From 180baae184f16c26070b4a84d98d86ef164bdfc5 Mon Sep 17 00:00:00 2001 From: Mark Benvenuto Date: Sat, 9 Apr 2022 11:08:41 -0400 Subject: SERVER-59261 Enable Feature flag for PM-2466 --- src/mongo/crypto/encryption_fields.idl | 3 ++- src/mongo/crypto/fle_crypto.cpp | 1 + src/mongo/db/catalog/collection_options_validation.cpp | 4 ---- src/mongo/db/commands/create_indexes.cpp | 4 +++- src/mongo/db/commands/fle2_compact_cmd.cpp | 5 ++++- .../set_feature_compatibility_version_command.cpp | 16 ++++++++++++++++ src/mongo/db/fle_crud.cpp | 12 +++++++----- src/mongo/db/fle_crud.h | 11 +++++++++-- src/mongo/db/fle_crud_mongod.cpp | 16 ++++++++++++++++ src/mongo/db/s/shard_key_util.cpp | 3 ++- ...ardsvr_compact_structured_encryption_data_command.cpp | 5 +++-- src/mongo/shell/servers_misc.js | 2 -- 12 files changed, 63 insertions(+), 19 deletions(-) (limited to 'src') diff --git a/src/mongo/crypto/encryption_fields.idl b/src/mongo/crypto/encryption_fields.idl index 0f298d7de76..1a1090ab59d 100644 --- a/src/mongo/crypto/encryption_fields.idl +++ b/src/mongo/crypto/encryption_fields.idl @@ -42,7 +42,8 @@ feature_flags: featureFlagFLE2: description: "Enable FLE2 support" cpp_varname: gFeatureFlagFLE2 - default: false + default: true + version: 6.0 structs: diff --git a/src/mongo/crypto/fle_crypto.cpp b/src/mongo/crypto/fle_crypto.cpp index 8523fc9b2cb..b9e50672e4e 100644 --- a/src/mongo/crypto/fle_crypto.cpp +++ b/src/mongo/crypto/fle_crypto.cpp @@ -969,6 +969,7 @@ void parseAndVerifyInsertUpdatePayload(std::vector* pField void collectEDCServerInfo(std::vector* pFields, ConstDataRange cdr, + StringData fieldPath) { // TODO - validate field is actually indexed in the schema? diff --git a/src/mongo/db/catalog/collection_options_validation.cpp b/src/mongo/db/catalog/collection_options_validation.cpp index 1d64bce454a..e6d2a2682e4 100644 --- a/src/mongo/db/catalog/collection_options_validation.cpp +++ b/src/mongo/db/catalog/collection_options_validation.cpp 
@@ -58,10 +58,6 @@ Status validateStorageEngineOptions(const BSONObj& storageEngine) { EncryptedFieldConfig processAndValidateEncryptedFields(EncryptedFieldConfig config) { - if (!gFeatureFlagFLE2.isEnabledAndIgnoreFCV()) { - uasserted(6338408, "Feature flag FLE2 is not enabled"); - } - stdx::unordered_set keys(config.getFields().size()); std::vector fieldPaths; fieldPaths.reserve(config.getFields().size()); diff --git a/src/mongo/db/commands/create_indexes.cpp b/src/mongo/db/commands/create_indexes.cpp index df1fd7a3342..c85c7cf6743 100644 --- a/src/mongo/db/commands/create_indexes.cpp +++ b/src/mongo/db/commands/create_indexes.cpp @@ -199,7 +199,9 @@ void validateTTLOptions(OperationContext* opCtx, void checkEncryptedFieldIndexRestrictions(OperationContext* opCtx, const NamespaceString& ns, const CreateIndexesCommand& cmd) { - if (!gFeatureFlagFLE2.isEnabledAndIgnoreFCV()) { + // TODO (SERVER-65077): Remove FCV check once 6.0 is released + if (serverGlobalParams.featureCompatibility.isVersionInitialized() && + !gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)) { return; } diff --git a/src/mongo/db/commands/fle2_compact_cmd.cpp b/src/mongo/db/commands/fle2_compact_cmd.cpp index 0cd2dabf61b..d96e9b28dac 100644 --- a/src/mongo/db/commands/fle2_compact_cmd.cpp +++ b/src/mongo/db/commands/fle2_compact_cmd.cpp @@ -72,7 +72,10 @@ CompactStats compactEncryptedCompactionCollection(OperationContext* opCtx, str::stream() << "Collection '" << edcNss << "' does not exist"); } - uassert(6319903, "Feature flag FLE2 is not enabled", gFeatureFlagFLE2.isEnabledAndIgnoreFCV()); + // TODO (SERVER-65077): Remove FCV check once 6.0 is released + uassert(6319903, + "FLE 2 is only supported when FCV supports 6.0", + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)); uassert(6346807, "Target namespace is not an encrypted collection", 
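Review bot: The new guard in checkEncryptedFieldIndexRestrictions returns early only when FCV is initialized and FLE2 is off, so with an uninitialized FCV the function goes on to enforce the encrypted-field index restrictions. The TODO above it does not say whether that is intended. A comment such as `// FCV not initialized yet: fall through and enforce the restrictions instead of skipping them` would record the fail-closed choice for whoever removes the FCV check under SERVER-65077. The function body continues outside the hunk.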
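Review bot: This `uassert` in compactEncryptedCompactionCollection calls `gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)` without the `isVersionInitialized()` test that the create_indexes.cpp hunk and shouldDoFLERewrite in fle_crud.h put in front of the same call. The same unguarded form appears in processFLEBatch and processFLEFindAndModify (fle_crud.cpp), the four fle_crud_mongod.cpp asserts, validateShardKeyIsNotEncrypted (shard_key_util.cpp) and typedRun in shardsvr_compact_structured_encryption_data_command.cpp. If `isEnabled()` requires an initialized FCV, as those guards suggest, these paths should either carry the same guard or a comment stating why FCV is always initialized when they run. In validateShardKeyIsNotEncrypted the unguarded result also decides whether the encrypted-shard-key validation is skipped. The function body starts and ends outside the hunk.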
diff --git a/src/mongo/db/commands/set_feature_compatibility_version_command.cpp b/src/mongo/db/commands/set_feature_compatibility_version_command.cpp index 2a540ffa88b..55b2a097a2e 100644 --- a/src/mongo/db/commands/set_feature_compatibility_version_command.cpp +++ b/src/mongo/db/commands/set_feature_compatibility_version_command.cpp @@ -820,6 +820,22 @@ private: deletionStatus.isOK() || deletionStatus.code() == ErrorCodes::NamespaceNotFound); } + + // Block downgrade for collections with encrypted fields + // TODO SERVER-65077: Remove once FCV 6.0 becomes last-lts. + for (const auto& tenantDbName : DatabaseHolder::get(opCtx)->getNames()) { + const auto& dbName = tenantDbName.dbName(); + Lock::DBLock dbLock(opCtx, dbName, MODE_IX); + catalog::forEachCollectionFromDb( + opCtx, tenantDbName, MODE_X, [&](const CollectionPtr& collection) { + uassert( + ErrorCodes::CannotDowngrade, + str::stream() << "Cannot downgrade the cluster as collection " + << collection->ns() << " has 'encryptedFields'", + !collection->getCollectionOptions().encryptedFieldConfig.has_value()); + return true; + }); + } } { diff --git a/src/mongo/db/fle_crud.cpp b/src/mongo/db/fle_crud.cpp index b52e0d3ba0b..626def45735 100644 --- a/src/mongo/db/fle_crud.cpp +++ b/src/mongo/db/fle_crud.cpp @@ -803,9 +803,10 @@ FLEBatchResult processFLEBatch(OperationContext* opCtx, BatchedCommandResponse* response, boost::optional targetEpoch) { - if (!gFeatureFlagFLE2.isEnabledAndIgnoreFCV()) { - uasserted(6371209, "Feature flag FLE2 is not enabled"); - } + // TODO (SERVER-65077): Remove FCV check once 6.0 is released + uassert(6371209, + "FLE 2 is only supported when FCV supports 6.0", + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)); if (request.getBatchType() == BatchedCommandRequest::BatchType_Insert) { auto insertRequest = request.getInsertRequest(); 
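Review bot: The downgrade scan rejects existing collections with `encryptedFields`, but nothing visible in this commit stops such a collection from being created while FCV is already below 6.0 or after the scan has passed its database. The collection_options_validation.cpp hunk deletes the flag check in processAndValidateEncryptedFields and adds no FCV-aware replacement. Unless creation is gated elsewhere (not visible here), consider a check there in the same form as the other sites: `uassert(<new error code>, "FLE 2 is only supported when FCV supports 6.0", gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility));`. The enclosing function starts and ends outside the hunk.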
@@ -1058,8 +1059,9 @@ FLEBatchResult processFLEFindAndModify(OperationContext* opCtx, return FLEBatchResult::kNotProcessed; } - if (!gFeatureFlagFLE2.isEnabledAndIgnoreFCV()) { - uasserted(6371405, "Feature flag FLE2 is not enabled"); + // TODO (SERVER-65077): Remove FCV check once 6.0 is released + if (!gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)) { + uasserted(6371405, "FLE 2 is only supported when FCV supports 6.0"); } // FLE2 Mongos CRUD operations loopback through MongoS with EncryptionInformation as diff --git a/src/mongo/db/fle_crud.h b/src/mongo/db/fle_crud.h index d1499ccb669..2bd2c0f8086 100644 --- a/src/mongo/db/fle_crud.h +++ b/src/mongo/db/fle_crud.h @@ -42,6 +42,7 @@ #include "mongo/db/ops/write_ops_gen.h" #include "mongo/db/pipeline/pipeline.h" #include "mongo/db/query/count_command_gen.h" +#include "mongo/db/server_options.h" #include "mongo/db/transaction_api.h" #include "mongo/s/write_ops/batch_write_exec.h" #include "mongo/s/write_ops/batched_command_response.h" @@ -213,12 +214,18 @@ std::unique_ptr processFLEPipelineD( */ template bool shouldDoFLERewrite(const std::unique_ptr& cmd) { - return gFeatureFlagFLE2.isEnabledAndIgnoreFCV() && cmd->getEncryptionInformation(); + // TODO (SERVER-65077): Remove FCV check once 6.0 is released + return (!serverGlobalParams.featureCompatibility.isVersionInitialized() || + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)) && + cmd->getEncryptionInformation(); } template bool shouldDoFLERewrite(const T& cmd) { - return gFeatureFlagFLE2.isEnabledAndIgnoreFCV() && cmd.getEncryptionInformation(); + // TODO (SERVER-65077): Remove FCV check once 6.0 is released + return (!serverGlobalParams.featureCompatibility.isVersionInitialized() || + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)) && + cmd.getEncryptionInformation(); } /** diff --git a/src/mongo/db/fle_crud_mongod.cpp b/src/mongo/db/fle_crud_mongod.cpp index 9253954457e..01b0628b7e8 100644 
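Review bot: Both shouldDoFLERewrite overloads in fle_crud.h treat an uninitialized FCV as "FLE2 enabled" and repeat the same three-line predicate, with no comment on why the uninitialized case passes. processFLEBatch and processFLEFindAndModify in fle_crud.cpp then call `isEnabled()` with no such guard, so a reader cannot tell which behaviour is intended. A comment such as `// FCV not initialized yet: do not consult it, treat FLE2 as enabled` on the predicate would settle that, and a single shared helper used by both overloads would keep the two copies from drifting.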
--- a/src/mongo/db/fle_crud_mongod.cpp +++ b/src/mongo/db/fle_crud_mongod.cpp @@ -175,6 +175,10 @@ FLEBatchResult processFLEInsert(OperationContext* opCtx, repl::ReplicationCoordinator::get(opCtx->getServiceContext())->getReplicationMode() == repl::ReplicationCoordinator::modeReplSet); + uassert(5926101, + "FLE 2 is only supported when FCV supports 6.0", + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)); + auto [batchResult, insertReplyReturn] = processInsert(opCtx, insertRequest, &getTransactionWithRetriesForMongoD); @@ -197,6 +201,10 @@ write_ops::DeleteCommandReply processFLEDelete( repl::ReplicationCoordinator::get(opCtx->getServiceContext())->getReplicationMode() == repl::ReplicationCoordinator::modeReplSet); + uassert(5926102, + "FLE 2 is only supported when FCV supports 6.0", + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)); + auto deleteReply = processDelete(opCtx, deleteRequest, &getTransactionWithRetriesForMongoD); setMongosFieldsInReply(opCtx, &deleteReply.getWriteCommandReplyBase()); @@ -212,6 +220,10 @@ write_ops::FindAndModifyCommandReply processFLEFindAndModify( repl::ReplicationCoordinator::get(opCtx->getServiceContext())->getReplicationMode() == repl::ReplicationCoordinator::modeReplSet); + uassert(5926103, + "FLE 2 is only supported when FCV supports 6.0", + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)); + auto reply = processFindAndModifyRequest( opCtx, findAndModifyRequest, &getTransactionWithRetriesForMongoD); 
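Review bot: The added `uassert` is pasted verbatim into processFLEInsert, processFLEDelete and processFLEFindAndModify here and into processFLEUpdate in the next hunk, differing only in the error code (5926101 to 5926104). Unlike the other sites touched by this commit, it carries no SERVER-65077 marker, so a later cleanup that searches for that ticket will miss these four. Add `// TODO (SERVER-65077): Remove FCV check once 6.0 is released` above each. The message also names FCV as the only cause; if `isEnabled()` is also false when the flag itself is turned off, which is not visible here, that text will mislead the operator. Each function body starts and ends outside its hunk.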
@@ -226,6 +238,10 @@ write_ops::UpdateCommandReply processFLEUpdate( repl::ReplicationCoordinator::get(opCtx->getServiceContext())->getReplicationMode() == repl::ReplicationCoordinator::modeReplSet); + uassert(5926104, + "FLE 2 is only supported when FCV supports 6.0", + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)); + auto updateReply = processUpdate(opCtx, updateRequest, &getTransactionWithRetriesForMongoD); setMongosFieldsInReply(opCtx, &updateReply.getWriteCommandReplyBase()); diff --git a/src/mongo/db/s/shard_key_util.cpp b/src/mongo/db/s/shard_key_util.cpp index 2a081555d0e..5a0acaeb2a4 100644 --- a/src/mongo/db/s/shard_key_util.cpp +++ b/src/mongo/db/s/shard_key_util.cpp @@ -213,7 +213,8 @@ bool validateShardKeyIndexExistsOrCreateIfPossible(OperationContext* opCtx, void validateShardKeyIsNotEncrypted(OperationContext* opCtx, const NamespaceString& nss, const ShardKeyPattern& shardKeyPattern) { - if (!gFeatureFlagFLE2.isEnabledAndIgnoreFCV()) { + // TODO (SERVER-65077): Remove FCV check once 6.0 is released + if (!gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)) { return; } diff --git a/src/mongo/db/s/shardsvr_compact_structured_encryption_data_command.cpp b/src/mongo/db/s/shardsvr_compact_structured_encryption_data_command.cpp index b4cd3882aff..b29e42a741e 100644 --- a/src/mongo/db/s/shardsvr_compact_structured_encryption_data_command.cpp +++ b/src/mongo/db/s/shardsvr_compact_structured_encryption_data_command.cpp @@ -74,9 +74,10 @@ public: using InvocationBase::InvocationBase; Reply typedRun(OperationContext* opCtx) { + // TODO (SERVER-65077): Remove FCV check once 6.0 is released uassert(6350499, - "Feature flag FLE2 is not enabled", - gFeatureFlagFLE2.isEnabledAndIgnoreFCV()); + "FLE 2 is only supported when FCV supports 6.0", + gFeatureFlagFLE2.isEnabled(serverGlobalParams.featureCompatibility)); auto compact = makeRequest(opCtx); if (!compact) { 
diff --git a/src/mongo/shell/servers_misc.js b/src/mongo/shell/servers_misc.js index 3b82705015b..87eb1192527 100644 --- a/src/mongo/shell/servers_misc.js +++ b/src/mongo/shell/servers_misc.js @@ -157,8 +157,6 @@ startParallelShell = function(jsCode, port, noConnect, ...optionArgs) { } args.push(...optionArgs); - args.push("--setShellParameter"); - args.push("featureFlagFLE2=true"); args.push("--eval", jsCode); var pid = startMongoProgramNoConnect.apply(null, args); -- cgit v1.2.1