Mongo()


Description

Changed in version 4.2.

Mongo(host, ClientSideFieldLevelEncryptionOptions)

JavaScript constructor to instantiate a database connection from mongosh or from a JavaScript file.

The Mongo() method has the following parameters:

host (string)

Optional. The host, either in the form <host> or <host>:<port>.

If omitted, Mongo() instantiates a connection to the localhost interface on the default port 27017.

ClientSideFieldLevelEncryptionOptions (document)

Optional.

New in version 4.2.

Configuration parameters for enabling Client-Side Field Level Encryption.

ClientSideFieldLevelEncryptionOptions overrides the existing client-side field level encryption configuration of the database connection. If omitted, Mongo() inherits the client-side field level encryption configuration of the current database connection.

For documentation of usage and syntax, see ClientSideFieldLevelEncryptionOptions.

Tip
See also: ClientSideFieldLevelEncryptionOptions

ClientSideFieldLevelEncryptionOptions

New in version 4.2.

The ClientSideFieldLevelEncryptionOptions document specifies configuration options for Client-Side Field Level Encryption. If the database connection has an existing client-side field level encryption configuration, specifying ClientSideFieldLevelEncryptionOptions overrides that configuration.

For example, starting mongosh with client-side field level encryption command-line options enables client-side encryption for that connection. New database connections created using Mongo() inherit the encryption settings unless Mongo() includes ClientSideFieldLevelEncryptionOptions.

The ClientSideFieldLevelEncryptionOptions document has the following syntax:

{
  "keyVaultClient" : <object>,
  "keyVaultNamespace" : "<string>",
  "kmsProviders" : <object>,
  "schemaMap" : <object>,
  "bypassAutoEncryption" : <boolean>
}

The ClientSideFieldLevelEncryptionOptions document takes the following parameters:

keyVaultClient (Mongo() connection object)

(Optional) The MongoDB cluster hosting the key vault collection.

Specify a Mongo() connection object pointing to the cluster:

var keyVaultClient = Mongo(<MongoDB URI>);
var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultClient" : keyVaultClient,
  "keyVaultNamespace" : "<database>.<collection>",
  "kmsProviders" : { ... }
}

If keyVaultClient is omitted, the host specified to the Mongo() object containing the ClientSideFieldLevelEncryptionOptions document is used as the key vault host.

keyVaultNamespace (string)

(Required) The full namespace of the key vault collection, in the form <database>.<collection>.

kmsProviders (document)

(Required) The Key Management Service (KMS) used by client-side field level encryption for managing a Customer Master Key (CMK). Client-side field level encryption uses the CMK for encrypting and decrypting data encryption keys.

Client-side field level encryption supports the following KMS providers:

If possible, consider defining the credentials provided in kmsProviders as environment variables, and then passing them to mongosh using the --eval option. This minimizes the chances of credentials leaking into logs. Note that the expanded --eval string is still visible in the process argument list (for example to ps) for the lifetime of the shell, so this mitigates log exposure, not disclosure to other local users. See Create a Data Encryption Key for examples of this approach for each supported KMS.

Amazon Web Services KMS
Important

For AWS KMS support, use mongosh, or the MongoDB 4.2.2 or later legacy mongo shell. The 4.2.0 and 4.2.1 legacy mongo shell do not support the AWS KMS service due to an unexpected change in the KMS response object. See SERVER-44721 for more information.

Specify the aws document to kmsProviders with the following fields:

"kmsProviders" : {
   "aws" : {
     "accessKeyId" : "AWSAccessKeyId",
     "secretAccessKey" : "AWSSecretAccessKey"
   }
 }

The specified accessKeyId must correspond to an IAM user with all List and Read permissions for the KMS service. The operations client-side field level encryption actually performs against the CMK are kms:Encrypt (wrapping a new data encryption key) and kms:Decrypt (unwrapping it), so scope the policy to that CMK rather than granting broad KMS access.

Azure Key Vault

Specify the azure document to kmsProviders with the following fields:

"kmsProviders" : {
  "azure" : {
    "tenantId" : "AzureTenantId",
    "clientId" : "AzureClientId",
    "clientSecret" : "AzureClientSecret"
  }
}

New in version 5.0.

Google Cloud KMS

Specify the gcp document to kmsProviders with the following fields:

"kmsProviders" : {
  "gcp" : {
    "email" : "GCPEmail",
    "privateKey" : "GCPPrivateKey"
  }
}

New in version 5.0.

