Database Manual / Security / Encryption / In-Use Encryption / Queryable Encryption / Reference

Supported Operations for Queryable Encryption支持的可查询加密操作

Queryable Encryption equality and range queries are fully supported in production. Prefix, suffix, and substring queries are only available in public preview in MongoDB 8.2. Do not enable these query types in production. GA functionality of prefix, suffix and substring query types will be incompatible with the preview feature.可查询的加密相等性和范围查询在生产环境中得到了完全支持。前缀、后缀和子字符串查询仅在MongoDB 8.2的公共预览中可用。不要在生产环境中启用这些查询类型。前缀、后缀和子字符串查询类型的GA功能将与预览功能不兼容。

This page documents the specific data types, commands, query operators, update operators, aggregation stages, and aggregation expressions supported for Queryable Encryption compatible drivers. It outlines the behavior for operations using automatic encryption, and operations using explicit encryption.此页面记录了兼容可查询加密的驱动程序支持的特定数据类型、命令、查询运算符、更新运算符、聚合阶段和聚合表达式。它概述了使用自动加密的操作和使用显式加密的操作的行为。

Note

Enterprise Feature企业特性

~~Automatic encryption is available in MongoDB Enterprise and MongoDB Atlas~~MongoDB Enterprise和MongoDB Atlas提供自动加密功能

Operations Using `BinData`使用`BinData`的操作

~~MongoDB stores Queryable Encryption encrypted fields as a BinData blob.~~ MongoDB将可查询加密字段存储为BinData blob。~~Read and write operations issued against the encrypted BinData value may have unexpected or incorrect behavior as compared to issuing that same operation against the decrypted value.~~ 与对解密值发出相同的操作相比，对加密的BinData值发出的读写操作可能具有意外或不正确的行为。~~Certain operations have strict BSON type support where issuing them against a BinData value returns an error.~~某些操作具有严格的BSON类型支持，对BinData值发出这些操作会返回错误。

~~Official drivers compatible with Queryable Encryption parse read and write operations for operators or expressions that don't support BinData values.~~与Queryable Encryption兼容的官方驱动程序解析不支持BinData值的运算符或表达式的读写操作。

Supported and Unsupported BSON Types支持和不支持的BSON类型

~~Queryable Encryption supports equality queries against all BSON types except for the following:~~可查询加密支持对所有BSON类型的相等性查询，但以下类型除外：

double
decimal128
object
array

~~Queryable Encryption supports range queries against the following BSON types:~~可查询加密支持对以下BSON类型的范围查询：

int~~: 32-bit integer~~：32位整数
long~~: 64-bit integer~~：64位整数
double~~: Double (IEEE 754 Binary64)~~：双精度（IEEE 754 Binary64）
decimal~~: Decimal (IEEE 754 Decimal128)~~：十进制（IEEE 754十进制128）
date~~: UTC DateTime (Int64)~~：UTC日期时间（Int64）

CRUD

~~Queryable Encryption doesn't support multi-document update or delete operations.~~ 可查询加密不支持多文档更新或删除操作。db.collection.updateMany() and db.collection.bulkWrite() with more than one update or delete operation aren't supported.
Queryable Encryption limits db.collection.findAndModify() arguments.
- fields is not allowed
- new must be false
When performing an upsert operation, any encrypted fields in the filter are excluded from the insert.

Supported Read and Write Commands

Queryable Encryption compatible drivers support automatic encryption with the following commands:

For any supported command, the drivers return an error if the command uses an unsupported operator, aggregation stage, or aggregation expression. For a complete list of the supported operators, stages, and expressions, see the following sections:

Supported Query Operators
Supported Update Operators
Supported Aggregation Stages
Supported Aggregation Expressions

The following commands do not require automatic encryption. Official drivers configured for automatic encryption pass these commands directly to the mongod:

Issuing any other command through a compatible driver configured for automatic encryption returns an error.

[1]

While automatic encryption does not encrypt the getMore command, the response to the command may contain encrypted field values.

