快速入门PostgreSQL应用开发与管理 - 5 数据定义
背景
本章大纲
1. 数据类型
2. 数据操作
3. 表管理
4. 视图
5. 约束
6. RLS(行安全策略)
第三章:数据定义
1. 数据类型
https://www.postgresql.org/docs/9.6/static/datatype.html
1、数值
| Name | Storage Size | Description | Range |
|---|---|---|---|
| smallint | 2 bytes | small-range integer | -32768 to +32767 |
| integer | 4 bytes | typical choice for integer | -2147483648 to +2147483647 |
| bigint | 8 bytes | large-range integer | -9223372036854775808 to +9223372036854775807 |
| decimal | variable | user-specified precision, exact | up to 131072 digits before the decimal point; up to 16383 digits after the decimal point |
| numeric | variable | user-specified precision, exact | up to 131072 digits before the decimal point; up to 16383 digits after the decimal point |
| real | 4 bytes | variable-precision, inexact | 6 decimal digits precision |
| double precision | 8 bytes | variable-precision, inexact | 15 decimal digits precision |
| smallserial | 2 bytes | small autoincrementing integer | 1 to 32767 |
| serial | 4 bytes | autoincrementing integer | 1 to 2147483647 |
| bigserial | 8 bytes | large autoincrementing integer | 1 to 9223372036854775807 |
NUMERIC(precision, scale)
精度够用时,建议float8,性能比numeric更好。
扩展浮点精度
postgres=# set extra_float_digits=3;
SET
2、货币(float8剪切的domain)
| Name | Storage Size | Description | Range |
|---|---|---|---|
| money | 8 bytes | currency amount | -92233720368547758.08 to +92233720368547758.07 |
3、字符串
| Name | Description |
|---|---|
| character varying(n), varchar(n) | variable-length with limit |
| character(n), char(n) | fixed-length, blank padded |
| text | variable unlimited length |
长度定义为字符长度,并非字节长度。
4、字节流
| Name | Storage Size | Description |
|---|---|---|
| bytea | 1 or 4 bytes plus the actual binary string | variable-length binary string |
输入格式
| Decimal Octet Value | Description | Escaped Input Representation | Example | Output Representation |
|---|---|---|---|---|
| 0 | zero octet | E'\\000' |
SELECT E'\\000'::bytea; |
\000 |
| 39 | single quote | '''' or E'\\047' |
SELECT E'\''::bytea; |
' |
| 92 | backslash | E'\\\\' or E'\\134' |
SELECT E'\\\\'::bytea; |
\\ |
| 0 to 31 and 127 to 255 | “non-printable” octets | E'\\xxx' (octal value) |
SELECT E'\\001'::bytea; |
\001 |
输出格式
| Decimal | Octet Value | Description | Escaped Output Representation | Example Output Result |
|---|---|---|---|---|
| 92 | backslash | \\ |
SELECT E'\\134'::bytea; |
\\ |
| 0 to 31 and 127 to 255 | “non-printable” octets | \xxx (octal value) |
SELECT E'\\001'::bytea; |
\001 |
| 32 to 126 | “printable” octets | client character set representation |
SELECT E'\\176'::bytea; |
~ |
5、日期、时间
| Name | Storage Size | Description | Low Value | High Value | Resolution |
|---|---|---|---|---|---|
| timestamp [ (p) ] [ without time zone ] | 8 bytes | both date and time (no time zone) | 4713 BC | 294276 AD | 1 microsecond / 14 digits |
| timestamp [ (p) ] with time zone | 8 bytes | both date and time, with time zone | 4713 BC | 294276 AD | 1 microsecond / 14 digits |
| date | 4 bytes | date (no time of day) | 4713 BC | 5874897 AD | 1 day |
| time [ (p) ] [ without time zone ] | 8 bytes | time of day (no date) | 00:00:00 |
24:00:00 |
1 microsecond / 14 digits |
| time [ (p) ] with time zone | 12 bytes | times of day only, with time zone | 00:00:00+1459 |
24:00:00-1459 |
1 microsecond / 14 digits |
| interval [ fields ] [ (p) ] | 16 bytes | time interval | -178000000 years | 178000000 years | 1 microsecond / 14 digits |
6、布尔
| Name | Storage Size | Description |
|---|---|---|
| boolean | 1 byte | state of true or false |
7、枚举
CREATE TYPE mood AS ENUM ('sad', 'ok', 'happy');
CREATE TABLE person (
name text,
current_mood mood
);
INSERT INTO person VALUES ('Moe', 'happy');
SELECT * FROM person WHERE current_mood = 'happy';
name | current_mood
------+--------------
Moe | happy
(1 row)
枚举顺序,与插入顺序一致
8、几何
| Name | Storage Size | Description | Representation |
|---|---|---|---|
| point | 16 bytes | Point on a plane | (x,y) |
| line | 32 bytes | Infinite line | {A,B,C} |
| lseg | 32 bytes | Finite line segment | ((x1,y1),(x2,y2)) |
| box | 32 bytes | Rectangular box | ((x1,y1),(x2,y2)) |
| path | 16+16n bytes | Closed path (similar to polygon) | ((x1,y1),…) |
| path | 16+16n bytes | Open path | [(x1,y1),…] |
| polygon | 40+16n bytes | Polygon (similar to closed path) | ((x1,y1),…) |
| circle | 24 bytes | Circle | <(x,y),r> (center point and radius) |
9、网络
| Name | Storage Size | Description |
|---|---|---|
| cidr | 7 or 19 bytes | IPv4 and IPv6 networks |
| inet | 7 or 19 bytes | IPv4 and IPv6 hosts and networks |
| macaddr | 6 bytes | MAC addresses |
10、比特流
CREATE TABLE test (a BIT(3), b BIT VARYING(5));
INSERT INTO test VALUES (B'101', B'00');
INSERT INTO test VALUES (B'10', B'101');
ERROR: bit string length 2 does not match type bit(3)
INSERT INTO test VALUES (B'10'::bit(3), B'101');
SELECT * FROM test;
a | b
-----+-----
101 | 00
100 | 101
11、全文检索
tsvector
SELECT 'a fat cat sat on a mat and ate a fat rat'::tsvector;
tsvector
----------------------------------------------------
'a' 'and' 'ate' 'cat' 'fat' 'mat' 'on' 'rat' 'sat'
tsquery
SELECT 'fat & rat'::tsquery;
tsquery
---------------
'fat' & 'rat'
SELECT 'fat & (rat | cat)'::tsquery;
tsquery
---------------------------
'fat' & ( 'rat' | 'cat' )
SELECT 'fat & rat & ! cat'::tsquery;
tsquery
------------------------
'fat' & 'rat' & !'cat'
全文检索例子
SELECT to_tsvector( 'postgraduate' ) @@ to_tsquery( 'postgres:*' );
?column?
