-
Type: Improvement
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: Queryable Encryption
-
None
-
Server Security
-
Fully Compatible
-
Security 2023-05-15
-
69
Proposal
- Return an error if eccCollection is included in encryptedFields.
Background & Motivation
DRIVERS-2524 requires drivers no longer create eccCollection. libmongocrypt does not include eccCollection in encryptionInformation when using QEv2: https://github.com/mongodb/libmongocrypt/blob/1c3fd9c7593a4273e6a9d8385ca15c2b683aab08/src/mongocrypt-ctx-encrypt.c#L78-L87
QEv1 drivers will continue to send eccCollection.
QEv1 drivers will not receive an error when creating a QE collection. An error may not be received until sending an incompatible QEv1 payload. This may result in unusable QEv1 collections (including eccCollection) being created.
Returning an error if eccCollection is included may help a user discover they need to upgrade their driver. The error could suggest a driver upgrade is necessary to use QEv2. Example: "Driver support of Queryable Encryption is incompatible with server. Upgrade driver to use Queryable Encryption."
This may require updating the validateEncryptedFieldConfig: https://github.com/10gen/mongo/blob/f3ba48c674d343482a4e43d6ff1ab9e0da339c5f/src/mongo/crypto/encryption_fields_validation.cpp#L243-L248
- is related to
-
SERVER-74066 Remove checks that require the eccCollection namespace in EncryptionInformation
- Closed
- related to
-
DRIVERS-2524 Drivers should not create the ECC collection in v2 of queryable encryption
- Closed