Uploaded image for project: 'MongoDB Shell'
  1. MongoDB Shell
  2. MONGOSH-591

Keyvault collection might be created on the wrong server

XMLWordPrintableJSON

    • Not Needed
    • Iteration Vegetable

      Problem Description

      • I would expect that I can use FLE by opening a shell initially connected to no db (--nodb option but that isn't possible
      • The keyvault deb/collection seems to be always attached to the original cluster mongosh is connected to

      Steps to Reproduce

      See this script: https://github.com/mmarcon/mongosh-examples/blob/main/fle-gcp.mongodb

      Expected Results

      I can use the script with --nodb and most importantly, I don't have to initially open mongosh connecting to the same cluster where I am eventually going to use FLE.

      Actual Results

      It's all broken and confusing: the keyvault collection is always created on the original connection and not on the one specifically created for that purpose.

      Additional Notes

      I am happy to pair on reproducing it as I have all the variables/credentials required for the script above to run properly but I have the feeling the same behavior can be reproduced also with a local key store.

      In fact, the same happens with the original, simpler script that anna.henningsen wrote:

      use('hr');
db.employees.drop();

// Factory function to work around https://jira.mongodb.org/browse/MONGOSH-547
const local = () => ({ key: BinData(0, 'kh4Gv2N8qopZQMQYMEtww/AkPsIrXNmEMxTrs3tUoTQZbZu4msdRUaR8U5fXD7A7QXYHcEvuu4WctJLoT+NvvV3eeIg3MD+K8H9SR794m/safgRHdIfy6PD+rFpvmFbY') });

const keyMongo = Mongo(db.getMongo()._uri, {
  keyVaultNamespace: 'encryption.__keyVault',
  kmsProvider: { local: local() }
});

const keyVault = keyMongo.getKeyVault();
let keyId= keyVault.createKey('local', '');

const schemaMap = {
  'hr.employees': {
    bsonType: 'object',
    properties: {
      taxid: {
        encrypt: {
          keyId: [keyId],
          bsonType: 'string',
          algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random'
        }
      }
    }
  }
};

const autoMongo = Mongo(db.getMongo()._uri, {
  keyVaultNamespace: 'encryption.__keyVault',
  kmsProvider: { local: local() },
  schemaMap
});

db = autoMongo.getDB('hr');
db.employees.insertOne({ taxid: 'abc' });

      If we run that script with --nodb, it will complain with MongoshInvalidInputError: [SHAPI-10004] No connected database.

            Assignee:
            anna.henningsen@mongodb.com Anna Henningsen
            Reporter:
            massimiliano.marcon@mongodb.com Massimiliano Marcon
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: