MongoDB
Export Configuration
Exporting a MongoDB server via a Tranquil Data peer extends the configuration object with the following fields:
| Field Name | Type | Required | Default |
|---|---|---|---|
| user | string | | |
| password | string | | |
| endpoint | string | | defaultServiceHost:27017 |
| certificate | string | | |
The value of type must be mongodb.
The value of endpoint is of the form HOST:PORT, where the value for PORT is 27017 if absent.
The value of resolverGroup is the name of the group, from the model used by the domain where the datastore is exported, to resolve fields for category and/or context mapping. If no group is named then an export will use the default group from the domain's model.
If metadata is present then each of the key-value pairs will be provided as default metadata attributes to any evaluation done through this exported interface. These values may be overridden, e.g. by auth token assertions. For instance, if metadata contains the key request-type with value user-access then this exported endpoint will only support operations by users on their own data, unless a token is used that overrides this restriction.
Security Support
Tranquil Data supports SCRAM-SHA-1 authentication, and SCRAM-SHA-256 authentication for version 4.0 and above. The value of user indicates the database user, and password indicates the password for that user. If user and password are not included, then no authentication is used.
The value of certificate is the PEM-encoded X.509 Public Key Certificate used to connect to the running MongoDB instance. If present, connections will be authenticated and run over TLS. If absent, then connections will be unsecured.
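The rules above can be checked before an export is deployed. The following lint is an added example, not Tranquil Data code: it assumes the export configuration is available as a Python dict keyed by the field names documented on this page, and `parse_endpoint`, `lint_export` and the sample values are hypothetical.

```python
DEFAULT_ENDPOINT = "defaultServiceHost:27017"  # default listed in the field table
DEFAULT_PORT = 27017                           # used when PORT is absent

def parse_endpoint(endpoint):
    """Split HOST:PORT, falling back to port 27017 when PORT is absent."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:                 # no colon at all: the whole value is the host
        return endpoint, DEFAULT_PORT
    return host, int(port) if port else DEFAULT_PORT

def lint_export(cfg):
    """Return (severity, message) findings for one export configuration dict."""
    findings = []
    if cfg.get("type") != "mongodb":
        findings.append(("error", "type must be mongodb"))
    try:
        host, port = parse_endpoint(cfg.get("endpoint", DEFAULT_ENDPOINT))
        if not host or not 0 < port < 65536:
            raise ValueError(port)
    except ValueError:
        findings.append(("error", "endpoint is not a valid HOST:PORT"))
    user, password = cfg.get("user"), cfg.get("password")
    if not user and not password:
        findings.append(("warn", "no user/password: no authentication is used"))
    elif not (user and password):
        findings.append(("warn", "only one of user/password is set"))
    cert = cfg.get("certificate")
    if not cert:
        findings.append(("warn", "no certificate: connections will be unsecured"))
    elif "PRIVATE KEY" in cert:
        findings.append(("error", "certificate field holds a private key"))
    elif "-----BEGIN CERTIFICATE-----" not in cert:
        findings.append(("error", "certificate is not PEM-encoded"))
    return findings

# Constructed sample configurations (placeholder values, not real credentials).
WEAK = {"type": "mongodb", "endpoint": "db.internal.example"}
HARDENED = {
    "type": "mongodb",
    "endpoint": "db.internal.example:27018",
    "user": "exporter",
    "password": "<from-secret-store>",
    "certificate": "-----BEGIN CERTIFICATE-----\n<base64>\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_export(cfg) or "no findings")
```

The certificate check only inspects PEM framing; it does not validate the X.509 contents or the chain.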
Context Interaction
Tranquil Data supports MongoDB wire protocol version 3.6, or later. Context is formed from MongoDB JSON documents as normalized string representations. This means that the value of a complex type, such as the JSON array "groups" : ["admin", "users"] would be captured as the string: "[admin users]".
Tranquil Data supports the full MongoDB query protocol; however it will only form context and perform policy evaluation for the following subset of operations:
- insert
- update
- findAndModify
- distinct
- find
MongoDB's error reporting system only permits errors to be reported for writes. Any policy violations on write will be reported using the writeErrors response field. The response code will be ERR_OP_FAILED and the errmsg field will be set to a short summary string of the policy error.