When you use Queryable Encryption, you define encrypted fields at the collection level using an encryption schema. Encrypting a field and enabling queries increases storage requirements and impacts query performance. You can configure an encrypted field for either equality or range queries, but not both. Configure fields for the expected query type.当您使用可查询加密时,您可以使用加密模式在集合级别定义加密字段。加密字段并启用查询会增加存储需求并影响查询性能。您可以为相等或范围查询配置加密字段,但不能同时配置。为预期的查询类型配置字段。
For instructions on creating an encryption schema and configuring querying, see Create an Encryption Schema.有关创建加密模式和配置查询的说明,请参阅创建加密模式。
Supported Query Types and Behavior支持的查询类型和行为
For a list of supported query operators and behavior with encrypted fields, see Supported Query Operators.有关支持的查询运算符和加密字段行为的列表,请参阅支持的查询运算符。
Schema Validation模式验证
Queryable Encryption requires a server-side encryption schema to enforce encryption of specific fields in a collection. Clients using automatic Queryable Encryption behave differently depending on the database connection configuration:可查询加密需要服务器端加密模式来强制加密集合中的特定字段。使用自动可查询加密的客户端的行为因数据库连接配置而异:
At minimum, local rules must encrypt the same fields as the remote schema on the server.至少,本地规则必须加密与服务器上的远程架构相同的字段。If the connection如果连接encryptedFieldsMapobject contains a key for the specified collection, the client uses that object to perform automatic Queryable Encryption, rather than using the remote schema.encryptedFieldsMap对象包含指定集合的键,则客户端将使用该对象执行自动可查询加密,而不是使用远程架构。If the connection如果连接encryptedFieldsMapobject doesn't contain a key for the specified collection, the client downloads the remote schema for the collection and uses it instead.encryptedFieldsMap对象不包含指定集合的键,则客户端会下载该集合的远程架构并使用它。Important
Remote Schema Behavior远程架构行为When using a remote schema:使用远程架构时:The client trusts that the server has a valid schema客户端相信服务器具有有效的架构The client uses the remote schema to perform automatic Queryable Encryption only. The client does not enforce any other validation rules specified in the schema.客户端使用远程模式仅执行自动可查询加密。客户端不强制执行架构中指定的任何其他验证规则。
Considerations when Enabling Querying启用查询时的注意事项
Decide which fields should be encrypted and/or queryable prior to creating your collection. Changing which fields are encrypted or queryable requires rebuilding the collection's encryption schema and re-creating the collection.在创建集合之前,确定哪些字段应该加密和/或可查询。更改哪些字段是加密的或可查询的,需要重建集合的加密模式并重新创建集合。
If you don't need to query an encrypted field, you may not need to enable querying on that field. You can still retrieve the document by querying other fields that are queryable or unencrypted.如果您不需要查询加密字段,则可能不需要在该字段上启用查询。您仍然可以通过查询其他可查询或未加密的字段来检索文档。
For every encrypted collection, MongoDB creates two metadata collections, increasing storage space. MongoDB creates an index for each encrypted field, which increases the duration of write operations on that field. When a write operation updates an indexed field, MongoDB updates the related index.对于每个加密集合,MongoDB都会创建两个元数据集合,从而增加存储空间。MongoDB为每个加密字段创建一个索引,这增加了对该字段的写入操作的持续时间。当写操作更新索引字段时,MongoDB会更新相关索引。
Configure Encrypted Fields for Optimal Search and Storage配置加密字段以实现最佳搜索和存储
MongoDB provides the following parameters to facilitate debugging and performance tuning:MongoDB提供以下参数以方便调试和性能调优:
