[SERVER-68371] Enabling CSFLE in your MongoClient causes Atlas Search to fail
Created: 27/Jul/22 Updated: 29/Oct/23 Resolved: 27/Sep/22

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Field Level Encryption |
| Affects Version/s: | None |
| Fix Version/s: | 6.0.3, 6.1.0-rc4, 6.2.0-rc0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | James Kovacs | Assignee: | Jacob Evans |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v6.1, v6.0 |
| Steps To Reproduce: | 1. Create a MongoDB Atlas cluster. (M0 is fine.) |
| Sprint: | QO 2022-08-22, QO 2022-09-05, QO 2022-09-19, QO 2022-10-03 |
| Participants: | |
| Case: | (copied to CRM) |
| Linked BF Score: | 167 |
| Description |

When CSFLE is enabled, all commands are sent to the mongocryptd (or the shared library) for processing since drivers do not know which fields must be encrypted. mongocryptd/shared library is not aware of Atlas Search's $search aggregation pipeline stage and errs with:

Because all commands must be sent to mongocryptd/shared library for processing prior to dispatch to a MongoDB Atlas cluster node, Atlas Search ($search) stops working as soon as you enable CSFLE in your MongoClient.

| Comments |
| Comment by Githook User [ 03/Oct/22 ] |

Author: {'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'} Message:

| Comment by Githook User [ 03/Oct/22 ] |

Author: {'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'} Message:

| Comment by Githook User [ 03/Oct/22 ] |

Author: {'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'} Message:

| Comment by Githook User [ 03/Oct/22 ] |

Author: {'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'} Message:

| Comment by Githook User [ 26/Sep/22 ] |

Author: {'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'} Message:

| Comment by Githook User [ 26/Sep/22 ] |

Author: {'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'} Message:

| Comment by Githook User [ 22/Sep/22 ] |

Author: {'name': 'Uladzimir Makouski', 'email': 'uladzimir.makouski@mongodb.com', 'username': 'umakouski'} Message: Revert " This reverts commit 1399e9cb228f5360bf0950933616d548f19cc730.

| Comment by Githook User [ 21/Sep/22 ] |

Author: {'name': 'Jacob Evans', 'email': 'jacob.evans@10gen.com'} Message:

| Comment by James Kovacs [ 02/Aug/22 ] |

I ran the repro on my Intel-based MBP, though OS and CPU shouldn't make a difference. mongocryptd version is 6.0.0.

| Comment by James Kovacs [ 02/Aug/22 ] |

elizabeth.roytburd@mongodb.com: My investigation started with a Community Forums question. Based on that report, they were using MongoDB .NET/C# Driver 2.16 (which was latest at the time). I debugged through the issue on our main branch. It will present itself on 2.17.1 (latest) as well. If you have .NET 6 installed on any OS, you can create a new console app and add the latest .NET/C# Driver to it:
Then replace Program.cs with the above repro, being sure to replace <<YOUR_MONGODB_ATLAS_URI>> appropriately.

| Comment by Chris Kelly [ 29/Jul/22 ] |

Assigning to security team because they have ownership of file level encryption.

| Comment by James Kovacs [ 27/Jul/22 ] |

One possible workaround is to instantiate two MongoClient instances with the same connection string, but one configured for CSFLE and the other not. You must then run all Atlas Search queries using the MongoClient without CSFLE enabled.
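
The two-client workaround from the comment above, written out as a .NET 6 `Program.cs` for the .NET/C# Driver. This is an added example, not code from the ticket or from the driver project. The database, collection, search index, field and key vault names, and the throwaway local master key, are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.Encryption;

const string uri = "<<YOUR_MONGODB_ATLAS_URI>>";
const string dbName = "sample_db";      // hypothetical database name
const string collName = "articles";     // hypothetical collection name
const string searchIndex = "default";   // hypothetical Atlas Search index name

// Constructed throwaway key so the sample runs; load your real master key or use a cloud KMS.
byte[] localMasterKey = RandomNumberGenerator.GetBytes(96);
var kmsProviders = new Dictionary<string, IReadOnlyDictionary<string, object>>
{
    ["local"] = new Dictionary<string, object> { ["key"] = localMasterKey }
};

// Client 1: CSFLE enabled. Every command is first handed to mongocryptd / the shared library.
var csfleSettings = MongoClientSettings.FromConnectionString(uri);
csfleSettings.AutoEncryptionOptions = new AutoEncryptionOptions(
    keyVaultNamespace: CollectionNamespace.FromFullName("encryption.__keyVault"), // hypothetical
    kmsProviders: kmsProviders);
var csfleClient = new MongoClient(csfleSettings);

// Client 2: same connection string, no AutoEncryptionOptions, used only for Atlas Search.
var searchClient = new MongoClient(MongoClientSettings.FromConnectionString(uri));

// Ordinary reads and writes stay on the CSFLE client.
var encrypted = csfleClient.GetDatabase(dbName).GetCollection<BsonDocument>(collName);
Console.WriteLine($"documents: {encrypted.CountDocuments(FilterDefinition<BsonDocument>.Empty)}");

// The $search stage is issued through the non-CSFLE client only.
var searchStage = new BsonDocument("$search", new BsonDocument
{
    { "index", searchIndex },
    { "text", new BsonDocument { { "query", "encryption" }, { "path", "title" } } } // hypothetical field
});
var hits = searchClient.GetDatabase(dbName).GetCollection<BsonDocument>(collName)
    .Aggregate().AppendStage<BsonDocument>(searchStage).Limit(5).ToList();

foreach (var doc in hits)
{
    // This client does not decrypt: encrypted fields come back as BSON binary subtype 6.
    Console.WriteLine(doc.ToJson());
}
```

Because the second client has no `AutoEncryptionOptions`, it neither encrypts writes nor decrypts reads. Keep it restricted to `$search` and treat any encrypted fields in its results as ciphertext.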