OpenQuizz
An application for managing educational content
AutoEncryptionOpts Class Reference

Public Member Functions

def __init__ (self, kms_providers, key_vault_namespace, key_vault_client=None, schema_map=None, bypass_auto_encryption=False, mongocryptd_uri='mongodb://localhost:27020', mongocryptd_bypass_spawn=False, mongocryptd_spawn_path='mongocryptd', mongocryptd_spawn_args=None)
 

Detailed Description

Options to configure automatic client-side field level encryption.

Constructor & Destructor Documentation

◆ __init__()

def __init__ (   self,
  kms_providers,
  key_vault_namespace,
  key_vault_client = None,
  schema_map = None,
  bypass_auto_encryption = False,
  mongocryptd_uri = 'mongodb://localhost:27020',
  mongocryptd_bypass_spawn = False,
  mongocryptd_spawn_path = 'mongocryptd',
  mongocryptd_spawn_args = None 
)
Options to configure automatic client-side field level encryption.

Automatic client-side field level encryption requires MongoDB 4.2
enterprise or a MongoDB 4.2 Atlas cluster. Automatic encryption is not
supported for operations on a database or view and will result in
an error.

Although automatic encryption requires MongoDB 4.2 enterprise or a
MongoDB 4.2 Atlas cluster, automatic *decryption* is supported for all
users. To configure automatic *decryption* without automatic
*encryption* set ``bypass_auto_encryption=True``. Explicit
encryption and explicit decryption are also supported for all users
with the :class:`~pymongo.encryption.ClientEncryption` class.

See :ref:`automatic-client-side-encryption` for an example.

:Parameters:
  - `kms_providers`: Map of KMS provider options. Two KMS providers
    are supported: "aws" and "local". The kmsProviders map values
    differ by provider:

      - `aws`: Map with "accessKeyId" and "secretAccessKey" as strings.
        These are the AWS access key ID and AWS secret access key used
        to generate KMS messages.
      - `azure`: Map with "tenantId", "clientId", and "clientSecret" as
        strings. Additionally, "identityPlatformEndpoint" may also be
        specified as a string (defaults to 'login.microsoftonline.com').
        These are the Azure Active Directory credentials used to
        generate Azure Key Vault messages.
      - `gcp`: Map with "email" as a string and "privateKey"
        as `bytes` or a base64 encoded string (unicode on Python 2).
        Additionally, "endpoint" may also be specified as a string
        (defaults to 'oauth2.googleapis.com'). These are the
        credentials used to generate Google Cloud KMS messages.
      - `local`: Map with "key" as `bytes` (96 bytes in length) or
        a base64 encoded string (unicode on Python 2) which decodes
        to 96 bytes. "key" is the master key used to encrypt/decrypt
        data keys. This key should be generated and stored as securely
        as possible.

  - `key_vault_namespace`: The namespace for the key vault collection.
    The key vault collection contains all data keys used for encryption
    and decryption. Data keys are stored as documents in this MongoDB
    collection. Data keys are protected with encryption by a KMS
    provider.
  - `key_vault_client` (optional): By default the key vault collection
    is assumed to reside in the same MongoDB cluster as the encrypted
    MongoClient. Use this option to route data key queries to a
    separate MongoDB cluster.
  - `schema_map` (optional): Map of collection namespace ("db.coll") to
    JSON Schema.  By default, a collection's JSONSchema is periodically
    polled with the listCollections command. But a JSONSchema may be
    specified locally with the schemaMap option.

    **Supplying a `schema_map` provides more security than relying on
    JSON Schemas obtained from the server. It protects against a
    malicious server advertising a false JSON Schema, which could trick
    the client into sending unencrypted data that should be
    encrypted.**

    Schemas supplied in the schemaMap only apply to configuring
    automatic encryption for client side encryption. Other validation
    rules in the JSON schema will not be enforced by the driver and
    will result in an error.
  - `bypass_auto_encryption` (optional): If ``True``, automatic
    encryption will be disabled but automatic decryption will still be
    enabled. Defaults to ``False``.
  - `mongocryptd_uri` (optional): The MongoDB URI used to connect
    to the *local* mongocryptd process. Defaults to
    ``'mongodb://localhost:27020'``.
  - `mongocryptd_bypass_spawn` (optional): If ``True``, the encrypted
    MongoClient will not attempt to spawn the mongocryptd process.
    Defaults to ``False``.
  - `mongocryptd_spawn_path` (optional): Used for spawning the
    mongocryptd process. Defaults to ``'mongocryptd'`` and spawns
    mongocryptd from the system path.
  - `mongocryptd_spawn_args` (optional): A list of string arguments to
    use when spawning the mongocryptd process. Defaults to
    ``['--idleShutdownTimeoutSecs=60']``. If the list does not include
    the ``idleShutdownTimeoutSecs`` option then
    ``'--idleShutdownTimeoutSecs=60'`` will be added.

.. versionadded:: 3.9
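
An added example (not part of the PyMongo documentation or the driver's code): a pre-flight check for the `local` provider's 96-byte key and for the `schema_map` guidance above, run before the options are built. It assumes top-level fields only; the helper names, the `required` mapping and the sample schema are hypothetical.

```python
import base64

def local_master_key(key):
    """Return the raw 96-byte "local" master key from bytes or base64 text."""
    raw = key if isinstance(key, bytes) else base64.b64decode(key, validate=True)
    if len(raw) != 96:
        raise ValueError("local master key must be 96 bytes, got %d" % len(raw))
    return raw

def unencrypted_fields(schema_map, required):
    """Return "db.coll.field" names from `required` that the local schema_map
    would send in plaintext: namespace absent, or field lacks `encrypt`."""
    gaps = []
    for namespace, fields in sorted(required.items()):
        props = schema_map.get(namespace, {}).get("properties", {})
        for field in fields:
            if "encrypt" not in props.get(field, {}):
                gaps.append("%s.%s" % (namespace, field))
    return gaps

def build_opts_kwargs(key, key_vault_namespace, schema_map, required):
    """Validate the inputs and return keyword arguments for AutoEncryptionOpts."""
    db, _, coll = key_vault_namespace.partition(".")
    if not db or not coll:
        raise ValueError("key_vault_namespace must look like 'db.coll'")
    gaps = unencrypted_fields(schema_map, required)
    if gaps:
        raise ValueError("schema_map leaves plaintext: " + ", ".join(gaps))
    return {
        "kms_providers": {"local": {"key": local_master_key(key)}},
        "key_vault_namespace": key_vault_namespace,
        "schema_map": schema_map,
    }

# Constructed sample: one namespace with one encrypted field. A real schema
# also names the data key (keyId) for each encrypted field.
SAMPLE_SCHEMA_MAP = {
    "hr.employees": {
        "bsonType": "object",
        "properties": {
            "ssn": {"encrypt": {
                "bsonType": "string",
                "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
            }},
        },
    },
}
```

The returned dictionary is meant to be passed as `AutoEncryptionOpts(**kwargs)`; a field listed in `required` but missing from the local schema stops the build instead of silently falling back to a server-supplied schema.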
