>...
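
A stand-alone sketch of the change proposed above, added here as an illustration and not taken from the server code base. The class name ResolvedEncryptionInfoSketch, the allSupported helper and the FleAlgorithmEnum members are assumptions, and std::variant stands in for stdx::variant.

```cpp
#include <algorithm>
#include <set>
#include <utility>
#include <variant>

// Stand-in enums for this sketch. Only kUnindexed, kEquality and kRange are
// named in the ticket; the FleAlgorithmEnum members are placeholders.
enum class FleAlgorithmEnum { kDeterministic, kRandom };
enum class Fle2AlgorithmInt { kUnindexed, kEquality, kRange };
using Fle2AlgorithmSet = std::set<Fle2AlgorithmInt>;

class ResolvedEncryptionInfoSketch {  // hypothetical name, not the server class
public:
    explicit ResolvedEncryptionInfoSketch(FleAlgorithmEnum alg) : algorithm(alg) {}

    // FLE2: one entry per configured query type; an empty set falls back to
    // kUnindexed before any further type checking.
    explicit ResolvedEncryptionInfoSketch(Fle2AlgorithmSet algs) {
        if (algs.empty()) algs.insert(Fle2AlgorithmInt::kUnindexed);
        algorithm = std::move(algs);
    }

    bool algorithmIs(FleAlgorithmEnum fle1Alg) const {
        const auto* alg = std::get_if<FleAlgorithmEnum>(&algorithm);
        return alg && *alg == fle1Alg;
    }

    // Membership test replaces the old single-value equality comparison.
    bool algorithmIs(Fle2AlgorithmInt fle2Alg) const {
        const auto* algs = std::get_if<Fle2AlgorithmSet>(&algorithm);
        return algs && algs->count(fle2Alg) > 0;
    }

    // True only if every query type on the field is in `supported`.
    bool allSupported(const Fle2AlgorithmSet& supported) const {
        const auto* algs = std::get_if<Fle2AlgorithmSet>(&algorithm);
        return algs && std::includes(supported.begin(), supported.end(),
                                     algs->begin(), algs->end());
    }

private:
    std::variant<FleAlgorithmEnum, Fle2AlgorithmSet> algorithm;
};

int main() {
    ResolvedEncryptionInfoSketch field(
        Fle2AlgorithmSet{Fle2AlgorithmInt::kEquality, Fle2AlgorithmInt::kRange});
    return field.algorithmIs(Fle2AlgorithmInt::kRange) ? 0 : 1;
}
```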


 Comments   
Comment by Davis Haupt (Inactive) [ 03/Nov/22 ]

Given that, after checking with elizabeth.roytburd@mongodb.com, I'll remove this from PM-2470 and assign it to the Security backlog so that this can be triaged again.

Comment by Mark Benvenuto [ 02/Nov/22 ]

Yes, we would need to make a lot of changes on the storage and execution side to support multiple index types simultaneously for one field. It will get more complicated when you can add and remove index types for a given query.

Comment by Davis Haupt (Inactive) [ 02/Nov/22 ]

mark.benvenuto@mongodb.com, were you still thinking that this ticket would get promoted to an epic?

Comment by Davis Haupt (Inactive) [ 29/Jul/22 ]

Comment from mark.benvenuto@mongodb.com on a PR:

Supporting multiple query types means we need a storage format that supports multiple formats which we do not have support for now. We will have to decide if we should add support for multiple query types now as part of this project into the storage format.
