Type: Spec Change
Resolution: Unresolved
Priority: Unknown
Component/s: Client Side Encryption
Summary
The key management specification currently leaves session support in the Key Management API optional for drivers (see https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#support-sessions-in-key-management-functions). Session support should be added to the key management functions so that users can provide explicit sessions to their key management operations.
An additional consideration would be to provide a mechanism for users to create explicit sessions from the ClientEncryption interface, to ensure that any explicit sessions used with the key management API are created by the correct client (the key vault client).
Motivation
Who is the affected end user?
Any user of CSFLE.
How does this affect the end user?
Currently, users do not have a mechanism to provide a session to the key management API. As a result, the key vault can only be accessed by a single client at a time.
This prohibits use of operations within a transaction. MONGOCRYPT-659 is a request to support within a transaction.
How likely is it that this problem or use case will occur?
Sessions currently are not supported on the ClientEncryption object, so unlikely.
If the problem does occur, what are the consequences and how severe are they?
If a user did attempt to access the key vault with multiple clients (without support for sessions and transactions), it is conceivable that they could end up with the key vault in an invalid state.
Is this issue urgent?
No.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
No.
is depended on by
- GODRIVER-3166 Creating and using a data encryption key in a transaction fails (Backlog)
related to
- DRIVERS-1937 Support explicit sessions in CSFLE auto encryption internal commands (Backlog)