----------
t
中文全文检索
https://github.com/jaiminpan/pg_jieba
postgres=# select to_tsvector('jiebacfg','中华人民共和国万岁,如何加快PostgreSQL结巴分词加载速度');
to_tsvector
------------------------------------------------------------------------------------------
'postgresql':6 '万岁':2 '中华人民共和国':1 '分词':8 '加快':5 '加载':9 '结巴':7 '速度':10
(1 row)
Time: 0.522 ms
postgres=# select 8*1000000/14.175527;
?column?
---------------------
564352.916120860974
(1 row)
Time: 0.743 ms
12、UUID
create extension "uuid-ossp";
| Function | Description |
|---|---|
| uuid_generate_v1() | This function generates a version 1 UUID. This involves the MAC address of the computer and a time stamp. Note that UUIDs of this kind reveal the identity of the computer that created the identifier and the time at which it did so, which might make it unsuitable for certain security-sensitive applications. |
| uuid_generate_v1mc() | This function generates a version 1 UUID but uses a random multicast MAC address instead of the real MAC address of the computer. |
| uuid_generate_v3(namespace uuid, name text) | This function generates a version 3 UUID in the given namespace using the specified input name. The namespace should be one of the special constants produced by the uuid_ns_*() functions shown in Table F-34. (It could be any UUID in theory.) The name is an identifier in the selected namespace. For example: SELECT uuid_generate_v3(uuid_ns_url(), ‘http://www.postgresql.org’); The name parameter will be MD5-hashed, so the cleartext cannot be derived from the generated UUID. The generation of UUIDs by this method has no random or environment-dependent element and is therefore reproducible. |
| uuid_generate_v4() | This function generates a version 4 UUID, which is derived entirely from random numbers. |
| uuid_generate_v5(namespace uuid, name text) | This function generates a version 5 UUID, which works like a version 3 UUID except that SHA-1 is used as a hashing method. Version 5 should be preferred over version 3 because SHA-1 is thought to be more secure than MD5. |
13、XML
To produce a value of type xml from character data, use the function xmlparse:
XMLPARSE ( { DOCUMENT | CONTENT } value)
Examples:
XMLPARSE (DOCUMENT '<?xml version="1.0"?><book><title>Manual</title><chapter>...</chapter></book>')
XMLPARSE (CONTENT 'abc<foo>bar</foo><bar>foo</bar>')
14、JSON
json内部支持的类型
| JSON primitive type | PostgreSQL type | Notes |
|---|---|---|
| string | text | \u0000 is disallowed, as are non-ASCII Unicode escapes if database encoding is not UTF8 |
| number | numeric | NaN and infinity values are disallowed |
| boolean | boolean | Only lowercase true and false spellings are accepted |
| null | (none) | SQL NULL is a different concept |
json和jsonb例子
SELECT '{"bar": "baz", "balance": 7.77, "active":false}'::json;
json
-------------------------------------------------
{"bar": "baz", "balance": 7.77, "active":false}
(1 row)
SELECT '{"bar": "baz", "balance": 7.77, "active":false}'::jsonb;
jsonb
--------------------------------------------------
{"bar": "baz", "active": false, "balance": 7.77}
(1 row)
SELECT '{"reading": 1.230e-5}'::json, '{"reading": 1.230e-5}'::jsonb;
json | jsonb
-----------------------+-------------------------
{"reading": 1.230e-5} | {"reading": 0.00001230}
(1 row)
15、数组
postgres=# select array(select generate_series(1,10));
array
------------------------
{1,2,3,4,5,6,7,8,9,10}
(1 row)
postgres=# select array['a','b','c'];
array
---------
{a,b,c}
(1 row)
postgres=# select array['a','b','c'] @> array['a'];
?column?
----------
t
(1 row)
数组操作
List of functions
Schema | Name | Result data type | Argument data types | Type
------------+-------------------------+------------------+-----------------------------------------------------------+--------
pg_catalog | array_agg | anyarray | anyarray | agg
pg_catalog | array_agg | anyarray | anynonarray | agg
pg_catalog | array_agg_array_finalfn | anyarray | internal, anyarray | normal
pg_catalog | array_agg_array_transfn | internal | internal, anyarray | normal
pg_catalog | array_agg_finalfn | anyarray | internal, anynonarray | normal
pg_catalog | array_agg_transfn | internal | internal, anynonarray | normal
pg_catalog | array_append | anyarray | anyarray, anyelement | normal
pg_catalog | array_cat | anyarray | anyarray, anyarray | normal
pg_catalog | array_dims | text | anyarray | normal
pg_catalog | array_eq | boolean | anyarray, anyarray | normal
pg_catalog | array_fill | anyarray | anyelement, integer[] | normal
pg_catalog | array_fill | anyarray | anyelement, integer[], integer[] | normal
pg_catalog | array_ge | boolean | anyarray, anyarray | normal
pg_catalog | array_gt | boolean | anyarray, anyarray | normal
pg_catalog | array_in | anyarray | cstring, oid, integer | normal
pg_catalog | array_larger | anyarray | anyarray, anyarray | normal
pg_catalog | array_le | boolean | anyarray, anyarray | normal
pg_catalog | array_length | integer | anyarray, integer | normal
pg_catalog | array_lower | integer | anyarray, integer | normal
pg_catalog | array_lt | boolean | anyarray, anyarray | normal
pg_catalog | array_ndims | integer | anyarray | normal
pg_catalog | array_ne | boolean | anyarray, anyarray | normal
pg_catalog | array_out | cstring | anyarray | normal
pg_catalog | array_position | integer | anyarray, anyelement | normal
pg_catalog | array_position | integer | anyarray, anyelement, integer | normal
pg_catalog | array_positions | integer[] | anyarray, anyelement | normal
pg_catalog | array_prepend | anyarray | anyelement, anyarray | normal
pg_catalog | array_recv | anyarray | internal, oid, integer | normal
pg_catalog | array_remove | anyarray | anyarray, anyelement | normal
pg_catalog | array_replace | anyarray | anyarray, anyelement, anyelement | normal
pg_catalog | array_send | bytea | anyarray | normal
pg_catalog | array_smaller | anyarray | anyarray, anyarray | normal
pg_catalog | array_to_json | json | anyarray | normal
pg_catalog | array_to_json | json | anyarray, boolean | normal
pg_catalog | array_to_string | text | anyarray, text | normal
pg_catalog | array_to_string | text | anyarray, text, text | normal
pg_catalog | array_to_tsvector | tsvector | text[] | normal
pg_catalog | array_typanalyze | boolean | internal | normal
pg_catalog | array_upper | integer | anyarray, integer | normal
pg_catalog | arraycontained | boolean | anyarray, anyarray | normal
pg_catalog | arraycontains | boolean | anyarray, anyarray | normal
pg_catalog | arraycontjoinsel | double precision | internal, oid, internal, smallint, internal | normal
pg_catalog | arraycontsel | double precision | internal, oid, internal, integer | normal
pg_catalog | arrayoverlap | boolean | anyarray, anyarray | normal
16、复合类型
CREATE TYPE complex AS (
r double precision,
i double precision
);
CREATE TYPE inventory_item AS (
name text,
supplier_id integer,
price numeric
);
构造复合类型值
'("fuzzy dice",42,1.99)'
which would be a valid value of the inventory_item type defined above. To make a field be NULL, write no characters at all in its position in the list.
'("fuzzy dice",42,)'
If you want an empty string rather than NULL, write double quotes:
'("",42,)'
访问复合类型内的元素
SELECT item.name FROM on_hand WHERE item.price > 9.99;
SELECT (on_hand.item).name FROM on_hand WHERE (on_hand.item).price > 9.99;
SELECT (item).name FROM on_hand WHERE (item).price > 9.99;
SELECT (myfunc(x)).* FROM some_table;
SELECT (myfunc(x)).a, (myfunc(x)).b, (myfunc(x)).c FROM some_table;
插入、修改复合类型的值
INSERT INTO mytab (complex_col) VALUES((1.1,2.2));
UPDATE mytab SET complex_col = ROW(1.1,2.2) WHERE ...;
UPDATE mytab SET complex_col.r = (complex_col).r + 1 WHERE ...;
INSERT INTO mytab (complex_col.r, complex_col.i) VALUES(1.1, 2.2);
17、范围类型
目前支持的范围类型(用户可以自定义范围类型)
int4range — Range of integer
int8range — Range of bigint
numrange — Range of numeric
tsrange — Range of timestamp without time zone
tstzrange — Range of timestamp with time zone
daterange — Range of date
例子
-- includes 3, does not include 7, and does include all points in between
SELECT '[3,7)'::int4range;
-- does not include either 3 or 7, but includes all points in between
SELECT '(3,7)'::int4range;
-- includes only the single point 4
SELECT '[4,4]'::int4range;
-- includes no points (and will be normalized to 'empty')
SELECT '[4,4)'::int4range;
范围类型索引
CREATE INDEX reservation_idx ON reservation USING GIST (during);
范围类型约束1
CREATE TABLE reservation (
during tsrange,
EXCLUDE USING GIST (during WITH &&)
);
INSERT INTO reservation VALUES
('[2010-01-01 11:30, 2010-01-01 15:00)');
INSERT 0 1
INSERT INTO reservation VALUES
('[2010-01-01 14:45, 2010-01-01 15:45)');
ERROR: conflicting key value violates exclusion constraint "reservation_during_excl"
DETAIL: Key (during)=(["2010-01-01 14:45:00","2010-01-01 15:45:00")) conflicts
with existing key (during)=(["2010-01-01 11:30:00","2010-01-01 15:00:00")).
