Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-75683

Return error if encryptedFields contains eccCollection

    • Type: Icon: Improvement Improvement
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 7.1.0-rc0
    • Affects Version/s: None
    • Component/s: Queryable Encryption
    • None
    • Server Security
    • Fully Compatible
    • Security 2023-05-15
    • 69

      Proposal

      • Return an error if eccCollection is included in encryptedFields.

      Background & Motivation

      DRIVERS-2524 requires drivers no longer create eccCollection. libmongocrypt does not include eccCollection in encryptionInformation when using QEv2: https://github.com/mongodb/libmongocrypt/blob/1c3fd9c7593a4273e6a9d8385ca15c2b683aab08/src/mongocrypt-ctx-encrypt.c#L78-L87

      QEv1 drivers will continue to send eccCollection.

      QEv1 drivers will not receive an error when creating a QE collection. An error may not be received until sending an incompatible QEv1 payload. This may result in unusable QEv1 collections (including eccCollection) being created.

      Returning an error if eccCollection is included may help a user discover they need to upgrade their driver. The error could suggest a driver upgrade is necessary to use QEv2. Example: "Driver support of Queryable Encryption is incompatible with server. Upgrade driver to use Queryable Encryption."

      This may require updating the validateEncryptedFieldConfig: https://github.com/10gen/mongo/blob/f3ba48c674d343482a4e43d6ff1ab9e0da339c5f/src/mongo/crypto/encryption_fields_validation.cpp#L243-L248

            Assignee:
            shreyas.kalyan@mongodb.com Shreyas Kalyan
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: