From dd2f36e2c39851ac57f8484271d8cd4cdc96fe37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Tamarelle?= Date: Wed, 2 Jul 2025 10:25:44 +0200 Subject: [PATCH] Extract MongoDB autoEncryption options into a distinct table for readability --- .../mongodb/driver/manager/construct.xml | 272 +++++++++--------- 1 file changed, 135 insertions(+), 137 deletions(-) diff --git a/reference/mongodb/mongodb/driver/manager/construct.xml b/reference/mongodb/mongodb/driver/manager/construct.xml index a6104a2250ca..7a7a4095115c 100644 --- a/reference/mongodb/mongodb/driver/manager/construct.xml +++ b/reference/mongodb/mongodb/driver/manager/construct.xml @@ -636,7 +636,7 @@ mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][ Provides options to enable automatic client-side field level - encryption. + encryption. The list of options is described in the table below. @@ -659,142 +659,6 @@ mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][ bypassAutoEncryption is &true;. - - The following options are supported: - - - Options for automatic encryption - - - - Option - Type - Description - - - - &mongodb.option.encryption.keyVaultClient; - &mongodb.option.encryption.keyVaultNamespace; - &mongodb.option.encryption.kmsProviders; - &mongodb.option.encryption.tlsOptions; - - schemaMap - arrayobject - - - Map of collection namespaces to a local JSON schema. This is - used to configure automatic encryption. See - Automatic Encryption Rules - in the MongoDB manual for more information. It is an error to - specify a collection in both schemaMap and - encryptedFieldsMap. - - - - Supplying a schemaMap provides more - security than relying on JSON schemas obtained from the - server. It protects against a malicious server advertising a - false JSON schema, which could trick the client into sending - unencrypted data that should be encrypted. - - - - - Schemas supplied in the schemaMap only - apply to configuring automatic encryption for client side - encryption. Other validation rules in the JSON schema will - not be enforced by the driver and will result in an error. - - - - - - bypassAutoEncryption - bool - - If &true;, mongocryptd will not be spawned - automatically. This is used to disable automatic encryption. - Defaults to &false;. - - - - bypassQueryAnalysis - bool - - - If &true;, automatic analysis of outgoing commands will be - disabled and mongocryptd will not be - spawned automatically. This enables the use case of explicit - encryption for querying indexed fields without requiring the - enterprise licensed crypt_shared library or - mongocryptd process. Defaults to &false;. - - - - - encryptedFieldsMap - arrayobject - - - Map of collection namespaces to an - encryptedFields document. This is used to - configure queryable encryption. See - Field Encryption and Queryability - in the MongoDB manual for more information. It is an error to - specify a collection in both - encryptedFieldsMap and - schemaMap. - - - - Supplying an encryptedFieldsMap provides - more security than relying on an - encryptedFields obtained from the server. - It protects against a malicious server advertising a false - encryptedFields. - - - - - - extraOptions - array - - - The extraOptions relate to the - mongocryptd process. The following options - are supported: - - - mongocryptdURI (string): URI to connect to an existing mongocryptd process. Defaults to "mongodb://localhost:27020". - mongocryptdBypassSpawn (bool): If &true;, prevent the driver from spawning mongocryptd. Defaults to &false;. - mongocryptdSpawnPath (string): Absolute path to search for mongocryptd binary. Defaults to empty string and consults system paths. - mongocryptdSpawnArgs (array): Array of string arguments to pass to mongocryptd when spawning. Defaults to ["--idleShutdownTimeoutSecs=60"]. - cryptSharedLibPath (string): Absolute path to crypt_shared shared library. Defaults to empty string and consults system paths. - cryptSharedLibRequired (bool): If &true;, require the driver to load crypt_shared. Defaults to &false;. - - - See the Client-Side Encryption Specification for more information. - - - - - -
- - - - - Automatic encryption is an enterprise only feature that only - applies to operations on a collection. Automatic encryption is not - supported for operations on a database or view, and operations that - are not bypassed will result in error. To bypass automatic - encryption for all operations, set bypassAutoEncryption=true - in autoEncryption. For more information on - allowed operations, see the - Client-Side Encryption Specification. - - @@ -865,6 +729,140 @@ mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][ + + Options supported by automatic encryption: + + autoEncryption + + + + Option + Type + Description + + + + &mongodb.option.encryption.keyVaultClient; + &mongodb.option.encryption.keyVaultNamespace; + &mongodb.option.encryption.kmsProviders; + &mongodb.option.encryption.tlsOptions; + + schemaMap + arrayobject + + + Map of collection namespaces to a local JSON schema. This is + used to configure automatic encryption. See + Automatic Encryption Rules + in the MongoDB manual for more information. It is an error to + specify a collection in both schemaMap and + encryptedFieldsMap. + + + + Supplying a schemaMap provides more + security than relying on JSON schemas obtained from the + server. It protects against a malicious server advertising a + false JSON schema, which could trick the client into sending + unencrypted data that should be encrypted. + + + + + Schemas supplied in the schemaMap only + apply to configuring automatic encryption for client side + encryption. Other validation rules in the JSON schema will + not be enforced by the driver and will result in an error. + + + + + + bypassAutoEncryption + bool + + If &true;, mongocryptd will not be spawned + automatically. This is used to disable automatic encryption. + Defaults to &false;. + + + + bypassQueryAnalysis + bool + + + If &true;, automatic analysis of outgoing commands will be + disabled and mongocryptd will not be + spawned automatically. This enables the use case of explicit + encryption for querying indexed fields without requiring the + enterprise licensed crypt_shared library or + mongocryptd process. Defaults to &false;. + + + + + encryptedFieldsMap + arrayobject + + + Map of collection namespaces to an + encryptedFields document. This is used to + configure queryable encryption. See + Field Encryption and Queryability + in the MongoDB manual for more information. It is an error to + specify a collection in both + encryptedFieldsMap and + schemaMap. + + + + Supplying an encryptedFieldsMap provides + more security than relying on an + encryptedFields obtained from the server. + It protects against a malicious server advertising a false + encryptedFields. + + + + + + extraOptions + array + + + The extraOptions relate to the + mongocryptd process. The following options + are supported: + + + mongocryptdURI (string): URI to connect to an existing mongocryptd process. Defaults to "mongodb://localhost:27020". + mongocryptdBypassSpawn (bool): If &true;, prevent the driver from spawning mongocryptd. Defaults to &false;. + mongocryptdSpawnPath (string): Absolute path to search for mongocryptd binary. Defaults to empty string and consults system paths. + mongocryptdSpawnArgs (array): Array of string arguments to pass to mongocryptd when spawning. Defaults to ["--idleShutdownTimeoutSecs=60"]. + cryptSharedLibPath (string): Absolute path to crypt_shared shared library. Defaults to empty string and consults system paths. + cryptSharedLibRequired (bool): If &true;, require the driver to load crypt_shared. Defaults to &false;. + + + See the Client-Side Encryption Specification for more information. + + + + + +
+ + + Automatic encryption is an enterprise only feature that only + applies to operations on a collection. Automatic encryption is not + supported for operations on a database or view, and operations that + are not bypassed will result in error. To bypass automatic + encryption for all operations, set bypassAutoEncryption=true + in autoEncryption. For more information on + allowed operations, see the + Client-Side Encryption Specification. + + +