范围类型约束2 (room相等 并且during相交时,排他)
CREATE EXTENSION btree_gist;
CREATE TABLE room_reservation (
room text,
during tsrange,
EXCLUDE USING GIST (room WITH =, during WITH &&)
);
INSERT INTO room_reservation VALUES
('123A', '[2010-01-01 14:00, 2010-01-01 15:00)');
INSERT 0 1
INSERT INTO room_reservation VALUES
('123A', '[2010-01-01 14:30, 2010-01-01 15:30)');
ERROR: conflicting key value violates exclusion constraint "room_reservation_room_during_excl"
DETAIL: Key (room, during)=(123A, ["2010-01-01 14:30:00","2010-01-01 15:30:00")) conflicts
with existing key (room, during)=(123A, ["2010-01-01 14:00:00","2010-01-01 15:00:00")).
INSERT INTO room_reservation VALUES
('123B', '[2010-01-01 14:30, 2010-01-01 15:30)');
INSERT 0 1
18、对象ID
数据库系统表,大多数使用OID关联
| Name | References | Description | Value Example |
|---|---|---|---|
| oid | any | numeric object identifier | 564182 |
| regproc | pg_proc | function name | sum |
| regprocedure | pg_proc | function with argument types | sum(int4) |
| regoper | pg_operator | operator name | + |
| regoperator | pg_operator | operator with argument types | *(integer,integer) or -(NONE,integer) |
| regclass | pg_class | relation name | pg_type |
| regtype | pg_type | data type name | integer |
| regrole | pg_authid | role name | smithee |
| regnamespace | pg_namespace | namespace name | pg_catalog |
| regconfig | pg_ts_config | text search configuration | english |
| regdictionary | pg_ts_dict | text search dictionary | simple |
例子
postgres=# select oid::regclass from pg_class limit 10;
oid
--------------------------------
pg_type
pg_toast.pg_toast_187550
new_type
pg_toast.pg_toast_187550_index
test
pg_toast.pg_toast_187556
pg_toast.pg_toast_187556_index
tblaccount4
pg_toast.pg_toast_187783
pg_toast.pg_toast_187783_index
(10 rows)
19、PG_LSN(WAL日志地址类型)
wal是PostgreSQL数据库的重做日志, pg_lsn是wal的地址编码类型
postgres=# select pg_current_xlog_insert_location();
pg_current_xlog_insert_location
---------------------------------
43/15D45F48
(1 row)
20、虚拟类型(any*)
虚拟类型,比如任意类型,任意数组,任意元素等。编写适合任意类型的动态函数时很有用。
还有一些是用于特殊用途的虚拟类型(触发器,handler等)
| Name | Description |
|---|---|
| any | Indicates that a function accepts any input data type. |
| anyelement | Indicates that a function accepts any data type (see Section 36.2.5). |
| anyarray | Indicates that a function accepts any array data type (see Section 36.2.5). |
| anynonarray | Indicates that a function accepts any non-array data type (see Section 36.2.5). |
| anyenum | Indicates that a function accepts any enum data type (see Section 36.2.5 and Section 8.7). |
| anyrange | Indicates that a function accepts any range data type (see Section 36.2.5 and Section 8.17). |
| cstring | Indicates that a function accepts or returns a null-terminated C string. |
| internal | Indicates that a function accepts or returns a server-internal data type. |
| language_handler | A procedural language call handler is declared to return language_handler. |
| fdw_handler | A foreign-data wrapper handler is declared to return fdw_handler. |
| index_am_handler | An index access method handler is declared to return index_am_handler. |
| tsm_handler | A tablesample method handler is declared to return tsm_handler. |
| record | Identifies a function taking or returning an unspecified row type. |
| trigger | A trigger function is declared to return trigger. |
| event_trigger | An event trigger function is declared to return event_trigger. |
| pg_ddl_command | Identifies a representation of DDL commands that is available to event triggers. |
| void | Indicates that a function returns no value. |
| opaque | An obsolete type name that formerly served all the above purposes. |
例子
postgres=# create or replace function f_test(anyarray) returns anyarray as $$
select $1;
$$ language sql strict;
CREATE FUNCTION
postgres=# select f_test(array[1,2,3]);
f_test
---------
{1,2,3}
(1 row)
postgres=# select f_test(array['a','b']);
f_test
--------
{a,b}
(1 row)
2. 数据操作
https://www.postgresql.org/docs/9.6/static/functions.html
1、函数
每一种类型,都有大量的函数,支持这种类型的计算。
在PostgreSQL中,所有的操作符,索引接口,都是基于函数的,底层都有函数的支撑。
2、操作符
每一种类型,都有大量的操作符,支持这种类型的计算。
每一个操作符,都是通过函数来实现计算的。
如何创建操作符
postgres=# \h create operator
Command: CREATE OPERATOR
Description: define a new operator
Syntax:
CREATE OPERATOR name (
PROCEDURE = function_name
[, LEFTARG = left_type ] [, RIGHTARG = right_type ]
[, COMMUTATOR = com_op ] [, NEGATOR = neg_op ]
[, RESTRICT = res_proc ] [, JOIN = join_proc ]
[, HASHES ] [, MERGES ]
)
如何查看操作符对应的函数
操作数1 , OP , 操作数2 , 结果 , 函数
postgres=# select oprleft::regtype,oprname,oprright::regtype,oprresult::regtype,oprcode::regproc from pg_operator ;
oprleft | oprname | oprright | oprresult | oprcode
-----------------------------+---------+-----------------------------+-----------------------------+------------------------------------
integer | = | bigint | boolean | int48eq
integer | <> | bigint | boolean | int48ne
integer | < | bigint | boolean | int48lt
integer | > | bigint | boolean | int48gt
integer | <= | bigint | boolean | int48le
integer | >= | bigint | boolean | int48ge
boolean | < | boolean | boolean | boollt
......
