Limitations局限性

~~Queryable Encryption with equality queries is generally available (GA) in MongoDB 7.0 and later.~~ 具有相等查询的可查询加密在MongoDB 7.0及更高版本中通常可用（GA）。~~The Queryable Encryption Public Preview, released in version 6.0, is no longer supported. Data encrypted using the Public Preview is incompatible with the feature release.~~ 不再支持6.0版本中发布的“可查询加密预览”。使用公共预览加密的数据与功能版本不兼容。~~For more information, see Compatibility Changes in MongoDB 7.0.~~有关更多信息，请参阅MongoDB 7.0中的兼容性更改。

Overview概述

~~Consider these limitations and restrictions before enabling Queryable Encryption. Some operations are unsupported, and others behave differently.~~在启用可查询加密之前，请考虑这些限制和限制。有些操作不受支持，而另一些操作则表现不同。

Atlas Search

~~Queryable Encryption is incompatible with MongoDB Atlas Search.~~可查询加密与MongoDB Atlas Search不兼容。

MongoDB Support LimitationsMongoDB支持限制

~~Enabling Queryable Encryption on a collection redacts fields from some diagnostic commands and omits some operations from the query log.~~ 对集合启用可查询加密会编辑某些诊断命令中的字段，并省略查询日志中的一些操作。This limits the data available to MongoDB support engineers, especially when analyzing query performance. To measure the impact of operations against encrypted collections, use a third party application performance monitoring tool to collect metrics.这限制了MongoDB支持工程师可用的数据，尤其是在分析查询性能时。要衡量针对加密集合的操作的影响，请使用第三方应用程序性能监控工具来集合度量。

~~For details, see the Redaction section.~~有关详细信息，请参阅Redaction部分。

Contention Factor竞争因素

~~Contention factor is a setting that helps tune performance based on the number of concurrent connections.~~争用系数是一种设置，它有助于根据并发连接的数量来调整性能。

You can set the contention factor only when specifying a field for encryption. Once you specify a field for encryption, the contention factor is immutable. If you don't specify the contention factor, it uses the default value of 4.只有在指定要加密的字段时，才能设置争用系数。一旦指定了要加密的字段，争用因子就不可变了。如果您没有指定争用因子，它将使用默认值4。

Manual Compaction手动压实

~~Manually run index compaction when your metadata collections exceed 1 GB. Compaction decreases the size of the metadata collections associated with encrypted fields, and improves performance.~~当元数据集合超过1 GB时，手动运行索引压缩。压缩减少了与加密字段相关联的元数据集合的大小，并提高了性能。

encryptedFieldsMap Modification`encryptedFieldsMap`修改

~~Do not modify the encryptedFieldsMap passed to your MongoClient. Doing so can result in unexpected and incorrect behavior when querying.~~不要修改传递给MongoClient的encryptedFieldsMap。这样做可能会导致查询时出现意外和不正确的行为。

Read and Write Operation Support读写操作支持

The mongod only stores encrypted BinData and applies any aggregation expression or query operator specifying an encrypted field against the BinData value. While the expression or operator may support BinData fields, the resulting value may be incorrect or unexpected when compared to issuing that same expression or operator against the decrypted value. mongod只存储加密的BinData，并根据BinData值应用任何聚合表达式或指定加密字段的查询运算符。虽然表达式或运算符可能支持BinData字段，但与针对解密值发布相同的表达式或运算符相比，结果值可能不正确或出乎意料。~~The mongod throws an error if the expression or operator does not support BinData values.~~如果表达式或运算符不支持BinData值，mongod将抛出错误。

Redaction修改

To improve security, Queryable Encryption redacts fields from some diagnostic commands on encrypted collections, and omits certain operations from the query log. An encrypted collection is any collection with the encryptedFields option.为了提高安全性，可查询加密对加密集合上的一些诊断命令中的字段进行了编辑，并省略了查询日志中的某些操作。加密集合是指具有encryptedFields选项的任何集合。

Query Log and Database Profiler Redaction查询日志和数据库档案器修改

~~The CRUD operations below are omitted from the slow operations query log and the Database Profiler system.profile collection when you run them on an encrypted collection.~~在加密集合上运行以下CRUD操作时，它们将从慢速操作查询日志和数据库档案器system.profile集合中省略。

aggregate
count
delete
find
findAndModify
insert
update
db.collection.bulkWrite()
~~The~~ compactStructuredEncryptionData ~~command~~命令
~~The~~ cleanupStructuredEncryptionData ~~command~~命令

Command and Aggregation Stage Output Redaction命令和聚合阶段输出修改

~~The collStats command and $collStats aggregation stage:~~collStats命令和$collStats聚合阶段：

~~Omit~~ 省略"queryExecStats"
~~Omit~~ 省略"latencyStats"
~~Redact "WiredTiger", if present, to include only the url field.~~Redact"WiredTiger"（如果存在），仅包括url字段。

~~The currentOp command and $currentOp aggregation stage:~~currentOp命令和$currentOp聚合阶段：

~~Omit all fields after "command".~~省略"command"后面的所有字段。
~~Redact "command" to include only the first element, $comment, and $db.~~修改"command"以仅包括第一个元素$comment和$db。

~~The top command only returns the collection name of encrypted collections.~~top命令只返回加密集合的集合名称。

~~The $planCacheStats aggregation stage omits operations against encrypted collections, even though the operations are cached as normal.~~$planCacheStats聚合阶段省略了针对加密集合的操作，即使这些操作是正常缓存的。

Topology Support拓扑支持

~~Replica sets and sharded clusters are supported~~支持副本集和分片集群
~~Standalone deployments are not supported~~不支持独立部署
~~Secondary reads are not supported~~不支持辅助读取

Sharding分片

~~Metadata collections must not be sharded~~元数据集合不得进行分片
~~Shard keys must not be encrypted fields~~分片键不能是加密字段
~~For sharded cluster transactions that use Queryable Encryption, you must set readConcern to snapshot.~~对于使用可查询加密的分片集群事务，必须将readConcern设置为snapshot。

CRUD

~~Queryable Encryption does not support batch operations. The following operations are not supported:~~可查询加密不支持批处理操作。不支持以下操作：
- db.collection.updateMany()
- db.collection.deleteMany()
~~Queryable Encryption limits db.collection.findAndModify() arguments.~~可查询加密限制db.collection.findAndModify()参数。
- ~~fields is not allowed~~fields是不允许的
- new ~~must be false~~必须为false
~~When performing an upsert operation, any encrypted fields in the filter are excluded from the insert.~~执行追加启动操作时，筛选器中的任何加密字段都将从插入中排除。

Collections集合

~~You cannot use Client-Side Field Level Encryption with Queryable Encryption on the same collection.~~不能在同一集合上使用客户端字段级加密和可查询加密。
- ~~Queryable Encryption does not support migration from collections encrypted with Client-Side Field Level Encryption. You must decrypt your documents and insert them one-by-one.~~可查询加密不支持从使用客户端字段级加密加密的集合迁移。您必须解密您的文档，然后将它们逐一插入。
- ~~Queryable Encryption does not support automatic migration from an unencrypted collection. You must insert the documents one-by-one.~~可查询加密不支持从未加密的集合自动迁移。您必须一个接一个地插入文档。
~~Queryable Encryption supports new collections only. You cannot add or remove Queryable Encryption to existing collections.~~可查询加密仅支持新集合。无法向现有集合添加或删除可查询加密。
~~You cannot rename a collection with encrypted fields.~~不能重命名具有加密字段的集合。
~~You cannot specify jsonSchema to db.createCollection() when creating a Queryable Encryption collection if the jsonSchema contains the encrypt keyword.~~如果jsonSchema包含encrypt键，则在创建可查询加密集合时，不能将jsonSchema指定为db.createCollection()。
- ~~You can specify both encryptedFields and jsonSchema to db.createCollection() as long as your jsonSchema does not contain validation for encrypted fields.~~只要jsonSchema不包含加密字段的验证，就可以将encryptedFields和jsonSchema都指定给db.createCollection()。
~~Queryable Encryption does not support Views, Time Series Collections, or capped collection.~~可查询加密不支持视图、时间序列集合或封顶集合。
~~Queryable Encryption does not support TTL Indexes or Unique Indexes.~~可查询加密不支持TTL索引或唯一索引。
~~You cannot disable jsonSchema validation.~~不能禁用jsonSchema验证。
~~When a collection uses the encryptedFields option:~~当集合使用encryptedFields选项时：
- ~~You cannot set validationLevel to none.~~不能将validationLevel设置为none。
- ~~You cannot set validationAction to warn.~~不能将validationAction设置为warn。

Drop Collection删除集合

Dropping collections from a MongoClient that is not configured for Queryable Encryption doesn't drop the associated metadata collections. mongod logs a warning if you drop a collection with encrypted fields before dropping the metadata collections.从未配置为可查询加密的MongoClient中删除集合不会删除关联的元数据集合。如果在删除元数据集合之前删除包含加密字段的集合，mongod会记录一条警告。

Tip

~~When dropping a collection with a MongoClient configured for Queryable Encryption, QE compatible drivers drop the associated metadata collections as well.~~当使用配置为可查询加密的MongoClient删除集合时，QE兼容的驱动程序也会删除关联的元数据集合。

Create Collection创建集合

~~Always explicitly create any collections that use Queryable Encryption. Implicit collection creation doesn't create the necessary indexes and metadata collections, resulting in poor query performance.~~始终显式创建任何使用可查询加密的集合。隐式集合创建不会创建必要的索引和元数据集合，导致查询性能较差。

Query Types查询类型

The query type you specify for a field when creating the collection in encryptedFieldsMap is immutable. You cannot add new query types to an existing field, and you cannot change the existing query type.在encryptedFieldsMap中创建集合时为字段指定的查询类型是不可变的。不能向现有字段添加新的查询类型，也不能更改现有的查询类型。

Encrypted Field Names加密字段名

~~Encrypted field names are immutable. For example, if you specify ssn as a field to encrypt, you cannot $rename the field name to taxPayerID.~~加密字段名是不可变的。例如，如果将ssn指定为要加密的字段，则不能将字段名称重命名为taxPayerID。

Views视图

~~Applications cannot rely on the automatic encryption validation to prevent unsupported queries against views on collections with encrypted fields.~~应用程序不能依靠自动加密验证来防止对具有加密字段的集合的视图进行不受支持的查询。

Queries against views on collections containing values encrypted with Queryable Encryption may return unexpected or incorrect results if either the underlying view aggregation pipeline or the query references encrypted fields. 如果基础视图聚合管道或查询引用了加密字段，则对包含使用可查询加密加密的值的集合上的视图的查询可能会返回意外或不正确的结果。~~If creating a view on a collection containing values encrypted with Queryable Encryption, avoid operating on encrypted fields to mitigate the risk of unexpected or incorrect results.~~如果在包含使用可查询加密加密的值的集合上创建视图，请避免对加密字段进行操作，以降低意外或错误结果的风险。

~~For more information on views, see views.~~有关视图的详细信息，请参阅视图。

Collation排序规则

Queryable Encryption ignores user-specified collations or collection default collations. Encryption obscures the field value and prevents normal collation behavior. Collation-sensitive queries against encrypted fields may return unexpected or incorrect results.可查询加密忽略用户指定的排序规则或集合默认排序规则。加密会模糊字段值并阻止正常的排序规则行为。针对加密字段的对排序规则敏感的查询可能会返回意外或不正确的结果。

~~For more information on collations, see Collation Document.~~有关排序规则的详细信息，请参阅排序规则文档。

Queryable Encryption-compatible drivers have a list of supported operations for automatic encryption. For unsupported read and write operations, the underlying support library cannot introspect the collection catalog to identify the default collation. 可查询加密兼容的驱动程序有一个支持自动加密的操作列表。对于不受支持的读写操作，底层支持库无法内省集合目录以标识默认排序规则。~~Applications therefore cannot rely on the Queryable Encryption validation to prevent querying on encrypted fields with collation defaults.~~因此，应用程序不能依赖可查询加密验证来阻止对具有排序规则默认值的加密字段进行查询。

Unique Indexes唯一索引

~~Unique indexes can't guarantee uniqueness if the index key specifies any encrypted fields.~~如果索引键指定任何加密字段，则唯一索引不能保证唯一性。

~~Queryable Encryption always outputs a different encrypted value, even for the same input.~~ 可查询加密始终输出不同的加密值，即使对于相同的输入也是如此。The server considers each encrypted value unique, even though the decrypted value may not be. This means that even if a collection uses an index-enforced unique constraint on fields, the collection can still contain multiple documents with duplicate plaintext values for that field.服务器认为每个加密的值都是唯一的，即使解密的值可能不是。这意味着，即使集合对字段使用索引强制的唯一约束，该集合仍然可以包含多个具有该字段重复明文值的文档。

~~Queryable Encryption compatible drivers configured for automatic encryption support some operations for automatic encryption.~~ 为自动加密配置的可查询加密兼容驱动程序支持一些自动加密操作。For unsupported read and write operations, the underlying library can't introspect the index catalog to identify a given field as unique. Applications can't rely on automatic encryption validation to prevent unique constraint violations on randomly-encrypted fields.对于不受支持的读写操作，底层库无法内省索引目录以将给定字段标识为唯一字段。应用程序不能依靠自动加密验证来防止对随机加密字段的唯一约束冲突。

The _id Field`_id`字段

~~You cannot configure Queryable Encryption to encrypt the _id field because it relies on the value auto-generated by MongoDB.~~您不能将可查询加密配置为加密_id字段，因为它依赖于MongoDB自动生成的值。

Read/Write Query Support读/写查询支持

Automatic encryption supports a subset of commands, query operators, update operators, aggregation stages, and aggregation expressions. For the list of supported operations, see Supported Operations for Automatic Encryption.自动加密支持命令、查询运算符、更新运算符、聚合阶段和聚合表达式的子集。有关支持的操作列表，请参阅支持的自动加密操作。

← Queryable Encryption Compatibility Supported Operations for Queryable Encryption →