Locally Managed Key

Specify the local document to kmsProviders with the following field:

"kmsProviders" : {
  "local" : {
     "key" : BinData(0, "<96 byte base-64 encoded key>")
  }
}

The specified key must be a base64-encoded 96-byte string with no newline characters. 96 raw bytes encode to 128 base64 characters; GNU base64 wraps its output at 76 columns by default, which is why the examples on this page pipe it through tr -d '\n'.

schemaMap (document)

(Optional) The automatic client-side field level encryption rules specified using the JSON Schema Draft 4 standard syntax and encryption-specific keywords.

For complete documentation, see Automatic Encryption Rules.

bypassAutoEncryption (boolean)

(Optional) Specify true to bypass automatic client-side field level encryption rules and perform explicit (manual) per-field encryption.

Example

Connect to a MongoDB Cluster

The following operation creates a new connection object from within a mongosh session:

cluster = Mongo("mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster")

Issue operations against the cluster object to interact with the mymongo.example.net:27017 cluster:

myDB = cluster.getDB("myDB"); //returns the database object
myColl = myDB.getCollection("myColl"); // returns the collection object

Connect to a MongoDB Cluster with Client-Side Encryption Enabled

Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements and loads it into mongosh:

TEST_LOCAL_KEY=$(head -c 96 /dev/urandom | base64 | tr -d '\n')
mongosh --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"

The following operation creates a new connection object from within a mongosh session. The ClientSideFieldLevelEncryptionOptions option specifies the required options for enabling client-side field level encryption using a locally managed key:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  }
}
cluster = Mongo(
  "mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Issue operations against the cluster object to interact with the mymongo.example.net:27017 cluster and perform explicit encryption:

// returns the database object
myDB = cluster.getDB("myDB");
// returns the collection object
myColl = myDB.getCollection("myColl");
// returns object for managing data encryption keys
keyVault = cluster.getKeyVault();
// returns object for explicit encryption/decryption
clientEncryption = cluster.getClientEncryption();

See Client-Side Field Level Encryption Methods for a complete list of client-side field level encryption methods.

Connect to a MongoDB Cluster with Automatic Client-Side Encryption Enabled

Configuring client-side field level encryption for a locally managed key requires specifying a base64-encoded 96-byte string with no line breaks. The following operation generates a key that meets the stated requirements and loads it into mongosh:

TEST_LOCAL_KEY=$(head -c 96 /dev/urandom | base64 | tr -d '\n')
mongosh --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"

The following operation creates a new connection object from within a mongosh session. The ClientSideFieldLevelEncryptionOptions option specifies the required options for enabling automatic client-side encryption on the hr.employees collection, using the TEST_LOCAL_KEY loaded above:

var ClientSideFieldLevelEncryptionOptions = {
  "keyVaultNamespace" : "encryption.dataKeys",
  "kmsProviders" : {
    "local" : {
      "key" : BinData(0, TEST_LOCAL_KEY)
    }
  },
  "schemaMap" : {
    "hr.employees" : {
      "bsonType": "object",
      "properties" : {
        "taxid" : {
          "encrypt" : {
            "keyId" : [UUID("bffb361b-30d3-42c0-b7a4-d24a272b72e3")],
            "bsonType" : "string",
            "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
          }
        },
        "taxid-short": {
          "encrypt": {
            "keyId": [UUID("33408ee9-e499-43f9-89fe-5f8533870617")],
            "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
            "bsonType": "string"
          }
        }
      }
    }
  }
}
cluster = Mongo(
  "mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster",
  ClientSideFieldLevelEncryptionOptions
)

Issue operations against the cluster object to interact with the mymongo.example.net:27017 cluster and utilize automatic encryption. The schemaMap keys are full namespaces, so automatic encryption applies only to writes against hr.employees:

// returns the database object
myDB = cluster.getDB("hr");
// returns the collection object; "hr.employees" matches the schemaMap key above
myColl = myDB.getCollection("employees");
myColl.insertOne(
  {
    "name" : "J Doe",
    "taxid" : "123-45-6789",
    "taxid-short" : "6789"
  }
)

The specified automatic encryption rules encrypt the taxid and taxid-short fields using the specified data encryption keys and algorithms; name has no rule and is stored in plaintext. Only clients configured for the same KMS with access to the specified data encryption keys can decrypt the encrypted fields.

See Client-Side Field Level Encryption Methods for a complete list of client-side field level encryption methods.