一元、二元操作符,指操作数的个数
如何查找参数中包含某个特定类型的函数
select proname,proallargtypes::regtype[],proargnames from pg_proc where proallargtypes @> array['integer'::regtype::oid];
如何查找操作数或结果中包含某个特定类型的操作符
select oprleft::regtype,oprname,oprright::regtype,oprresult::regtype,oprcode::regproc from pg_operator where oprleft='integer'::regtype or oprright='integer'::regtype or oprresult='integer'::regtype;
oprleft | oprname | oprright | oprresult | oprcode
----------+---------+----------+-----------+--------------------------
integer | = | bigint | boolean | int48eq
integer | <> | bigint | boolean | int48ne
integer | < | bigint | boolean | int48lt
integer | > | bigint | boolean | int48gt
integer | <= | bigint | boolean | int48le
integer | >= | bigint | boolean | int48ge
integer | = | integer | boolean | int4eq
integer | < | integer | boolean | int4lt
xid | = | integer | boolean | xideqint4
xid | <> | integer | boolean | xidneqint4
......
3. 表管理
建表
postgres=# \h create table
Command: CREATE TABLE
Description: define a new table
Syntax:
CREATE [ [ GLOBAL | LOCAL ] { TEMPORARY | TEMP } | UNLOGGED ] TABLE [ IF NOT EXISTS ] table_name ( [
{ column_name data_type [ COLLATE collation ] [ column_constraint [ ... ] ]
| table_constraint
| LIKE source_table [ like_option ... ] }
[, ... ]
] )
[ INHERITS ( parent_table [, ... ] ) ]
[ WITH ( storage_parameter [= value] [, ... ] ) | WITH OIDS | WITHOUT OIDS ]
[ ON COMMIT { PRESERVE ROWS | DELETE ROWS | DROP } ]
[ TABLESPACE tablespace_name ]
权限管理
设置某个用户,在某个SCHEMA下的所有对象的默认权限
postgres=# \h alter defau
Command: ALTER DEFAULT PRIVILEGES
Description: define default access privileges
Syntax:
ALTER DEFAULT PRIVILEGES
[ FOR { ROLE | USER } target_role [, ...] ]
[ IN SCHEMA schema_name [, ...] ]
abbreviated_grant_or_revoke
where abbreviated_grant_or_revoke is one of:
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON TABLES
TO { [ GROUP ] role_name | PUBLIC } [, ...] [ WITH GRANT OPTION ]
将postgres在public里面建立的表,默认赋予select给所有人(PUBLIC)
postgres=# alter default privileges for role postgres in schema public grant select on tables to public;
ALTER DEFAULT PRIVILEGES
postgres=# select * from pg_default_acl ;
defaclrole | defaclnamespace | defaclobjtype | defaclacl
------------+-----------------+---------------+---------------
10 | 181693 | r | {=r/postgres}
(1 row)
将某个schema下的所有表的某个权限赋予给某个用户
postgres=# \h grant
Command: GRANT
Description: define access privileges
Syntax:
GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
TO role_specification [, ...] [ WITH GRANT OPTION ]
将schema public里面的所有表的select权限赋予给所有人(PUBLIC)
postgres=# grant select on all tables in schema public to public;
GRANT
4. 视图
创建
postgres=# \h create view
Command: CREATE VIEW
Description: define a new view
Syntax:
CREATE [ OR REPLACE ] [ TEMP | TEMPORARY ] [ RECURSIVE ] VIEW name [ ( column_name [, ...] ) ]
[ WITH ( view_option_name [= view_option_value] [, ... ] ) ]
AS query
[ WITH [ CASCADED | LOCAL ] CHECK OPTION ]
修改
postgres=# \h alter view
Command: ALTER VIEW
Description: change the definition of a view
Syntax:
ALTER VIEW [ IF EXISTS ] name ALTER [ COLUMN ] column_name SET DEFAULT expression
ALTER VIEW [ IF EXISTS ] name ALTER [ COLUMN ] column_name DROP DEFAULT
ALTER VIEW [ IF EXISTS ] name OWNER TO { new_owner | CURRENT_USER | SESSION_USER }
ALTER VIEW [ IF EXISTS ] name RENAME TO new_name
ALTER VIEW [ IF EXISTS ] name SET SCHEMA new_schema
ALTER VIEW [ IF EXISTS ] name SET ( view_option_name [= view_option_value] [, ... ] )
ALTER VIEW [ IF EXISTS ] name RESET ( view_option_name [, ... ] )
普通视图只是QUERY结构,并没有数据,查询时会执行视图中的QUERY。
如果使用视图来隐藏数据,建议对视图使用security_barrier选项,防止使用优化器攻击视图。
digoal=# create table userinfo(id int, groupid int, username text, age int, addr text, email text, phone text);
CREATE TABLE
digoal=# insert into userinfo values (1, 1, 'digoal', 1000, '杭州西湖区', 'digoal@126.com', '13999999999');
INSERT 0 1
digoal=# insert into userinfo values (2, 1, 'test', 1000, '火星', 'digoal@126.com', '11999999999');
INSERT 0 1
digoal=# insert into userinfo values (3, 1, 'test', 1000, '月球', 'digoal@126.com', '11999999999');
INSERT 0 1
digoal=# insert into userinfo values (4, 2, 'test', 1000, '土星', 'digoal@126.com', '11999999999');
INSERT 0 1
digoal=# create view v_userinfo as select * from userinfo where groupid =2;
CREATE VIEW
digoal=# \c digoal digoal
You are now connected to database "digoal" as user "digoal".
