Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-30329

WiredTiger encryption at rest downgrade path from 3.6 -> 3.4

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 3.5.11
    • Affects Version/s: None
    • Component/s: Security, Storage
    • None
    • Fully Compatible
    • Storage 2017-07-31

      Encryption at rest uses a second WiredTiger database to store encryption keys to the standard MongoDB databases. Without modification, the wiredtiger_open call of this second database in 3.6 will upgrade WT's file compatibility to 3.0. A shutdown on FCV 3.4 would require changing the compatibility back to 2.9.

      One option is to never upgrade this inner wiredtiger instance to 3.0 and keep it on 2.9. The bug fixed in WT's journal is unlikely to happen on this keystore database.

      Alternatively, this keystore could run in "no journal" mode and require a checkpoint to make writes durable.

      Another edge case to consider is that key rotation does an early shutdown of the `mongod` process. This happens before the FCV value is read from the `admin.system.version` collection. This leaves storage engine cleanup in a state where it does not know what version the file compatibility should be set to. It may make sense for key rotation to always use file compatibility 2.9. Alternatively WiredTiger can expose a method for keeping the file compatibility the same instead of auto-upgrading.

            Assignee:
            daniel.gottlieb@mongodb.com Daniel Gottlieb (Inactive)
            Reporter:
            daniel.gottlieb@mongodb.com Daniel Gottlieb (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: