MongoDB field-level encryption in AWS Lambda

Time: 2020-08-28 11:34:49

Tags: mongodb aws-lambda

I am trying to use MongoDB field-level encryption with Lambda. I packaged the mongocryptd binary built for Amazon Linux 2 with the lambda and made sure it is on the current PATH. However, connecting to the server does not work. I get the following error: "MongoServerSelectionError: connect ECONNREFUSED 127.0.0.1:27020"

Running the handler code in an Amazon Linux 2 docker image works fine. Running the lambda without the auto-encryption option also works as expected, so basically the lambda can reach the mongo cluster. I also tried using the local master key provider, to no avail.

Update: spawning the mongocryptd process manually inside the lambda with const child = spawn("mongocryptd", []) gave an error because of libraries missing from the Lambda container (although they are present in the Amazon Linux 2 docker image). I added all the missing libraries, so the process can now be spawned manually. But I still get the error above.

Here is my lambda code

const { Binary, MongoClient } = require("mongodb");
const path = require("path");

const connectionString = "mongodb+srv://OMMITED.mongodb.net/development?retryWrites=true&w=majority";
const keyVaultNamespace = "development.__keyVault";
const base64KeyId = "OMMITED";

// add the bundled mongocryptd (in ./bin) to $PATH so the driver can spawn it
process.env.PATH = `${process.env.PATH}:${path.resolve(__dirname, "bin")}`;

// KMS credentials the driver uses to unwrap the data encryption key
const kmsProviders = {
  aws: {
    accessKeyId: "OMMITED",
    secretAccessKey: "OMMITED",
  },
};

// JSON schema telling the driver which fields to encrypt automatically
const createSchema = () => {
  return {
    "development.test": {
      bsonType: "object",
      encryptMetadata: {
        // subtype 4 = UUID: the _id of the data key in the key vault
        keyId: [new Binary(Buffer.from(base64KeyId, "base64"), 4)],
      },
      properties: {
        foo: {
          encrypt: {
            bsonType: "string",
            algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
          },
        },
      },
    },
  };
};

module.exports.hello = async (event) => {
  const secureClient = new MongoClient(connectionString, {
    useNewUrlParser: true,
    useUnifiedTopology: true,
    autoEncryption: {
      keyVaultNamespace,
      kmsProviders,
      schemaMap: createSchema(),
    },
  });

  // declared outside the try block so it is still in scope for the return below
  let resp;
  try {
    await secureClient.connect();
    const collection = secureClient.db("development").collection("test");
    resp = await collection.find({}).toArray();
    console.log("RESP", JSON.stringify(resp));
  } catch (error) {
    console.log(error);
  } finally {
    await secureClient.close();
  }

  return {
    statusCode: 200,
    body: JSON.stringify(resp),
  };
};

Update 2: spawning the mongocryptd process manually in the lambda and logging its stdout gives me the following output. There seems to be a problem in the first output.

START RequestId: 52efeae4-3da9-46d2-b04a-72ba18c92d87 Version: $LATEST
2020-08-29T07:44:54.379Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.372+00:00"},"s":"I",  "c":"CONTROL",  "id":23103,   "ctx":"SignalHandler","msg":"Ignoring error from setting thread name","attr":{"error":"Operation not permitted"}}

2020-08-29T07:44:54.381Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.380+00:00"},"s":"I",  "c":"CONTROL",  "id":4615669, "ctx":"initandlisten","msg":"MongoCryptD starting","attr":{"pid":20,"port":27020,"socketFile":"/tmp/mongocryptd.sock","architecture":"64-bit","host":"169.254.13.13"}}

2020-08-29T07:44:54.381Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I",  "c":"CONTROL",  "id":23403,   "ctx":"initandlisten","msg":"Build Info","attr":{"buildInfo":{"version":"4.4.0","gitVersion":"563487e100c4215e2dce98d0af2a6a5a2d67c5cf","openSSLVersion":"OpenSSL 1.0.2k-fips  26 Jan 2017","modules":["enterprise"],"allocator":"tcmalloc","environment":{"distmod":"amazon2","distarch":"x86_64","target_arch":"x86_64"}}}}
{"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I",  "c":"CONTROL",  "id":51765,   "ctx":"initandlisten","msg":"Operating System","attr":{"os":{"name":"Amazon Linux release 2 (Karoo)","version":"Kernel 4.14.177-104.253.amzn2.x86_64"}}}
{"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I",  "c":"CONTROL",  "id":21951,   "ctx":"initandlisten","msg":"Options set by command line","attr":{"options":{"processManagement":{"idleShutdownTimeoutSecs":60}}}}

2020-08-29T07:44:54.381Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.381+00:00"},"s":"I",  "c":"CONTROL",  "id":24225,   "ctx":"initandlisten","msg":"Using lock file","attr":{"file":"/var/task/mongocryptd.pid"}}
{"t":{"$date":"2020-08-29T07:44:54.380+00:00"},"s":"I",  "c":"CONTROL",  "id":23103,   "ctx":"SignalHandler","msg":"Ignoring error from setting thread name","attr":{"error":"Operation not permitted"}}

2020-08-29T07:44:54.382Z    52efeae4-3da9-46d2-b04a-72ba18c92d87    INFO    {"t":{"$date":"2020-08-29T07:44:54.382+00:00"},"s":"E",  "c":"CONTROL",  "id":24231,   "ctx":"initandlisten","msg":"Failed to open pid file, exiting","attr":{"error":{"code":98,"codeName":"DBPathInUse","errmsg":"Unable to create/open the lock file: /var/task/mongocryptd.pid (Read-only file system). Ensure the user executing mongod is the owner of the lock file and has the appropriate permissions. Also make sure that another mongod instance is not already running on the /var/task directory"}}}

END RequestId: 52efeae4-3da9-46d2-b04a-72ba18c92d87
REPORT RequestId: 52efeae4-3da9-46d2-b04a-72ba18c92d87  Duration: 3014.10 ms    Billed Duration: 3100 ms    Memory Size: 1024 MB    Max Memory Used: 137 MB Init Duration: 360.02 ms

1 answer:

Answer 0 (score: 0)

The driver silences mongocryptd's output, which makes debugging spawn problems difficult. You can:

  • Pass the --logpath argument to mongocryptd, as specified here
  • Patch the driver to remove the stdout/stderr redirection of the mongocryptd process