Applications configured with the correct Queryable Encryption options automatically decrypt those values.
Applications without the correct encryption options see the encrypted values.

Supported Query Operators支持的查询运算符

Drivers configured for automatic encryption support a limited set of query operators when issued against an encrypted queryable field.

Querying non-encrypted fields or encrypted fields with a supported query type returns encrypted data that is then decrypted at the client.

~~Queryable Encryption currently supports the following query types:~~可查询加密目前支持以下查询类型：

none
equality
range
prefix
suffix
substring

If the query type is unspecified, it defaults to none. If the query type is none, MongoDB encrypts the field, and clients can't query it.

Important

Comparison Support

~~Comparison of an encrypted field to a plaintext value is supported.~~支持将加密字段与明文值进行比较。

{$expr: {$eq: ["$encrypted1", "plaintext_value"]}}

Comparison of one encrypted field to another encrypted field will fail.

{$expr: {$eq: ["$encrypted1", "$encrypted2"]}}

Fields configured for queryType: "equality" support the following expressions:

Fields configured for queryType: "range" support the following expressions:

Queries specifying any other query operator against an encrypted field return an error.

Unsupported Queries

Queries that compare an encrypted field to null or a regular expression always throw an error, even if using a supported query operator.

When using a MongoClient configured for Queryable Encryption, the following query operators throw an error, even if issued against an unencrypted field:

Supported Update Operators

Drivers configured for automatic encryption support the following update operators when issued against encrypted fields:

Updates specifying any other update operator against an encrypted field return an error.

Update operations with the following behavior throw an error, even if using a supported operator:

The update operation produces an array inside of an encrypted path.
The update operation uses aggregation expression syntax.

For update operations specifying a query filter on encrypted fields, the query filter must use only supported operators on those fields.

Replacement-style Updates

Replacement-style updates are supported, however, if the replacement document contains a Timestamp(0,0) inside a top-level encrypted field, Queryable Encryption will error. The (0,0) value indicates that the mongod should generate the Timestamp. mongod cannot generate encrypted fields.

Unsupported Insert Operations

Compatible drivers configured for automatic encryption do not support insert commands with the following behavior:

Inserting a document with Timestamp(0,0) associated to an encrypted field. The (0,0) value indicates that the mongod should generate the Timestamp. Since the mongod cannot generate encrypted fields, the resulting timestamp would be unencrypted.

Unsupported Aggregation Stages

Automatic encryption will not support aggregation stages that read from or write to additional collections. These stages are:

Supported Aggregation Stages

Compatible drivers configured for automatic encryption support the following aggregation pipeline stages:

$addFields
$bucket
$bucketAuto
$collStats
$count
$geoNear
$graphLookup (For usage requirements, see $lookup and $graphLookup Behavior)
$group on unencrypted fields
$indexStats
$limit
$lookup (For usage requirements, see $lookup and $graphLookup Behavior)
$match
$project
$redact
$replaceRoot
$sample
$skip
$sort
$sortByCount
$unwind

Aggregation pipelines operating on collections configured for automatic encryption that specify any other stage return an error.

For each supported pipeline stage, MongoDB tracks fields that must be encrypted as they pass through the supported pipelines and marks them for encryption.

Each supported stage must specify only supported query operators and aggregation expressions.

`$lookup` and `$graphLookup` Behavior

Starting in MongoDB 8.1, you can reference multiple encrypted collections in a $lookup stage. However, $lookup does not support:

Using an encrypted field as the join field in the localField or foreignField.
Using any field in an encrypted array. An array is considered as encrypted if it contains any encrypted elements.
- For example, you can't use any field within the resulting as array of the $lookup operation.

Automatic encryption supports $graphLookup only if the from collection matches the collection the aggregation runs against. $graphLookup stages that reference a different from collection return an error.

