Mongo()
On this page
Description
Mongo(host, ClientSideFieldLevelEncryptionOptions, api)
JavaScript constructor to instantiate a database connection from
mongosh
or from a JavaScript file.The
Mongo()
method has the following parameters:ParameterTypeDescriptionhost
stringOptional. The host, either in the form of
<host>
or<host><:port>
.If omitted,
Mongo()
instantiates a connection to the localhost interface on the default port27017
.ClientSideFieldLevelEncryptionOptions
documentOptional. Configuration parameters for enabling Client-Side Field Level Encryption.
ClientSideFieldLevelEncryptionOptions
overrides the existing client-side field level encryption configuration of the database connection. If omitted,Mongo()
inherits the client-side field level encryption configuration of the current database connection.See
ClientSideFieldLevelEncryptionOptions
for usage and syntax details.api
documentOptional. Configuration options for enabling the Stable API.
See
api
for usage and syntax details.
ClientSideFieldLevelEncryptionOptions
The ClientSideFieldLevelEncryptionOptions
document specifies
configuration options for Client-Side Field Level Encryption.
If the database connection has an existing client-side field level
encryption configuration, specifying
ClientSideFieldLevelEncryptionOptions
overrides that configuration.
For example, starting mongosh
with client-side field level encryption command-line options enables
client-side encryption for that connection. New database connections
created using Mongo()
inherit the encryption settings unless
Mongo()
includes ClientSideFieldLevelEncryptionOptions
.
The ClientSideFieldLevelEncryptionOptions
document has the following
syntax:
{ "keyVaultClient" : <object>, "keyVaultNamespace" : "<string>", "kmsProviders" : <object>, "schemaMap" : <object>, "bypassAutoEncryption" : <boolean> }
The ClientSideFieldLevelEncryptionOptions
document takes the
following parameters:
Parameter | Type | Description | ||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
keyVaultClient | Mongo() connection object. | (Optional) The MongoDB cluster hosting the key vault collection. Specify a
If | ||||||||||||||||||||||||
keyVaultNamespace | string | (Required) The full namespace of the key vault
collection. | ||||||||||||||||||||||||
kmsProviders | document | (Required) The Key Management Service (KMS) used by client-side field level encryption for managing a Customer Master Key (CMK). Client-side field level encryption uses the CMK for encrypting and decrypting data encryption keys. Client-side field level encryption supports the following KMS providers: If possible, consider defining the credentials provided in
| ||||||||||||||||||||||||
schemaMap | document | (Optional) The automatic client-side field level encryption rules specified using the JSON schema Draft 4 standard syntax and encryption-specific keywords. For complete documentation, see Automatic Encryption Rules. | ||||||||||||||||||||||||
bypassAutoEncryption | boolean | (Optional) Specify true to bypass automatic client-side field
level encryption rules and perform explicit (manual) per-field
encryption. |
api
The api
parameter specifies configuration options for the
Stable API. You can enable or disable optional
behavior using the following options:
Option | Type | Description |
---|---|---|
version | string | Specifies the API Version. "1" is
currently the only supported version. |
strict | boolean |
If you specify If not specified, defaults to |
deprecationErrors | boolean | If If not specified, defaults to |
The api
parameter has the following syntax:
{ api: { version: <string>, strict: <boolean>, deprecationErrors: <boolean> } }
Examples
Connect to a MongoDB Cluster
The following operation creates a new connection object from within a
mongosh
session:
cluster = Mongo("mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster")
Issue operations against the cluster
object to interact with the
mymongo.example.net:27017
cluster:
myDB = cluster.getDB("myDB"); //returns the database object myColl = myDB.getCollection("myColl"); // returns the collection object
Connect to a Cluster with Client-Side Encryption Enabled
Configuring client-side field level encryption for a locally
managed key requires specifying a
base64-encoded 96-byte string with no line breaks. The following
operation generates a key that meets the stated requirements and loads
it into mongosh
:
TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')") mongosh --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"
The following operation creates a new connection object from within a
mongosh
session. The
ClientSideFieldLevelEncryptionOptions
option specifies
the required options for enabling client-side field level encryption
using a locally managed key:
var ClientSideFieldLevelEncryptionOptions = { "keyVaultNamespace" : "encryption.dataKeys", "kmsProviders" : { "local" : { "key" : BinData(0, TEST_LOCAL_KEY) } } } cluster = Mongo( "mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster", ClientSideFieldLevelEncryptionOptions )
Issue operations against the cluster
object to interact with the
mymongo.example.net:27017
cluster and perform explicit encryption:
// returns the database object myDB = cluster.getDB("myDB"); // returns the collection object myColl = myDB.getCollection("myColl"); // returns object for managing data encryption keys keyVault = cluster.getKeyVault(); // returns object for explicit encryption/decryption clientEncryption = cluster.getClientEncryption();
See Client-Side Field Level Encryption Methods for a complete list of client-side field level encryption methods.
Connect to a Cluster with Automatic Client-Side Encryption Enabled
Configuring client-side field level encryption for a locally
managed key requires specifying a
base64-encoded 96-byte string with no line breaks. The following
operation generates a key that meets the stated requirements and loads
it into mongosh
:
TEST_LOCAL_KEY=$(echo "$(head -c 96 /dev/urandom | base64 | tr -d '\n')") mongosh --nodb --shell --eval "var TEST_LOCAL_KEY='$TEST_LOCAL_KEY'"
The following operation creates a new connection object from within a
mongosh
session. The
ClientSideFieldLevelEncryptionOptions
option specifies
the required options for enabling automatic client-side encryption on the hr.employees
collection:
var ClientSideFieldLevelEncryptionOptions = { "keyVaultNamespace" : "encryption.dataKeys", "kmsProviders" : { "local" : { "key" : BinData(0,"BASE64-ENCODED-96-BYTE-LOCAL-KEY") } }, schemaMap : { "hr.employees" : { "bsonType": "object", "properties" : { "taxid" : { "encrypt" : { "keyId" : [UUID("bffb361b-30d3-42c0-b7a4-d24a272b72e3")], "bsonType" : "string", "algorithm" : "AEAD_AES_256_CBC_HMAC_SHA_512-Random" } }, "taxid-short": { "encrypt": { "keyId": [UUID("33408ee9-e499-43f9-89fe-5f8533870617")], "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic", "bsonType": "string" } } } } } } cluster = Mongo( "mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster", ClientSideFieldLevelEncryptionOptions )
Issue operations against the cluster
object to interact with the
mymongo.example.net:27017
cluster and utilize automatic encryption:
// returns the database object myDB = cluster.getDB("myDB"); // returns the collection object myColl = myDB.getCollection("myColl"); myColl.insertOne( { "name" : "J Doe", "taxid" : "123-45-6789", "taxid-short" : "6789" } )
The specified automatic encryption rules encrypt the taxid
and
taxid-short
fields using the specified data encryption key and
algorithm. Only clients configured for the correct KMS and access to
the specified data encryption key can decrypt the field.
See Client-Side Field Level Encryption Methods for a complete list of client-side field level encryption methods.
Connect to a Cluster with the Stable API Enabled
The following operation creates a new connection object from within a
mongosh
session. The api
option
enables Stable API V1 and specifies that you cannot
run deprecated command or commands outside of the Stable API.
cluster = Mongo( "mongodb://mymongo.example.net:27017/?replicaSet=myMongoCluster", null, { api: { version: "1", strict: true, deprecationErrors: true } } )
To interact with the mymongo.example.net:27017
cluster, issue
operations against the cluster
object. For a full list of Stable API
commands, see Stable API Commands.