digoal=> select * from userinfo;
ERROR: permission denied for relation userinfo
digoal=> select * from v_userinfo;
ERROR: permission denied for relation v_userinfo
digoal=> \c digoal postgres
You are now connected to database "digoal" as user "postgres".
digoal=# grant select on v_userinfo to digoal;
GRANT
digoal=# \c digoal digoal
You are now connected to database "digoal" as user "digoal".
digoal=> select * from v_userinfo;
id | groupid | username | age | addr | email | phone
----+---------+----------+------+------+----------------+-------------
4 | 2 | test | 1000 | 土星 | digoal@126.com | 11999999999
(1 row)
digoal=> create or replace function attack(int,int,text,int,text,text,text) returns boolean as $$
digoal$> declare
digoal$> begin
digoal$> raise notice '%,%,%,%,%,%,%', $1,$2,$3,$4,$5,$6,$7;
digoal$> return true;
digoal$> end;
digoal$> $$ language plpgsql cost 0.00000000000000000000001;
CREATE FUNCTION
digoal=> select * from v_userinfo;
id | groupid | username | age | addr | email | phone
----+---------+----------+------+------+----------------+-------------
4 | 2 | test | 1000 | 土星 | digoal@126.com | 11999999999
(1 row)
digoal=> select * from v_userinfo where attack(id,groupid,username,age,addr,email,phone);
NOTICE: 1,1,digoal,1000,杭州西湖区,digoal@126.com,13999999999
NOTICE: 2,1,test,1000,火星,digoal@126.com,11999999999
NOTICE: 3,1,test,1000,月球,digoal@126.com,11999999999
NOTICE: 4,2,test,1000,土星,digoal@126.com,11999999999
id | groupid | username | age | addr | email | phone
----+---------+----------+------+------+----------------+-------------
4 | 2 | test | 1000 | 土星 | digoal@126.com | 11999999999
(1 row)
设置视图的安全栅栏属性 :
使用普通的函数就不能攻击他了.
digoal=> \c digoal postgres
You are now connected to database "digoal" as user "postgres".
digoal=# create view v_userinfo_1 with(security_barrier) as select * from userinfo where id=2;
CREATE VIEW
digoal=# grant select on v_userinfo_1 to digoal;
GRANT
digoal=# \c digoal digoal
You are now connected to database "digoal" as user "digoal".
digoal=> select * from v_userinfo_1 where attack(id,groupid,username,age,addr,email,phone);
NOTICE: 2,1,test,1000,火星,digoal@126.com,11999999999
id | groupid | username | age | addr | email | phone
----+---------+----------+------+------+----------------+-------------
2 | 1 | test | 1000 | 火星 | digoal@126.com | 11999999999
(1 row)
如果把函数设置为leakproof, 就可以被攻击了.(只有超级用户可以创建leakproof函数)
digoal=> \c digoal postgres
You are now connected to database "digoal" as user "postgres".
digoal=# alter function digoal.attack(int,int,text,int,text,text,text) leakproof;
ALTER FUNCTION
digoal=# \c digoal digoal
You are now connected to database "digoal" as user "digoal".
digoal=> select * from v_userinfo_1 where attack(id,groupid,username,age,addr,email,phone);
NOTICE: 1,1,digoal,1000,杭州西湖区,digoal@126.com,13999999999
NOTICE: 2,1,test,1000,火星,digoal@126.com,11999999999
NOTICE: 3,1,test,1000,月球,digoal@126.com,11999999999
NOTICE: 4,2,test,1000,土星,digoal@126.com,11999999999
id | groupid | username | age | addr | email | phone
----+---------+----------+------+------+----------------+-------------
2 | 1 | test | 1000 | 火星 | digoal@126.com | 11999999999
(1 row)
物化视图是带数据的视图。可以对其创建索引。
创建物化视图
postgres=# \h create materialized view
Command: CREATE MATERIALIZED VIEW
Description: define a new materialized view
Syntax:
CREATE MATERIALIZED VIEW [ IF NOT EXISTS ] table_name
[ (column_name [, ...] ) ]
[ WITH ( storage_parameter [= value] [, ... ] ) ]
[ TABLESPACE tablespace_name ]
AS query
[ WITH [ NO ] DATA ]
postgres=# create materialized view mv1 as select * from pg_class;
<p>SELECT 456</p>
刷新物化视图数据
postgres=# \h refresh
Command: REFRESH MATERIALIZED VIEW
Description: replace the contents of a materialized view
Syntax:
REFRESH MATERIALIZED VIEW [ CONCURRENTLY ] name
[ WITH [ NO ] DATA ]
必须有PK或者UK,才能增量刷新物化视图
postgres=# refresh materialized view concurrently mv1;
ERROR: cannot refresh materialized view "public.mv1" concurrently
HINT: Create a unique index with no WHERE clause on one or more columns of the materialized view.