min, maxQuery Type:查询类型:rangeType:类型:Must match the field's必须与字段的bsonType.bsonType匹配。Required if如果bsonTypeisdecimalordouble. Optional but highly recommended if it isint,long, ordate. Defaults to thebsonTypemin and max values.bsonType为decimal或double,则为必填项。可选,但强烈建议使用int、long或date。默认为bsonType最小值和最大值。Specify minimum and maximum (inclusive) queryable values for a field when possible, as smaller bounds improve query efficiency. If querying values outside of these bounds, MongoDB returns an error.尽可能为字段指定最小和最大(包括)可查询值,因为较小的边界可以提高查询效率。如果查询超出这些界限的值,MongoDB将返回错误。
Substring Parameters子环参数
Warning
Prefix, Suffix, and Substring Queries are in Public Preview前缀、后缀和子字符串查询处于公开预览状态
Queryable Encryption prefix, suffix, and substring queries are available in public preview in MongoDB 8.2. Do not enable these query types in production. Public preview functionality will be incompatible with the GA feature, and you will have to drop any collections that enable these queries.MongoDB 8.2的公共预览版中提供了可查询的加密前缀、后缀和子字符串查询。不要在生产环境中启用这些查询类型。公共预览功能将与GA功能不兼容,您必须删除启用这些查询的任何集合。
strMaxLengthQuery Type:查询类型:substringPreviewType:类型:Integer from 1-60, inclusive.1到60之间的整数,包括1和60。The maximum allowed length for a substring-indexed field. Attempting to insert a longer string returns an error.子字符串索引字段的最大允许长度。尝试插入较长的字符串会返回错误。Important
You can override the character limit by setting您可以通过设置fleDisableSubstringPreviewParameterLimits, but running substring queries against longer strings has a significant impact on performance.fleDisableSubstringPreviewParameterLimits来覆盖字符限制,但对较长字符串运行子字符串查询会对性能产生重大影响。
strMinQueryLengthQuery Type:查询类型:prefixPreview,suffixPreview,substringPreviewType:类型:Positive integer.正整数。Must be >= 1 for对于prefixPrevieworsuffixPreviewqueries.prefixPreview或suffixPreview查询,必须大于等于1。Must be >= 2 for对于substringPreviewqueries.substringPreview查询,必须大于等于2。
The minimum allowed prefix/suffix/substring length to query. Attempting to query a shorter string returns an error.允许查询的最小前缀/后缀/子字符串长度。尝试查询较短的字符串会返回错误。
strMaxQueryLengthQuery Type:查询类型:prefixPreview,suffixPreview,substringPreviewType:类型:Positive integer - Must be >=1 for正整数-对于prefixPrevieworsuffixPreviewqueries. - Must 2-10 inclusive forsubstringPreviewqueries.prefixPreview或suffixPreview查询,必须大于等于1。对于substratingPreview查询,必须处于2-10范围内。The maximum allowed prefix/suffix/substring length to query. Attempting to query a longer string returns an error.允许查询的最大前缀/后缀/子字符串长度。尝试查询较长的字符串会返回错误。Important
This setting strongly impacts query performance. Limit the maximum query length whenever possible.此设置强烈影响查询性能。尽可能限制最大查询长度。
caseSensitiveQuery Type:查询类型:prefixPreview,suffixPreview,substringPreviewType:类型:BooleanOptional.可选。Defaults totrue.Whether prefix/suffix/substring queries are case-sensitive. Set to前缀/后缀/子字符串查询是否区分大小写。设置为falsefor case-insensitive matching.false进行不区分大小写的匹配。
diacriticSensitiveQuery Type:查询类型:prefixPreview,suffixPreview,substringPreviewType:类型:BooleanOptional.可选。Defaults to默认为true.true。Whether prefix/suffix/substring queries must match diacritical marks. Set to前缀/后缀/子字符串查询是否必须与变音符号匹配。设置为falsefor diacritic-insensitive matching.false以进行不区分变音符号的匹配。
Advanced Query Parameters高级查询参数
Warning
These parameters are intended for advanced users only. The default values are suitable for the majority of use cases, and should only be modified if your use case requires it.这些参数仅供高级用户使用。默认值适用于大多数用例,只有在用例需要时才应进行修改。