Automatic encryption does not support "connectionless" aggregation metadata sources, which read metadata that doesn't pertain to a particular collection, such as:

$currentOp
Change Streams for watching a database or the whole cluster
$listSessions
$listLocalSessions

Automatic encryption does not support the $planCacheStats stage as the result may contain sensitive information.

Supported Aggregation Expressions支持的聚合表达式

~~Compatible drivers configured for automatic encryption support the following expressions against encrypted fields configured for equality queries:~~为自动加密配置的兼容驱动程序支持针对为相等查询配置的加密字段的以下表达式：

~~Compatible drivers configured for automatic encryption support the following expressions against encrypted fields configured for prefix, suffix, or substring queries:~~针对为prefix、suffix或substring查询配置的加密字段，配置为自动加密的兼容驱动程序支持以下表达式：

~~All other aggregation expressions return an error if issued against encrypted fields.~~如果针对加密字段发出所有其他聚合表达式，则返回错误。

~~Aggregation stages with the following behavior return an error, even if using a supported aggregation expression:~~即使使用支持的聚合表达式，具有以下行为的聚合阶段也会返回错误：

~~Expressions~~表达	~~Rejected Behavior~~拒绝行为	~~Example~~示例
`$cond` `$switch`	~~The expression specifies a field whose encryption properties cannot be known until runtime and a subsequent aggregation stage includes an expression referencing that field.~~该表达式指定了一个字段，在运行时之前无法知道其加密属性，后续聚合阶段包括引用该字段的表达式。	`$addFields : { "valueWithUnknownEncryption" : { $cond : { if : { "$encryptedField" : "value" }, then : "$encryptedField", else: "unencryptedValue" } } }, { $match : { "valueWithUnknownEncryption" : "someNewValue" } }`
`$eq` `$ne`	~~The expression creates a new field that references an encrypted field and operates on that new field in the same expression.~~该表达式创建了一个引用加密字段的新字段，并在同一表达式中对该新字段进行操作。	`{ $eq : [ {"newField" : "$encryptedField"}, {"newField" : "value" ] }`
`$eq` `$ne`	~~The expression references the prefix of an encrypted field within the comparison expression.~~该表达式引用比较表达式中加密字段的前缀。	`{ $eq : [ "$prefixOfEncryptedField" , "value"] }`
`$eq` `$ne`	~~The result of the expression is compared to an encrypted field.~~将表达式的结果与加密字段进行比较。	`{ $eq : [ "$encryptedField" , { $ne : [ "field", "value" ] } ] }`
`$let`	~~The expression binds a variable to an encrypted field or attempts to rebind `$$CURRENT`.~~该表达式将变量绑定到加密字段或尝试重新绑定`$$CURRENT`。	`{ $let: { "vars" : { "newVariable" : "$encryptedField" } } }`
`$in`	The first argument to the expression is an encrypted field, and表达式的第一个参数是一个加密字段，以及 ~~The second argument to the expression is not an array literal~~表达式的第二个参数不是数组文字 -OR- ~~The second argument to the expression is an encrypted field.~~表达式的第二个参数是加密字段。	`{ $in : [ "$encryptedField" , "$otherEncryptedField" ] }`

Unsupported Field Types不支持的字段类型

~~Drivers configured for automatic encryption do not support any read or write operation that requires encrypting the following value types:~~为自动加密配置的驱动程序不支持任何需要加密以下值类型的读取或写入操作：

MaxKey
MinKey
null
undefined

~~Queryable Encryption does not adequately hide the type information for these values.~~可查询加密不能充分隐藏这些值的类型信息。

~~Queryable Encryption does not support automatic encryption on fields within an array of documents.~~可查询加密不支持对文档数组中的字段进行自动加密。

~~Queryable Encryption does not support read or write operations on an encrypted field where the operation compares the encrypted field to the following value types:~~可查询加密不支持对加密字段进行读取或写入操作，该操作将加密字段与以下值类型进行比较：

array
decimal128
double
object

Back

~~Reference~~参考

~~MongoClient Options~~MongoClient选项