/
Mongo.txt
378 lines (269 loc) · 11.1 KB
/
Mongo.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
=======
Mongo()
=======
.. default-domain:: mongodb
.. contents:: On this page
:local:
:backlinks: none
:depth: 1
:class: singlecol
Description
-----------
.. versionchanged:: 4.2
.. method:: Mongo(host, ClientSideFieldLevelEncryptionOptions)
JavaScript constructor to instantiate a database connection from the
:binary:`~bin.mongo` shell or from a JavaScript file.
The :method:`Mongo()` method has the following parameters:
.. list-table::
:header-rows: 1
:widths: 20 20 80
* - Parameter
- Type
- Description
* - ``host``
- string
- Optional. The host, either in the form of ``<host>`` or
``<host><:port>``.
If omitted, :method:`Mongo` instantiates a connection to the
localhost interface on the default port ``27017``.
* - ``ClientSideFieldLevelEncryptionOptions``
- Document
- *Optional*
.. versionadded:: 4.2
Configuration parameters for enabling
:doc:`/core/security-client-side-encryption`.
``ClientSideFieldLevelEncryptionOptions`` overrides the
existing client-side field level encryption configuration of
the database connection. If omitted, :method:`Mongo()`
inherits the client-side field level encryption configuration
of the current database connection.
For documentation of usage and syntax, see
:ref:`ClientSideFieldLevelEncryptionOptions`.
.. seealso:: :method:`Mongo.getDB()` and :method:`db.getMongo()`.
.. _ClientSideFieldLevelEncryptionOptions:
``ClientSideFieldLevelEncryptionOptions``
-----------------------------------------
.. versionadded:: 4.2
The ``ClientSideFieldLevelEncryptionOptions`` document specifies
configuration options for :doc:`/core/security-client-side-encryption`.
If the database connection has an existing client-side field level
encryption configuration, specifying
``ClientSideFieldLevelEncryptionOptions`` overrides that configuration.
For example, starting the :binary:`~bin.mongo` shell
with client-side field level encryption :ref:`command-line options
<mongo-client-side-field-level-encryption-options>` enables
client-side encryption for that connection. New database connections
created using :method:`Mongo()` inherit the encryption settings *unless*
:method:`Mongo()` includes ``ClientSideFieldLevelEncryptionOptions``.
The ``ClientSideFieldLevelEncryptionOptions`` document has the following
syntax:
.. code-block:: none
{
"keyVaultClient" : <object>,
"keyVaultNamespace" : "<string>",
"kmsProviders" : <object>,
"schemaMap" : <object>,
"bypassAutoEncryption" : <boolean>
}
The ``ClientSideFieldLevelEncryptionOptions`` document takes the
following parameters:
.. list-table::
:header-rows: 1
:widths: 20 10 80
* - Parameter
- Type
- Description
* - ``keyVaultClient``
- :method:`Mongo()` connection object.
- *(Optional)* The MongoDB cluster hosting the key vault
collection.
Specify a :method:`Mongo()` connection object pointing to the
cluster:
.. code-block:: javascript
var keyVaultClient = Mongo(<MongoDB URI>);
var ClientSideFieldLevelEncryptionOptions = {
"keyVaultClient" : keyVaultClient,
"keyVaultNamespace" : "<database>.<collection>",
"kmsProviders" : { ... }
}
If ``keyVaultClient`` is omitted, the ``host`` specified to the
:method:`Mongo()` object containing the
``ClientSideFieldLevelEncryptionOptions`` document is used as the
key vault host.
* - ``keyVaultNamespace``
- string
- *(Required)* The full :term:`namespace` of the key vault
collection.
* - ``kmsProviders``
- document
- *(Required)* The Key Management Service (KMS) used by
client-side field level encryption for managing a Customer Master
Key (CMK). Client-side field level encryption uses the CMK for
encrypting and decrypting data encryption keys.
Client-side field level encryption either the Amazon Web Services
KMS *or* a Locally Managed Key:
Amazon Web Services KMS
.. include:: /includes/extracts/csfle-aws-kms-4.2.0-4.2.1-broken.rst
Specify the ``aws`` document to ``kmsProvider`` with the
following fields:
.. code-block:: json
"kmsProviders" : {
"aws" : {
"accessKeyId" : "AWSAccessKeyId",
"secretAccessKey" : "AWSSecretAccessKey"
}
}
The specified ``accessKeyId`` must correspond to an IAM user
with all ``List`` and ``Read`` permissions for the KMS service.
Locally Managed Key
Specify the ``local`` document to ``kmsProvider`` with the
following field:
.. code-block:: json
"kmsProviders" : {
"local" : {
"key" : BinData(0, "<96 byte base-64 encoded key>")
}
}
The specified ``key`` *must* be a base64-encoded
96-byte string with no newline characters.
* - ``schemaMap``
- document
- *(Optional)* The automatic client-side field level encryption
rules specified using the JSON schema Draft 4 standard syntax and
encryption-specific keywords.