postgres=# create unique index uk_mv1 on mv1(relname);
CREATE INDEX
postgres=# refresh materialized view concurrently mv1;
REFRESH MATERIALIZED VIEW
5. 约束
1、主外键、唯一约束
reference key必须是唯一约束字段或PK字段。
postgres=# create table rtbl(id int primary key, info text);
CREATE TABLE
postgres=# create table ftbl(id int, c1 int references rtbl(id), info text);
CREATE TABLE
postgres=# \d+ rtbl
Table "public.rtbl"
Column | Type | Modifiers | Storage | Stats target | Description
--------+---------+-----------+----------+--------------+-------------
id | integer | not null | plain | |
info | text | | extended | |
Indexes:
"rtbl_pkey" PRIMARY KEY, btree (id)
Referenced by:
TABLE "ftbl" CONSTRAINT "ftbl_c1_fkey" FOREIGN KEY (c1) REFERENCES rtbl(id)
postgres=# \d+ ftbl
Table "public.ftbl"
Column | Type | Modifiers | Storage | Stats target | Description
--------+---------+-----------+----------+--------------+-------------
id | integer | | plain | |
c1 | integer | | plain | |
info | text | | extended | |
Foreign-key constraints:
"ftbl_c1_fkey" FOREIGN KEY (c1) REFERENCES rtbl(id)
2、check约束
postgres=# create table cktbl(id int check (id>=100), info text);
CREATE TABLE
postgres=# insert into cktbl values (1,'test');;
ERROR: new row for relation "cktbl" violates check constraint "cktbl_id_check"
DETAIL: Failing row contains (1, test).
3、排他约束
CREATE TABLE reservation (
during tsrange,
EXCLUDE USING GIST (during WITH &&)
);
INSERT INTO reservation VALUES
('[2010-01-01 11:30, 2010-01-01 15:00)');
INSERT 0 1
INSERT INTO reservation VALUES
('[2010-01-01 14:45, 2010-01-01 15:45)');
ERROR: conflicting key value violates exclusion constraint "reservation_during_excl"
DETAIL: Key (during)=(["2010-01-01 14:45:00","2010-01-01 15:45:00")) conflicts
with existing key (during)=(["2010-01-01 11:30:00","2010-01-01 15:00:00")).
4、约束判定时机
https://www.postgresql.org/docs/9.6/static/sql-set-constraints.html
https://www.postgresql.org/docs/9.6/static/sql-createtable.html
约束定义层面的设置, 参考alter table, create table语法。
是否允许延迟判定约束:
DEFERRABLE
NOT DEFERRABLE
如果配置了允许延迟判定是否违反约束,那么什么时候判定?
INITIALLY IMMEDIATE -- 语句结束时判定
INITIALLY DEFERRED -- 事务结束时判定
事务中设置(覆盖约束的定义设置)
SET CONSTRAINTS { ALL | name [, ...] } { DEFERRED | IMMEDIATE }
6. RLS(行安全策略)
行安全策略有利于隔离控制共享表在多个用户之间的数据呈现和使用.
实现方法,
创建针对表和角色的策略, 不同的角色对表记录的查询, 插入, 更新, 删除 可以有不同的控制方法.
postgres=# \h create policy
Command: CREATE POLICY
Description: define a new row level security policy for a table
Syntax:
CREATE POLICY name ON table_name
[ FOR { ALL | SELECT | INSERT | UPDATE | DELETE } ]
[ TO { role_name | PUBLIC | CURRENT_USER | SESSION_USER } [, ...] ]
[ USING ( using_expression ) ]
[ WITH CHECK ( check_expression ) ]
using 针对已经存在的记录的校验. 可实施在select, update, delete, ALL上.
whth check 针对将要新增的记录的校验, 可实施在insert, update, ALL上.
需要注意的是, UPDATE因为涉及旧的记录和新的记录, 如果只写了using , 但是没有提供with check的话, using同时会当成with check来使用进行检查.
如果针对同样的命令创建了多个策略, 所有策略中任意一个为TRUE都通过.
例如ALL, SELECT个创建了一个策略for role r1, 执行select时任意一个为TRUE都通过.
例如SELECT个创建了多个策略for role r1, 执行select时任意一个为TRUE都通过.
例子
创建三个角色
postgres=# create role r1 login;
CREATE ROLE
postgres=# create role r2 login;
CREATE ROLE
postgres=# create role r3 login;
CREATE ROLE
创建测试表
postgres=# create table test(id int, r name);
CREATE TABLE
postgres=# insert into test values(1, 'r1');
INSERT 0 1
postgres=# insert into test values(2, 'r2');
INSERT 0 1
postgres=# insert into test values(3, 'r3');
INSERT 0 1
postgres=# grant all on table test to public;
GRANT
创建一个新增数据的策略(使用with check)
postgres=# create policy p on test for insert to r1 with check( r = current_user);
CREATE POLICY
默认情况下策略是disable状态的,
postgres=# \d+ test
Table "public.test"
Column | Type | Modifiers | Storage | Stats target | Description
--------+---------+-----------+---------+--------------+-------------
id | integer | | plain | |
r | name | | plain | |
Policies (Row Security Disabled):
POLICY "p" FOR INSERT
TO r1
WITH CHECK (r = "current_user"())
通过pg_policies视图可以查看已经创建的策略.