sparsityQuery Type:查询类型:rangeType:类型:Integer from 1-4.1-4之间的整数。Optional.可选。Defaults to 2.默认为2。Affects how thoroughly MongoDB indexes range values. Low sparsity (dense indexing) improves query performance, but stores more documents in the encrypted metadata collections for each insert or update operation, causing greater storage overhead. High sparsity does the opposite.影响MongoDB索引范围值的彻底程度。低稀疏性(密集索引)提高了查询性能,但每次插入或更新操作都会在加密元数据集合中存储更多文档,从而导致更大的存储开销。高稀疏度则相反。
precisionQuery Type:查询类型:rangeType:类型:Integer.整数。Optional.可选。Allowed only if仅当bsonTypeisdoubleordecimal. If unset, MongoDB uses the same maximum precision as thebsonType, eitherdoubleordecimal.bsonType为double或decimal时才允许。如果未设置,MongoDB将使用与bsonType相同的最大精度,无论是double还是decimal。Limits how many digits after the decimal point are taken into account when querying a限制在查询doubleordecimalfield.double或decimal字段时考虑小数点后的位数。Additional digits are dropped, not rounded.其他数字会被删除,而不是四舍五入。For example, a例如,对于查询,precisionof 1 treats10.18as10.1for queries. The encrypted value is still stored as10.18.precision(精度)为1时将10.18视为10.1。加密值仍存储为10.18。Specify指定precisionand limit it when possible. Every digit increases storage overhead and has a high impact on searchable range and index generation.precision,并在可能的情况下限制精度。每个数字都会增加存储开销,并对可搜索范围和索引生成产生很大影响。
trimFactorQuery Type:查询类型:rangeType:类型:Integer.整数。Optional.可选。Defaults to 6.默认为6。ThetrimFactorcontrols the throughput of concurrent inserts and updates. A highertrimFactorincreases the throughput of concurrent insert and updates at the cost of slowing down some range read operations. A lowertrimFactordoes the opposite.trimFactor控制并发插入和更新的吞吐量。较高的trimFactor增加了并发插入和更新的吞吐量,但代价是减缓了一些范围读取操作。较低的trimFactor则相反。
contentionQuery Type:查询类型:equality,range,prefixPreview,suffixPreview,substringPreviewType:类型:Integer.整数。Optional.可选。Defaults to 8.默认为8。Concurrent write operations, such as inserting the same field/value pair into multiple documents in close succession, can cause contention: conflicts that delay operations.并发写操作,例如将相同的字段/值对连续插入多个文档中,可能会导致争用:延迟操作的冲突。With Queryable Encryption, MongoDB tracks the occurrences of each field/value pair in an encrypted collection using an internal counter.使用可查询加密,MongoDB使用内部计数器跟踪加密集合中每个字段/值对的出现情况。The contention factor partitions this counter, similar to an array. This minimizes issues with incrementing the counter when using争用因子对这个计数器进行分区,类似于数组。这最大限度地减少了在使用insert,update, orfindAndModifyto add or modify an encrypted field with the same field/value pair in close succession.contention = 0creates an array with one element at index 0.insert、update或findAndModify连续添加或修改具有相同字段/值对的加密字段时递增计数器的问题。competition=0创建了一个数组,其中一个元素位于索引0处。contention = 4creates an array with 5 elements at indexes 0-4. MongoDB increments a random array element during insert.在索引0-4处创建一个包含5个元素的数组。MongoDB在插入过程中递增随机数组元素。When unset,未设置时,contentiondefaults to8, which provides high performance for most workloads. Higher contention improves the performance of insert and update operations on low cardinality fields, but decreases find performance.contention(争用)默认为8,这为大多数工作负载提供了高性能。更高的争用率提高了低基数字段上插入和更新操作的性能,但降低了查找性能。You can optionally include您可以选择在可查询字段上包含contentionon queryable fields to change the value from its default of 8.contention(争用),以更改其默认值8。For more thorough information on contention factor and its cryptographic implications, see "Section 9: Guidelines" in MongoDB's Queryable Encryption Technical Paper.有关争用因素及其加密含义的更详细信息,请参阅MongoDB可查询加密技术论文中的“第9节:指南”。