For complete documentation, see
:doc:`/reference/security-client-side-automatic-json-schema`.
* - ``bypassAutoEncryption``
- boolean
- *(Optional)* Specify ``true`` to bypass automatic client-side field
level encryption rules and perform explicit (manual) per-field
encryption.
Example
-------
Connect to a MongoDB Cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following operation creates a new connection object from the
:binary:`~bin.mongo` shell:
.. code-block:: javascript
cluster = Mongo("mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster")
Issue operations against the ``cluster`` object to interact with the
``mymongo.example.net:27017`` cluster:
.. code-block:: javascript
myDB = cluster.getDB("myDB"); //returns the database object
myColl = myDB.getCollection("myColl"); // returns the collection object
.. _mongo-connection-client-side-encryption-enabled:
Connect to a MongoDB Cluster with Client-Side Encryption Enabled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Configuring client-side field level encryption for a :ref:`locally
managed key <field-level-encryption-local-kms>` requires specifying a
base64-encoded 96-byte string with no line breaks. The following
operation generates a key that meets the stated requirements and loads
it into the :binary:`~bin.mongo` shell:
.. code-block:: shell
:emphasize-lines: 1
TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
mongo --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"
The following operation creates a new connection object from the
:binary:`~bin.mongo` shell. The
:ref:`ClientSideFieldLevelEncryptionOptions` option specifies
the required options for enabling client-side field level encryption
using a locally managed key:
.. code-block:: javascript
:emphasize-lines: 4-6, 10-13
var ClientSideFieldLevelEncryptionOptions = {
"keyVaultNamespace" : "encryption.dataKeys",
"kmsProviders" : {
"local" : {
"key" : BinData(0, TEST_LOCAL_KEY)
}
}
}
cluster = Mongo(
"mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster",
ClientSideFieldLevelEncryptionOptions
)
Issue operations against the ``cluster`` object to interact with the
``mymongo.example.net:27017`` cluster and perform explicit encryption:
.. code-block:: javascript
// returns the database object
myDB = cluster.getDB("myDB");
// returns the collection object
myColl = myDB.getCollection("myColl");
// returns object for managing data encryption keys
keyVault = cluster.getKeyVault();
// returns object for explicit encryption/decryption
clientEncryption = cluster.getClientEncryption();
See :doc:`/reference/method/js-client-side-field-level-encryption` for
a complete list of client-side field level encryption methods.
.. _mongo-connection-automatic-client-side-encryption-enabled:
Connect to a MongoDB Cluster with Automatic Client-Side Encryption Enabled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Configuring client-side field level encryption for a :ref:`locally
managed key <field-level-encryption-local-kms>` requires specifying a
base64-encoded 96-byte string with no line breaks. The following
operation generates a key that meets the stated requirements and loads
it into the :binary:`~bin.mongo` shell:
.. code-block:: shell
:emphasize-lines: 1
TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')")
mongo --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"
The following operation creates a new connection object from the
:binary:`~bin.mongo` shell. The
:ref:`ClientSideFieldLevelEncryptionOptions` option specifies
the required options for enabling :ref:`automatic client-side encryption
<field-level-encryption-automatic>` on the ``hr.employees`` collection:
.. code-block:: javascript
:emphasize-lines: 4-6, 8-21, 24-27
var ClientSideFieldLevelEncryptionOptions = {
"keyVaultNamespace" : "encryption.dataKeys",
"kmsProviders" : {
"local" : {
"key" : BinData(0,"BASE64-ENCODED-96-BYTE-LOCAL-KEY")
}
},
schemaMap : {
"hr.employees" : {
"bsonType": "object",
"properties" : {
"taxid" : {
"encrypt" : {
"keyId" : [UUID("bffb361b-30d3-42c0-b7a4-d24a272b72e3")],
"bsonType" : "string",
"algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
}
},
"taxid-short": {
"encrypt": {
"keyId": [UUID("33408ee9-e499-43f9-89fe-5f8533870617")],
"algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
"bsonType": "string"
}
}
}
}
}
}
cluster = Mongo(
"mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster",
ClientSideFieldLevelEncryptionOptions
)
Issue operations against the ``cluster`` object to interact with the
``mymongo.example.net:27017`` cluster and utilize automatic encryption:
.. code-block:: javascript
// returns the database object
myDB = cluster.getDB("myDB");
// returns the collection object
myColl = myDB.getCollection("myColl");
myColl.insertOne(
{
"name" : "J Doe",
"taxid" : "123-45-6789",
"taxid-short" : "6789"
}
)
The specified automatic encryption rules encrypt the ``taxid`` and
``taxid-short`` fields using the specified data encryption key and
algorithm. Only clients configured for the correct KMS *and* access to
the specified data encryption key can decrypt the field.
See :doc:`/reference/method/js-client-side-field-level-encryption` for
a complete list of client-side field level encryption methods.