Supported Operations for Queryable Encryption可查询加密支持的操作
On this page本页内容
Operations Using使用BinDataBinData的操作Supported Read and Write Commands支持的读写命令Supported Query Operators支持的查询运算符Supported Update Operators支持的更新运算符Replacement-style Updates替换样式更新Unsupported Insert Operations不支持的插入操作Unsupported Aggregation Stages不支持的聚合阶段Supported Aggregation Stages支持的聚合阶段$groupBehavior行为$lookupand和$graphLookupBehavior行为Supported Aggregation Expressions支持的聚合表达式Unsupported Field Types不支持的字段类型
This page documents the specific commands, query operators, update operators, aggregation stages, and aggregation expressions supported for Queryable Encryption compatible drivers.本页记录了可查询加密兼容驱动程序支持的特定命令、查询运算符、更新运算符、聚合阶段和聚合表达式。
Enterprise Feature企业功能
Automatic encryption is available in MongoDB Enterprise and MongoDB AtlasMongoDB Enterprise和MongoDB Atlas中提供了自动加密功能
Operations Using BinData使用BinData的操作
BinDataMongoDB stores Queryable Encryption encrypted fields as a MongoDB将可查询加密加密字段存储为BinData blob. Read and write operations issued against the encrypted BinData value may have unexpected or incorrect behavior as compared to issuing that same operation against the decrypted value. BinDatablob。与针对解密的值发出相同的操作相比,针对加密的BinData值发出的读取和写入操作可能具有意外或不正确的行为。Certain operations have strict BSON type support where issuing them against a 某些操作具有严格的BSON类型支持,根据BinData value returns an error. BinData值发出这些操作会返回错误。Official drivers compatible with Queryable Encryption parse read and write operations for operators or expressions that do not support 与可查询加密兼容的官方驱动程序解析不支持BinData values or that have abnormal behavior when issued against BinData values.BinData值或在针对BinData值发出时具有异常行为的运算符或表达式的读写操作。
Applications using explicit encryption may use this page as guidance for issuing read and write operations against encrypted fields.使用显式加密的应用程序可以使用此页面作为针对加密字段发布读写操作的指南。
Supported Read and Write Commands支持的读写命令
Queryable Encryption compatible drivers support automatic encryption with the following commands:兼容可查询加密的驱动程序支持使用以下命令进行自动加密:
For any supported command, the drivers return an error if the command uses an unsupported operator, aggregation stage, or aggregation expression. For a complete list of the supported operators, stages, and expressions, see the following sections:对于任何受支持的命令,如果该命令使用了不受支持的运算符、聚合阶段或聚合表达式,则驱动程序将返回错误。有关支持的运算符、阶段和表达式的完整列表,请参阅以下部分:
Supported Query Operators支持的查询运算符Supported Update Operators支持的更新运算符Supported Aggregation Stages支持的聚合阶段Supported Aggregation Expressions支持的聚合表达式
The following commands do not require automatic encryption. Official drivers configured for Automatic Encryption pass these commands directly to the 以下命令不需要自动加密。配置为自动加密的官方驱动程序将这些命令直接传递给mongod:mongod:
getMore[1]authenticatehellologoutabortTransactioncommitTransactionendSessionsstartSessioncreatecreateIndexesdropdropDatabasedropIndexeskillCursorslistCollectionslistDatabaseslistIndexesrenameCollectionping
Issuing any other command through a compatible driver configured for automatic encryption returns an error.通过配置为自动加密的兼容驱动程序发出任何其他命令都会返回错误。
| [1] |
|
For sharded cluster transactions that use Queryable Encryption, you must set readConcern to 对于使用可查询加密的分片集群事务,必须将snapshot.readConcern设置为snapshot。
Supported Query Operators支持的查询运算符
Drivers configured for automatic encryption support the following query operators when issued against an encrypted queryable field:配置为自动加密的驱动程序在针对加密的可查询字段发出时支持以下查询运算符:
Comparison Support比较支持
Comparison of one encrypted field to another encrypted field will fail.将一个加密字段与另一个加密的字段进行比较将失败。
{$expr: {$eq: ["$encrypted1", "$encrypted2"]}}
Comparison of an encrypted field to a plaintext value is supported.支持将加密字段与明文值进行比较。
{$expr: {$eq: ["$encrypted1", "plaintext_value"]}}
Queries that compare an encrypted field to 将加密字段与null or a regular expression always throw an error, even if using a supported query operator.null或正则表达式进行比较的查询始终是会抛出错误,即使使用了支持的查询运算符也是如此。
The $exists operator has normal behavior when issued against encrypted fields.$exists运算符在针对加密字段发出时具有正常行为。
Queries specifying any other query operator against an encrypted field return an error. The following query operators throw an error even if not issued against an encrypted field when using a MongoClient configured for Queryable Encryption:针对加密字段指定任何其他查询运算符的查询都会返回错误。当使用配置为可查询加密的MongoClient时,即使没有针对加密字段发出,以下查询运算符也会抛出错误:
Supported Update Operators支持的更新运算符
Drivers configured for automatic encryption support the following update operators when issued against encrypted fields:配置为自动加密的驱动程序在针对加密字段发布时支持以下更新运算符:
Updates specifying any other update operator against an encrypted field return an error.针对加密字段指定任何其他更新运算符的更新将返回错误。
Update operations with the following behavior throw an error even if using a supported operator:即使使用支持的运算符,具有以下行为的更新操作也会引发错误:
The update operation produces an array inside of an encrypted path.更新操作在加密路径内部生成一个数组。The update operation uses aggregation expression syntax.更新操作使用聚合表达式语法。
For update operations specifying a query filter on encrypted fields, the query filter must use only supported operators on those fields.对于在加密字段上指定查询筛选器的更新操作,查询筛选器必须仅在这些字段上使用支持的运算符。
Replacement-style Updates替换样式更新
Replacement-style updates are supported, however, if the replacement document contains a 支持替换样式的更新,但是,如果替换文档在顶级加密字段中包含Timestamp(0,0) inside a top-level encrypted field, Queryable Encryption will error. Timestamp(0,0),则可查询加密将出错。The (0,0) value indicates that the mongod should generate the Timestamp. (0,0)值表示mongod应该生成时间戳。mongod cannot generate encrypted fields.无法生成加密字段。
Unsupported Insert Operations不支持的插入操作
Compatible drivers configured for automatic encryption do not support insert commands with the following behavior:为自动加密配置的兼容驱动程序不支持具有以下行为的插入命令:
Inserting a document with插入Timestamp(0,0)associated to an encrypted field.Timestamp(0,0)与加密字段关联的文档。The(0,0)value indicates that themongodshould generate the Timestamp.(0,0)值表示mongod应该生成时间戳。Since the由于mongodcannot generate encrypted fields, the resulting timestamp would be unencrypted.mongod无法生成加密字段,因此生成的时间戳将是未加密的。Inserting a document without an encrypted如果配置的自动模式指定了加密_idif the configured automatic schema specifies an encrypted_idfield._id字段,则插入没有加密_id的文档。Since the由于mongodautogenerates an unencrypted ObjectId, omitting_idfrom documents results in documents that do not conform to the automatic encryption rules.mongod自动生成未加密的ObjectId,因此从文档中省略_id会导致文档不符合自动加密规则。
Unsupported Aggregation Stages不支持的聚合阶段
Automatic encryption will not support aggregation stages that read from or write to additional collections. These stages are:自动加密将不支持从其他集合读取或写入的聚合阶段。这些阶段是:
Supported Aggregation Stages支持的聚合阶段
Compatible drivers configured for automatic encryption support the following aggregation pipeline stages:为自动加密配置的兼容驱动程序支持以下聚合管道阶段:
$addFields$bucket$bucketAuto$collStats$count$geoNear$group(For usage requirements, see(有关使用要求,请参阅$groupBehavior)$group行为)$indexStats$limit$lookupand$graphLookup(For usage requirements, see(有关使用要求,请参阅$lookupand$graphLookupBehavior)$lookup和$graphLookup行为)$match$project$redact$replaceRoot$sample$skip$sort$sortByCount$unwind
Aggregation pipelines operating on collections configured for automatic encryption that specify any other stage return an error.在为指定任何其他阶段的自动加密配置的集合上操作的聚合管道返回错误。
For each supported pipeline stage, MongoDB tracks fields that must be encrypted as they pass through the supported pipelines and marks them for encryption.对于每个受支持的管道阶段,MongoDB都会跟踪在通过受支持管道时必须加密的字段,并将其标记为加密字段。
Each supported stage must specify only supported query operators and aggregation expressions.每个受支持的阶段必须仅指定受支持的查询运算符和聚合表达式。
$group Behavior行为
$group has the following behaviors specific to Queryable Encryption.具有以下特定于可查询加密的行为。
$group supports:支持:
Grouping on encrypted fields.对加密字段进行分组。Using在加密字段上使用$addToSetand$pushaccumulators on encrypted fields.$addToSet和$push累加器。
$group does not support:不支持:
Matching on the array returned by对$addToSetand$pushaccumulators.$addToSet和$push累加器返回的数组进行匹配。Arithmetic accumulators on encrypted fields.加密字段上的算术累加器。
$lookup and 和$graphLookup Behavior行为
Automatic encryption supports the 只有当$lookup and $graphLookup only if the from collection matches the collection the aggregation runs against. from集合与聚合所针对的集合匹配时,自动加密才支持$lookup和$graphLookup。$lookup and $graphLookup stages that reference a different from collection return an error.$lookup和$graphLookup阶段返回错误。
Automatic encryption does not support “connectionless” aggregation metadata sources, which read metadata that doesn't pertain to a particular collection, such as:自动加密不支持“无连接”聚合元数据源,后者读取不属于特定集合的元数据,例如:
$currentOpChange Streams for watching a database or the whole cluster用于监视数据库或整个集群的更改流$listSessions$listLocalSessions
Automatic Encryption does not support the 自动加密不支持$planCacheStats stage as the result may contain sensitive information.$planCacheStats阶段,因为结果可能包含敏感信息。
You cannot perform a 您不能在未加密的集合上从启用了可查询加密的$lookup from a Queryable Encryption-enabled MongoClient on unencrypted collections.MongoClient执行$lookup。
Supported Aggregation Expressions支持的聚合表达式
Compatible drivers configured for automatic encryption support the following expressions against any equality query type encrypted fields:为自动加密配置的兼容驱动程序支持针对任何相等查询类型加密字段的以下表达式:
All other aggregation expressions return an error if issued against encrypted fields.如果针对加密字段发出聚合表达式,则所有其他聚合表达式都会返回错误。
Aggregation stages with the following behavior return an error even if using a supported aggregation expression:具有以下行为的聚合阶段即使使用支持的聚合表达式也会返回错误:
$cond$switch |
$addFields : {
| |
$eq$ne |
{
| |
$eq$ne |
{ $eq : [ "$prefixOfEncryptedField" , "value"] }
| |
$eq$ne |
{
| |
$let | $$CURRENT.$$CURRENT。 |
{
|
$in |
|
{
|
Unsupported Field Types不支持的字段类型
Drivers configured for automatic encryption do not support any read or write operation that requires encrypting the following value types:为自动加密配置的驱动程序不支持任何需要加密以下值类型的读或写操作:
Queryable Encryption does not adequately hide the type information for these values.可查询加密无法充分隐藏这些值的类型信息。
Queryable Encryption does not support read or write operations on an encrypted field where the operation compares the encrypted field to the following value types:可查询加密不支持对加密字段执行读取或写入操作,该操作将加密字段与以下值类型进行比较:
arraydecimal128doubleobjectjavascriptWithScope(Deprecated in MongoDB 4.4在MongoDB 4.4中弃用)