postgres=# select * from pg_policies ;
schemaname | tablename | policyname | roles | cmd | qual | with_check
------------+-----------+------------+-------+--------+------+------------------------
public | test | p | {r1} | INSERT | | (r = "current_user"())
(1 row)
在策略enable前, 是无视策略的.
postgres=> insert into test values(4,'r1');
INSERT 0 1
postgres=> insert into test values(4,'r2');
INSERT 0 1
使策略生效
postgres=# alter table test enable row level security;
ALTER TABLE
postgres=> \d+ test
Table "public.test"
Column | Type | Modifiers | Storage | Stats target | Description
--------+---------+-----------+---------+--------------+-------------
id | integer | | plain | |
r | name | | plain | |
Policies:
POLICY "p" FOR INSERT
TO r1
WITH CHECK (r = "current_user"())
策略生效后, 再次插入, 你会看到只能插入和r1角色同名的r值.
postgres=# \c postgres r1
You are now connected to database "postgres" as user "r1".
postgres=> insert into test values(4,'r2');
ERROR: new row violates WITH CHECK OPTION for "test"
postgres=> insert into test values(4,'r1');
INSERT 0 1
再新增一个策略, 现在r1角色插入test表时, 允许r字段的值为’r1’,’r2’.
postgres=# create policy p1 on test for insert to r1 with check( r = 'r2');
CREATE POLICY
postgres=# \c postgres r1
You are now connected to database "postgres" as user "r1".
postgres=> insert into test values(4,'r2');
INSERT 0 1
postgres=> insert into test values(4,'r1');
INSERT 0 1
postgres=> insert into test values(4,'r3');
ERROR: new row violates WITH CHECK OPTION for "test"
创建旧值策略(using). 让r1用户只能查看到r=current_user的值.
postgres=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".\
postgres=# create policy p2 on test for select to r1 using ( r = current_user);
CREATE POLICY
postgres=# \c postgres r1
You are now connected to database "postgres" as user "r1".
postgres=> select * from test;
id | r
----+----
1 | r1
4 | r1
4 | r1
4 | r1
(4 rows)
创建一个针对所有用户的策略, 例如, 所有用户只能看到 r = current_user 的值.
postgres=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# create policy p3 on test for select to public using ( r = current_user);
CREATE POLICY
postgres=# \c postgres r2
You are now connected to database "postgres" as user "r2".
postgres=> select * from test;
id | r
----+----
2 | r2
4 | r2
4 | r2
(3 rows)
注意,这些策略只针对 非超级用户 以及 非table owner
postgres=> \c postgres postgres
You are now connected to database "postgres" as user "postgres".
postgres=# select * from test;
id | r
----+----
1 | r1
2 | r2
3 | r3
4 | r1
4 | r2
4 | r1
4 | r2
4 | r1
(8 rows)
把r1改为超级用户, 策略失效.
postgres=# alter role r1 superuser;
ALTER ROLE
postgres=# \c postgres r1
You are now connected to database "postgres" as user "r1".
postgres=# select * from test;
id | r
----+----
1 | r1
2 | r2
3 | r3
4 | r1
4 | r2
4 | r1
4 | r2
4 | r1
(8 rows)
对于update操作, 因为先需要查看数据, 然后才是插入数据, 所以先会执行using检查, 然后执行with check检查. 如果只有using, 那么with check还是需要检查的, 只不过会使用using策略.
如果只有with check则在查询数据时不检查, 但是插入时检查.
注意,一旦对用户创建了策略, 必须在所有命令(insert,update,delete,select)上创建, 否则默认采用拒绝方式.
例如, 现在有1个update的策略.
postgres=# \d test
Table "public.test"
Column | Type | Modifiers
--------+---------+-----------
id | integer |
r | name |
Policies:
POLICY "p4" FOR UPDATE
TO r3
USING (r = "current_user"())
postgres=# \c postgres r3
You are now connected to database "postgres" as user "r3".
因为针对r3角色创建了update策略, 但是没有创建其他命令的策略, 所以其他命令的策略默认为FALSE
postgres=> select * from test;
id | r
----+---
(0 rows)
更新操作应用了策略.
postgres=> update test set id=4 where r='r3';
UPDATE 1
postgres=> select * from test;
id | r
----+---
(0 rows)
现在创建SELECT的策略, 可以查询了
postgres=# create policy p1 on test for select to r3 using ( r = current_user);
CREATE POLICY
postgres=# \d+ test
Table "public.test"
Column | Type | Modifiers | Storage | Stats target | Description
--------+---------+-----------+---------+--------------+-------------
id | integer | | plain | |
r | name | | plain | |
Policies:
POLICY "p1" FOR SELECT
TO r3
USING (r = "current_user"())
POLICY "p4" FOR UPDATE
TO r3
USING (r = "current_user"())
postgres=# \c postgres r3
You are now connected to database "postgres" as user "r3".
postgres=> select * from test;
id | r
----+----
4 | r3
(1 row)
但是delete命令上还没有创建策略, 所以删除操作直接FALSE.
postgres=> delete from test ;
DELETE 0
在r1角色上, 没有创建任何策略, 所以操作是允许的.
postgres=> \c postgres r1
You are now connected to database "postgres" as user "r1".
postgres=# select * from test;
id | r
----+----
1 | r1
2 | r2
4 | r1
4 | r2
4 | r1
4 | r2
4 | r1
4 | r3
(8 rows)