<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<refentry xml:id="mongodb-driver-manager.construct" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink">
<refnamediv>
<refname>MongoDB\Driver\Manager::__construct</refname>
<refpurpose>Create new MongoDB Manager</refpurpose>
</refnamediv>
<refsect1 role="description">
&reftitle.description;
<methodsynopsis>
<modifier>final</modifier> <modifier>public</modifier> <methodname>MongoDB\Driver\Manager::__construct</methodname>
<methodparam choice="opt"><type class="union"><type>string</type><type>null</type></type><parameter>uri</parameter><initializer>&null;</initializer></methodparam>
<methodparam choice="opt"><type class="union"><type>array</type><type>null</type></type><parameter>uriOptions</parameter><initializer>&null;</initializer></methodparam>
<methodparam choice="opt"><type class="union"><type>array</type><type>null</type></type><parameter>driverOptions</parameter><initializer>&null;</initializer></methodparam>
</methodsynopsis>
<para>
Constructs a new <classname>MongoDB\Driver\Manager</classname> object with the specified options.
</para>
<note>
<simpara>
Per the <link xlink:href="&url.mongodb.sdam;#single-threaded-client-construction">Server Discovery and Monitoring Specification</link>,
this constructor performs no I/O. Connections will be initialized on demand,
when the first operation is executed.
</simpara>
</note>
<note>
<simpara>
When specifying any SSL or TLS URI options via the connection string or
<parameter>uriOptions</parameter> parameter, the extension will implicitly
enable TLS for its connections. To avoid this, either explicitly disable the
<literal>tls</literal> option or don't specify any TLS options.
</simpara>
</note>
&mongodb.note.forking;
</refsect1>
<refsect1 role="parameters">
&reftitle.parameters;
<variablelist>
<varlistentry xml:id="mongodb-driver-manager.construct-uri">
<term><parameter>uri</parameter></term>
<listitem>
<para>
A <link xlink:href="&url.mongodb.docs;reference/connection-string/">mongodb://</link> connection URI:
<programlisting role="txt">
<![CDATA[
mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[defaultAuthDb][?options]]
]]>
</programlisting>
</para>
<para>
Defaults to <literal>"mongodb://127.0.0.1:27017"</literal> if unspecified.
</para>
<para>
For details on supported URI options, see
<link xlink:href="&url.mongodb.docs;reference/connection-string/#connections-connection-options">Connection String Options</link>
in the MongoDB manual.
<link xlink:href="&url.mongodb.docs;reference/connection-string/#connection-pool-options">Connection pool options</link>
are not supported, as the extension does not implement connection pools.
</para>
<para>
The <parameter>uri</parameter> is a URL, hence any special characters in
its components need to be URL encoded according to
<link xlink:href="&url.rfc;3986">RFC 3986</link>. This is particularly
relevant to the username and password, which can often include special
characters such as <literal>@</literal>, <literal>:</literal>, or
<literal>%</literal>. When connecting via a Unix domain socket, the socket
path may contain special characters such as slashes and must be encoded.
The <function>rawurlencode</function> function may be used to encode
constituent parts of the URI.
</para>
<para>
The <literal>defaultAuthDb</literal> component may be used to specify the
database name associated with the user's credentials; however the
<literal>authSource</literal> URI option will take priority if specified.
If neither <literal>defaultAuthDb</literal> nor
<literal>authSource</literal> is specified, the <literal>admin</literal>
database will be used by default. The <literal>defaultAuthDb</literal>
component has no effect in the absence of user credentials.
</para>
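<para>
The encoding rule above, as an added example that is not part of the PHP
manual or the extension: each URI component is encoded on its own with
<function>rawurlencode</function>, and the same credentials are then passed
unencoded through the <literal>username</literal> and
<literal>password</literal> URI options. The function name
<literal>buildMongoUri</literal>, the host names, the socket path and the
credentials are constructed for illustration.
</para>
<programlisting role="php">
<![CDATA[
```php
<?php
// Added example, not from the PHP manual. Requires the mongodb extension.
// Hosts, socket path and credentials are constructed sample values.

/**
 * Build a mongodb:// URI by encoding each component on its own.
 * Encoding the finished string instead would also escape the "@", ":" and
 * "/" characters that separate the components.
 */
function buildMongoUri(string $user, string $password, array $hosts, string $defaultAuthDb = ''): string
{
    $encodedHosts = array_map(
        // A host that starts with "/" is a Unix domain socket path; its
        // slashes must be encoded so they are not read as URI delimiters.
        static fn (string $host): string => str_starts_with($host, '/') ? rawurlencode($host) : $host,
        $hosts
    );

    return sprintf(
        'mongodb://%s:%s@%s/%s',
        rawurlencode($user),
        rawurlencode($password),
        implode(',', $encodedHosts),
        rawurlencode($defaultAuthDb)
    );
}

$user = 'app@example.test';   // constructed, contains "@"
$password = 'p@ss:w%rd/1';    // constructed, contains "@", ":", "%" and "/"
$hosts = ['db1.example.test:27017', 'db2.example.test:27017'];

// Option 1: credentials inside the URI, each one percent-encoded.
// The constructor performs no I/O, so no server is needed to run this.
$uri = buildMongoUri($user, $password, $hosts, 'admin');
$managerFromUri = new MongoDB\Driver\Manager($uri);

// The same helper applied to a Unix domain socket path.
$socketUri = buildMongoUri($user, $password, ['/tmp/mongodb-27017.sock']);

// Option 2: keep the URI free of credentials and pass the raw values through
// uriOptions. They need no encoding and overwrite same-named URI options.
$managerFromOptions = new MongoDB\Driver\Manager(
    'mongodb://' . implode(',', $hosts) . '/',
    ['username' => $user, 'password' => $password, 'authSource' => 'admin']
);

// Printed only because the values are constructed; a real URI built this
// way carries the password and should be kept out of logs.
echo $uri, PHP_EOL, $socketUri, PHP_EOL;
```
]]>
</programlisting>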
</listitem>
</varlistentry>
<varlistentry xml:id="mongodb-driver-manager.construct-urioptions">
<term><parameter>uriOptions</parameter></term>
<listitem>
<para>
Additional
<link xlink:href="&url.mongodb.docs;reference/connection-string/#connections-connection-options">connection string options</link>,
which will overwrite any options with the same name in the
<parameter>uri</parameter> parameter.
</para>
<para>
<table>
<title>uriOptions</title>
<tgroup cols="3">
<thead>
<row>
<entry>Option</entry>
<entry>Type</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>appname</entry>
<entry><type>string</type></entry>
<entry>
<para>
MongoDB 3.4+ has the ability to annotate connections with metadata
provided by the connecting client. This metadata is included in the
server's logs upon establishing a connection and also recorded in
slow query logs when database profiling is enabled.
</para>
<para>
This option may be used to specify an application name, which will
be included in the metadata. The value cannot exceed 128 characters
in length.
</para>
</entry>
</row>
<row>
<entry>authMechanism</entry>
<entry><type>string</type></entry>
<entry>
<para>
The authentication mechanism that MongoDB will use to authenticate
the connection. For additional details and a list of supported
values, see
<link xlink:href="&url.mongodb.docs;reference/connection-string/#urioption.authMechanism">Authentication Options</link>
in the MongoDB manual.
</para>
</entry>
</row>
<row>
<entry>authMechanismProperties</entry>
<entry><type>array</type></entry>
<entry>
<para>
Properties for the selected authentication mechanism. For additional
details and a list of supported properties, see the
<link xlink:href="&url.mongodb.specs;/blob/master/source/auth/auth.rst#auth-related-options">Driver Authentication Specification</link>.
</para>
<note>
<simpara>
When not specified in the URI string, this option is expressed as
an array of key/value pairs. The keys and values in this array
should be strings.
</simpara>
</note>
</entry>
</row>
<row>
<entry>authSource</entry>
<entry><type>string</type></entry>
<entry>
<para>
The database name associated with the user's credentials. Defaults
to the database component of the connection URI, or the
<literal>admin</literal> database if both are unspecified.
</para>
<para>
For authentication mechanisms that delegate credential storage to
other services (e.g. GSSAPI), this should be
<literal>"$external"</literal>.
</para>
</entry>
</row>
<row>
<entry>compressors</entry>
<entry><type>string</type></entry>
<entry>
<para>
A prioritized, comma-delimited list of compressors that the client
wants to use. Messages are only compressed if the client and server
share any compressors in common, and the compressor used in each
direction will depend on the individual configuration of the server
or driver. See the
<link xlink:href="&url.mongodb.specs;/blob/master/source/compression/OP_COMPRESSED.rst#compressors">Driver Compression Specification</link>
for more information.
</para>
</entry>
</row>
<row xml:id="mongodb-driver-manager.construct-urioptions.connecttimeoutms">
<entry>connectTimeoutMS</entry>
<entry><type>int</type></entry>
<entry>
<para>
The time in milliseconds to attempt a connection before timing out.
Defaults to 10,000 milliseconds.
</para>
</entry>
</row>
<row>
<entry>directConnection</entry>
<entry><type>bool</type></entry>
<entry>
<para>
This option can be used to control replica set discovery behavior
when only a single host is provided in the connection string. By
default, providing a single member in the connection string will
establish a direct connection or discover additional members
depending on whether the <literal>"replicaSet"</literal> URI option
is omitted or present, respectively. Specify &false; to force
discovery to occur (if <literal>"replicaSet"</literal> is omitted)
or specify &true; to force a direct connection (if
<literal>"replicaSet"</literal> is present).
</para>
</entry>
</row>
<row>
<entry>heartbeatFrequencyMS</entry>
<entry><type>int</type></entry>
<entry>
<para>
Specifies the interval in milliseconds between the driver's checks
of the MongoDB topology, counted from the end of the previous check
until the beginning of the next one. Defaults to 60,000
milliseconds.
</para>
<para>
Per the
<link xlink:href="&url.mongodb.sdam;#heartbeatfrequencyms">Server Discovery and Monitoring Specification</link>,
this value cannot be less than 500 milliseconds.
</para>
</entry>
</row>
<row>
<entry>journal</entry>
<entry><type>bool</type></entry>
<entry>
<para>
Corresponds to the default write concern's
<parameter>journal</parameter> parameter. If &true;, writes will
require acknowledgement from MongoDB that the operation has been
written to the journal. For details, see
<classname>MongoDB\Driver\WriteConcern</classname>.
</para>
</entry>
</row>
<row>
<entry>loadBalanced</entry>
<entry><type>bool</type></entry>
<entry>
<para>
Specifies whether the driver is connecting to a MongoDB cluster
through a load balancer. If &true;, the driver may only connect to a
single host (specified by either the connection string or SRV
lookup), the <literal>"directConnection"</literal> URI option
cannot be &true;, and the <literal>"replicaSet"</literal> URI option
must be omitted. Defaults to &false;.
</para>
</entry>
</row>
<row>
<entry>localThresholdMS</entry>
<entry><type>int</type></entry>
<entry>
<para>
The size in milliseconds of the latency window for selecting among
multiple suitable MongoDB instances while resolving a read
preference. Defaults to 15 milliseconds.
</para>
</entry>
</row>
<row>
<entry>maxStalenessSeconds</entry>
<entry><type>int</type></entry>
<entry>
<para>
Corresponds to the read preference's
<literal>"maxStalenessSeconds"</literal>. Specifies, in seconds, how
stale a secondary can be before the client stops using it for read
operations. By default, there is no maximum staleness and clients
will not consider a secondary’s lag when choosing where to direct a
read operation. For details, see
<classname>MongoDB\Driver\ReadPreference</classname>.
</para>
<para>
If specified, the max staleness must be a signed 32-bit integer
greater than or equal to
<constant>MongoDB\Driver\ReadPreference::SMALLEST_MAX_STALENESS_SECONDS</constant>
(i.e. 90 seconds).
</para>
</entry>
</row>
<row>
<entry>password</entry>
<entry><type>string</type></entry>
<entry>
The password for the user being authenticated. This option is useful
if the password contains special characters, which would otherwise
need to be URL encoded for the connection URI.
</entry>
</row>
<row>
<entry>readConcernLevel</entry>
<entry><type>string</type></entry>
<entry>
Corresponds to the read concern's <parameter>level</parameter>
parameter. Specifies the level of read isolation. For details, see
<classname>MongoDB\Driver\ReadConcern</classname>.
</entry>
</row>
<row>
<entry>readPreference</entry>
<entry><type>string</type></entry>
<entry>
<para>
Corresponds to the read preference's <parameter>mode</parameter>
parameter. Defaults to <literal>"primary"</literal>. For details,
see <classname>MongoDB\Driver\ReadPreference</classname>.
</para>
</entry>
</row>
<row>
<entry>readPreferenceTags</entry>
<entry><type>array</type></entry>
<entry>
<para>
Corresponds to the read preference's <parameter>tagSets</parameter>
parameter. Tag sets allow you to target read operations to specific
members of a replica set. For details, see
<classname>MongoDB\Driver\ReadPreference</classname>.
</para>
<note>
<simpara>
When not specified in the URI string, this option is expressed as
an array consistent with the format expected by
<function>MongoDB\Driver\ReadPreference::__construct</function>.
</simpara>
</note>
</entry>
</row>
<row>
<entry>replicaSet</entry>
<entry><type>string</type></entry>
<entry>
<para>
Specifies the name of the replica set.
</para>
</entry>
</row>
<row>
<entry>retryReads</entry>
<entry><type>bool</type></entry>
<entry>
<para>
Specifies whether or not the driver should automatically retry
certain read operations that fail due to transient network errors
or replica set elections. This functionality requires MongoDB 3.6+.
Defaults to &true;.
</para>
<para>
See the
<link xlink:href="&url.mongodb.specs;/blob/master/source/retryable-reads/retryable-reads.rst">Retryable Reads Specification</link>
for more information.
</para>
</entry>
</row>
<row>
<entry>retryWrites</entry>
<entry><type>bool</type></entry>
<entry>
<para>
Specifies whether or not the driver should automatically retry
certain write operations that fail due to transient network errors
or replica set elections. This functionality requires MongoDB 3.6+.
Defaults to &true;.
</para>
<para>
See
<link xlink:href="&url.mongodb.docs;core/retryable-writes/">Retryable Writes</link>
in the MongoDB manual for more information.
</para>
</entry>
</row>
<row xml:id="mongodb-driver-manager.construct-urioptions.serverselectiontimeoutms">
<entry>serverSelectionTimeoutMS</entry>
<entry><type>int</type></entry>
<entry>
<para>
Specifies how long in milliseconds to block for server selection
before throwing an exception. Defaults to 30,000 milliseconds.
</para>
</entry>
</row>
<row>
<entry>serverSelectionTryOnce</entry>
<entry><type>bool</type></entry>
<entry>
<para>
When &true;, instructs the driver to scan the MongoDB deployment
exactly once after server selection fails and then either select a
server or raise an error. When &false;, the driver blocks and
searches for a server up to the
<literal>"serverSelectionTimeoutMS"</literal> value. Defaults to
&true;.
</para>
</entry>
</row>
<row>
<entry>socketCheckIntervalMS</entry>
<entry><type>int</type></entry>
<entry>
<para>
If a socket has not been used recently, the driver must check it via
a <literal>hello</literal> command before using it for any
operation. Defaults to 5,000 milliseconds.
</para>
</entry>
</row>
<row>
<entry>socketTimeoutMS</entry>
<entry><type>int</type></entry>
<entry>
<para>
The time in milliseconds to attempt a send or receive on a socket
before timing out. Defaults to 300,000 milliseconds (i.e. five
minutes).
</para>
</entry>
</row>
<row>
<entry>srvMaxHosts</entry>
<entry><type>int</type></entry>
<entry>
<para>
The maximum number of SRV results to randomly select when initially
populating the seedlist or, during SRV polling, adding new hosts to
the topology. Defaults to <literal>0</literal> (i.e. no maximum).
</para>
</entry>
</row>
<row>
<entry>srvServiceName</entry>
<entry><type>string</type></entry>
<entry>
<para>
The service name to use for SRV lookup in initial DNS seedlist
discovery and SRV polling. Defaults to <literal>"mongodb"</literal>.
</para>
</entry>
</row>
<row>
<entry>tls</entry>
<entry><type>bool</type></entry>
<entry>
<para>
Initiates the connection with TLS/SSL if &true;. Defaults to
&false;.
</para>
</entry>
</row>
<row>
<entry>tlsAllowInvalidCertificates</entry>
<entry><type>bool</type></entry>
<entry>
<para>
Specifies whether or not the driver should error when the server's
TLS certificate is invalid. Defaults to &false;.
</para>
<warning>
<simpara>
Disabling certificate validation creates a vulnerability.
</simpara>
</warning>
</entry>
</row>
<row>
<entry>tlsAllowInvalidHostnames</entry>
<entry><type>bool</type></entry>
<entry>
<para>
Specifies whether or not the driver should error when there is a
mismatch between the server's hostname and the hostname specified by
the TLS certificate. Defaults to &false;.
</para>
<warning>
<simpara>
Disabling certificate validation creates a vulnerability. Allowing
invalid hostnames may expose the driver to a
<link xlink:href="&url.mongodb.wiki.mitm;">man-in-the-middle attack</link>.
</simpara>
</warning>
</entry>
</row>
<row>
<entry>tlsCAFile</entry>
<entry><type>string</type></entry>
<entry>
<para>
Path to a file containing either a single certificate authority or a
bundle of certificate authorities to be considered trusted when making
a TLS connection. The system certificate store will be used by default.
</para>
</entry>
</row>
<row>
<entry>tlsCertificateKeyFile</entry>
<entry><type>string</type></entry>
<entry>
<para>
Path to the client certificate file or the client private key file;
in the case that they both are needed, the files should be
concatenated.
</para>
</entry>
</row>
<row>
<entry>tlsCertificateKeyFilePassword</entry>
<entry><type>string</type></entry>
<entry>
<para>
Password to decrypt the client private key (i.e.
<literal>"tlsCertificateKeyFile"</literal> URI option) to be used
for TLS connections.
</para>
</entry>
</row>
<row>
<entry>tlsDisableCertificateRevocationCheck</entry>
<entry><type>bool</type></entry>
<entry>
<para>
If &true;, the driver will not attempt to check certificate
revocation status (e.g. OCSP, CRL). Defaults to &false;.
</para>
</entry>
</row>
<row>
<entry>tlsDisableOCSPEndpointCheck</entry>
<entry><type>bool</type></entry>
<entry>
<para>
If &true;, the driver will not attempt to contact an OCSP responder
endpoint if needed (i.e. an OCSP response is not stapled). Defaults
to &false;.
</para>
</entry>
</row>
<row>
<entry>tlsInsecure</entry>
<entry><type>bool</type></entry>
<entry>
<para>
Relax TLS constraints as much as possible. Specifying &true; for
this option has the same effect as specifying &true; for both the
<literal>"tlsAllowInvalidCertificates"</literal> and
<literal>"tlsAllowInvalidHostnames"</literal> URI options. Defaults
to &false;.
</para>
<warning>
<simpara>
Disabling certificate validation creates a vulnerability. Allowing
invalid hostnames may expose the driver to a
<link xlink:href="&url.mongodb.wiki.mitm;">man-in-the-middle attack</link>.
</simpara>
</warning>
</entry>
</row>
<row>
<entry>username</entry>
<entry><type>string</type></entry>
<entry>
The username for the user being authenticated. This option is useful
if the username contains special characters, which would otherwise
need to be URL encoded for the connection URI.
</entry>
</row>
<row>
<entry>w</entry>
<entry><type class="union"><type>int</type><type>string</type></type></entry>
<entry>
<para>
Corresponds to the default write concern's <parameter>w</parameter>
parameter. For details, see
<classname>MongoDB\Driver\WriteConcern</classname>.
</para>
</entry>
</row>
<row>
<entry>wTimeoutMS</entry>
<entry><type class="union"><type>int</type><type>string</type></type></entry>
<entry>
<para>
Corresponds to the default write concern's
<parameter>wtimeout</parameter> parameter. Specifies a time limit,
in milliseconds, for the write concern. For details, see
<classname>MongoDB\Driver\WriteConcern</classname>.
</para>
<para>
If specified, <literal>wTimeoutMS</literal> must be a signed 32-bit
integer greater than or equal to zero.
</para>
</entry>
</row>
<row>
<entry>zlibCompressionLevel</entry>
<entry><type>int</type></entry>
<entry>
<para>
Specifies the compression level to use for the zlib compressor. This
option has no effect if <literal>zlib</literal> is not included in
the <literal>"compressors"</literal> URI option. See the
<link xlink:href="&url.mongodb.specs;/blob/master/source/compression/OP_COMPRESSED.rst#zlibcompressionlevel">Driver Compression Specification</link>
for more information.
</para>
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
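<para>
An added example, not code from the manual or the driver: a pre-flight check
that merges URI and <parameter>uriOptions</parameter> values the way the
constructor does and reports the TLS settings this table warns about.
<literal>auditTlsOptions</literal> and its helpers are hypothetical names, and
the sample URIs and file paths are constructed.
</para>
<programlisting role="php">
<![CDATA[
```php
<?php
// Added example, not part of the PHP manual or the driver.
// Option names come from the uriOptions table; URIs and paths are constructed.

const WEAK_TLS_OPTIONS = [
    'tlsInsecure' => 'certificate and hostname validation are both disabled',
    'tlsAllowInvalidCertificates' => 'invalid server certificates are accepted',
    'tlsAllowInvalidHostnames' => 'hostname mismatches are accepted (man-in-the-middle exposure)',
];

/** Merge options as the constructor does: uriOptions overwrite same-named URI options. */
function effectiveOptions(string $uri, array $uriOptions): array
{
    $fromUri = [];
    $queryStart = strpos($uri, '?');
    if ($queryStart !== false) {
        parse_str(substr($uri, $queryStart + 1), $fromUri);
    }

    // Connection string option names are case-insensitive, so compare in
    // lower case. With "+", entries of the left operand take precedence.
    return array_change_key_case($uriOptions, CASE_LOWER)
        + array_change_key_case($fromUri, CASE_LOWER);
}

/** Accepts real booleans from uriOptions and "true"/"false" strings from the URI. */
function isTrue(mixed $value): bool
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/** Return a list of human-readable findings; an empty list means nothing was flagged. */
function auditTlsOptions(string $uri, array $uriOptions = []): array
{
    $opts = effectiveOptions($uri, $uriOptions);
    $findings = [];

    foreach (WEAK_TLS_OPTIONS as $name => $why) {
        if (isTrue($opts[strtolower($name)] ?? false)) {
            $findings[] = "$name=true: $why";
        }
    }

    // Any TLS option implicitly enables TLS unless "tls" is explicitly false.
    $otherTls = array_values(array_filter(
        array_keys($opts),
        static fn ($key): bool => $key !== 'tls' && str_starts_with((string) $key, 'tls')
    ));
    $tlsExplicit = array_key_exists('tls', $opts);

    if ($tlsExplicit && !isTrue($opts['tls'])) {
        $findings[] = $otherTls !== []
            ? 'tls=false: TLS is disabled even though other TLS options are set (' . implode(', ', $otherTls) . ')'
            : 'tls=false: the connection is not encrypted';
    } elseif (!$tlsExplicit && $otherTls === [] && str_starts_with($uri, 'mongodb://')) {
        // mongodb+srv:// URIs are left out of this check because SRV
        // connection strings enable TLS by default.
        $findings[] = 'tls not set: defaults to false, the connection is not encrypted';
    }

    return $findings;
}

// Constructed samples: a weak configuration beside a corrected one.
$weak = auditTlsOptions(
    'mongodb://db1.example.test:27017/?tls=true&tlsAllowInvalidCertificates=true',
    ['tlsAllowInvalidHostnames' => true]
);
$hardened = auditTlsOptions(
    'mongodb://db1.example.test:27017/',
    [
        'tls' => true,
        'tlsCAFile' => '/etc/ssl/example/ca.pem',
        'tlsCertificateKeyFile' => '/etc/ssl/example/client.pem',
    ]
);

print_r($weak);      // two findings: invalid certificates and invalid hostnames
print_r($hardened);  // no findings
```
]]>
</programlisting>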
</listitem>
</varlistentry>
<varlistentry xml:id="mongodb-driver-manager.construct-driveroptions">
<term><parameter>driverOptions</parameter></term>
<listitem>
<para>
<table>
<title>driverOptions</title>
<tgroup cols="3">
<thead>
<row>
<entry>Option</entry>
<entry>Type</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>autoEncryption</entry>
<entry><type>array</type></entry>
<entry>
<para>
Provides options to enable automatic client-side field level
encryption.
</para>
<note>
<para>
Automatic encryption is an enterprise-only feature that only
applies to operations on a collection. Automatic encryption is not
supported for operations on a database or view, and operations that
are not bypassed will result in an error (see
<link xlink:href="&url.mongodb.libmongocrypt.allow.list;">libmongocrypt: Auto Encryption Allow-List</link>). To bypass automatic encryption
for all operations, set <literal>bypassAutoEncryption</literal> to
&true;.
</para>
<para>
Automatic encryption requires the authenticated user to have the
<link xlink:href="&url.mongodb.docs;reference/command/listCollections/#required-access">listCollections</link>
privilege action.
</para>
<para>
Explicit encryption/decryption and automatic decryption are
community features. The driver can still automatically decrypt when
<literal>bypassAutoEncryption</literal> is &true;.
</para>
</note>
<para>
The following options are supported:
<table>
<title>Options for automatic encryption</title>
<tgroup cols="3">
<thead>
<row>
<entry>Option</entry>
<entry>Type</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
&mongodb.option.encryption.keyVaultClient;
&mongodb.option.encryption.keyVaultNamespace;
&mongodb.option.encryption.kmsProviders;
&mongodb.option.encryption.tlsOptions;
<row>
<entry>schemaMap</entry>
<entry><type class="union"><type>array</type><type>object</type></type></entry>
<entry>
<para>
Map of collection namespaces to a local JSON schema. This is
used to configure automatic encryption. See
<link xlink:href="&url.mongodb.docs;reference/security-client-side-automatic-json-schema/">Automatic Encryption Rules</link>
in the MongoDB manual for more information. It is an error to
specify a collection in both <literal>schemaMap</literal> and
<literal>encryptedFieldsMap</literal>.
</para>
<note>
<simpara>
Supplying a <literal>schemaMap</literal> provides more
security than relying on JSON schemas obtained from the
server. It protects against a malicious server advertising a
false JSON schema, which could trick the client into sending
unencrypted data that should be encrypted.
</simpara>
</note>
<note>
<simpara>
Schemas supplied in the <literal>schemaMap</literal> only
apply to configuring automatic encryption for client side
encryption. Other validation rules in the JSON schema will
not be enforced by the driver and will result in an error.
</simpara>
</note>
</entry>
</row>
<row>
<entry>bypassAutoEncryption</entry>
<entry><type>bool</type></entry>
<entry>
If &true;, <literal>mongocryptd</literal> will not be spawned
automatically. This is used to disable automatic encryption.
Defaults to &false;.
</entry>
</row>
<row>
<entry>bypassQueryAnalysis</entry>
<entry><type>bool</type></entry>
<entry>
<para>
If &true;, automatic analysis of outgoing commands will be
disabled and <literal>mongocryptd</literal> will not be
spawned automatically. This enables the use case of explicit
encryption for querying indexed fields without requiring the
enterprise licensed <literal>crypt_shared</literal> library or
<literal>mongocryptd</literal> process. Defaults to &false;.
</para>
</entry>
</row>
<row>
<entry>encryptedFieldsMap</entry>
<entry><type class="union"><type>array</type><type>object</type></type></entry>
<entry>
<para>
Map of collection namespaces to an
<literal>encryptedFields</literal> document. This is used to
configure queryable encryption. See
<link xlink:href="&url.mongodb.docs;core/queryable-encryption/fundamentals/encrypt-and-query/">Field Encryption and Queryability</link>
in the MongoDB manual for more information. It is an error to
specify a collection in both
<literal>encryptedFieldsMap</literal> and
<literal>schemaMap</literal>.
</para>
<note>
<simpara>
Supplying an <literal>encryptedFieldsMap</literal> provides
more security than relying on an
<literal>encryptedFields</literal> obtained from the server.
It protects against a malicious server advertising a false
<literal>encryptedFields</literal>.
</simpara>
</note>
</entry>
</row>
<row>
<entry>extraOptions</entry>
<entry><type>array</type></entry>
<entry>
<para>
The <literal>extraOptions</literal> relate to the
<literal>mongocryptd</literal> process. The following options
are supported:
</para>
<simplelist>
<member><literal>mongocryptdURI</literal> (<type>string</type>): URI to connect to an existing <literal>mongocryptd</literal> process. Defaults to <literal>"mongodb://localhost:27020"</literal>.</member>
<member><literal>mongocryptdBypassSpawn</literal> (<type>bool</type>): If &true;, prevent the driver from spawning <literal>mongocryptd</literal>. Defaults to &false;.</member>
<member><literal>mongocryptdSpawnPath</literal> (<type>string</type>): Absolute path to search for the <literal>mongocryptd</literal> binary. Defaults to empty string and consults system paths.</member>
<member><literal>mongocryptdSpawnArgs</literal> (<type>array</type>): Array of string arguments to pass to <literal>mongocryptd</literal> when spawning. Defaults to <literal>["--idleShutdownTimeoutSecs=60"]</literal>.</member>
<member><literal>cryptSharedLibPath</literal> (<type>string</type>): Absolute path to the <literal>crypt_shared</literal> shared library. Defaults to empty string and consults system paths.</member>
<member><literal>cryptSharedLibRequired</literal> (<type>bool</type>): If &true;, require the driver to load <literal>crypt_shared</literal>. Defaults to &false;.</member>
</simplelist>
<para>
See the <link xlink:href="&url.mongodb.specs;/blob/master/source/client-side-encryption/client-side-encryption.rst#extraoptions">Client-Side Encryption Specification</link> for more information.
</para>
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
<note>
<simpara>
Automatic encryption is an enterprise-only feature that only
applies to operations on a collection. Automatic encryption is not
supported for operations on a database or view, and operations that
are not bypassed will result in an error. To bypass automatic
encryption for all operations, set <literal>bypassAutoEncryption=true</literal>
in <literal>autoEncryption</literal>. For more information on
allowed operations, see the
<link xlink:href="&url.mongodb.specs;/blob/master/source/client-side-encryption/client-side-encryption.rst#libmongocrypt-auto-encryption-whitelist">Client-Side Encryption Specification</link>.
</simpara>
</note>
</entry>
</row>
<row>
<entry>ca_dir</entry>
<entry><type>string</type></entry>
<entry>
<para>
Path to a correctly hashed certificate directory. The system
certificate store will be used by default.
</para>
</entry>
</row>
<row>
<entry>crl_file</entry>
<entry><type>string</type></entry>
<entry>Path to a certificate revocation list file.</entry>
</row>
<row>
<entry>disableClientPersistence</entry>
<entry><type>bool</type></entry>
<entry>
<para>
If &true;, this Manager will use a new libmongoc client, which will
not be persisted or shared with other Manager objects. When this
Manager object is freed, its client will be destroyed and any
connections will be closed. Defaults to &false;.
</para>
<note>
<simpara>
Disabling client persistence is not generally recommended.
</simpara>
</note>
</entry>
</row>
<row>
<entry>driver</entry>
<entry><type>array</type></entry>
<entry>
<para>
Allows a higher level library to append its own metadata to the
server handshake. By default, the extension submits its own name,
version, and platform (i.e. PHP version) in the handshake. Strings
can be specified for the <literal>"name"</literal>,
<literal>"version"</literal>, and <literal>"platform"</literal> keys
of this array, and will be appended to the respective field(s) in
the handshake document.
</para>
<note>
<simpara>
Handshake information is limited to 512 bytes. The extension will
truncate handshake data to fit within this 512-byte string. Higher
level libraries are encouraged to keep their own metadata concise.
</simpara>
</note>
</entry>
</row>
<row>
<entry>serverApi</entry>
<entry><classname>MongoDB\Driver\ServerApi</classname></entry>
<entry>
<para>
This option is used to declare a server API version for the manager.
If omitted, no API version is declared.
</para>
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 role="errors">
&reftitle.errors;
<simplelist>
&mongodb.throws.argumentparsing;
<member>Throws <classname>MongoDB\Driver\Exception\RuntimeException</classname> if the <parameter>uri</parameter> format is invalid</member>
</simplelist>
</refsect1>
<refsect1 role="changelog">
&reftitle.changelog;
<para>
<informaltable>
<tgroup cols="2">
<thead>
<row>
<entry>&Version;</entry>
<entry>&Description;</entry>
</row>
</thead>
<tbody>
<row>
<entry>PECL mongodb 2.0.0</entry>
<entry>
<para>
The <literal>"canonicalizeHostname"</literal> URI option was removed.
Use the <literal>"CANONICALIZE_HOST_NAME"</literal> property of the
<literal>"authMechanismProperties"</literal> URI option instead.
</para>
<para>
The <literal>"gssapiServiceName"</literal> URI option was removed.
Use the <literal>"SERVICE_NAME"</literal> property of the
<literal>"authMechanismProperties"</literal> URI option instead.
</para>
<para>
The <literal>"safe"</literal> URI option was removed. Use the
<literal>"w"</literal> and <literal>"wTimeoutMS"</literal> URI options
instead.
</para>
<para>
The <literal>"ssl"</literal> URI option was removed. Use the
<literal>"tls"</literal> URI option instead.
</para>
<para>
The <literal>"allow_invalid_hostname"</literal> driver option was
removed. Use the <literal>"tlsAllowInvalidHostnames"</literal> URI
option instead.
</para>
<para>
The <literal>"ca_file"</literal> driver option was removed. Use the
<literal>"tlsCAFile"</literal> URI option instead.
</para>
<para>
The <literal>"context"</literal> driver option was removed. All context
options were deprecated in favor of the various URI options related to
TLS.
</para>
<para>
The <literal>"pem_file"</literal> driver option was removed. Use the
<literal>"tlsCertificateKeyFile"</literal> URI option instead.
</para>
<para>
The <literal>"pem_pwd"</literal> driver option was removed. Use the
<literal>"tlsCertificateKeyFilePassword"</literal> URI option instead.
</para>
<para>
The <literal>"weak_cert_validation"</literal> driver option was removed.
Use the <literal>"tlsAllowInvalidCertificates"</literal> URI option
instead.
</para>
</entry>
</row>
<row>
<entry>PECL mongodb 1.16.0</entry>
<entry>
<para>
The AWS KMS provider for client-side encryption now accepts a
<literal>"sessionToken"</literal> option, which can be used to
authenticate with temporary AWS credentials.
</para>
<para>
Added <literal>"tlsDisableOCSPEndpointCheck"</literal> to the
<literal>"tlsOptions"</literal> field of the
<literal>"autoEncryption"</literal> driver option.
</para>
<para>
If an empty document is specified for the <literal>"azure"</literal> or
<literal>"gcp"</literal> KMS provider, the driver will attempt to
configure the provider using
<link xlink:href="&url.mongodb.specs;/blob/master/source/client-side-encryption/client-side-encryption.rst#automatic-credentials">Automatic Credentials</link>.
</para>
</entry>
</row>
<row>
<entry>PECL mongodb 1.15.0</entry>
<entry>
<para>
If an empty document is specified for the <literal>"aws"</literal> KMS
provider, the driver will attempt to configure the provider using
<link xlink:href="&url.mongodb.specs;/blob/master/source/client-side-encryption/client-side-encryption.rst#automatic-credentials">Automatic Credentials</link>.
</para>
</entry>
</row>
<row>
<entry>PECL mongodb 1.14.0</entry>
<entry>
<para>
Added the <literal>"bypassQueryAnalysis"</literal> and
<literal>"encryptedFieldsMap"</literal> auto encryption options.
Additional options pertaining to <literal>crypt_shared</literal> are
now supported in the <literal>"extraOptions"</literal> auto encryption
option.
</para>
</entry>
</row>
<row>
<entry>PECL mongodb 1.13.0</entry>
<entry>
<para>
Added the <literal>"srvMaxHosts"</literal> and
<literal>"srvServiceName"</literal> URI options.
</para>
</entry>
</row>
<row>
<entry>PECL mongodb 1.12.0</entry>
<entry>
<para>
KMIP is now supported as a KMS provider for client-side encryption and