| blob | 9fdf8b1d9176330dd4a5d70a3a3ef0fd50d4932f |
1 <!-- doc/src/sgml/rules.sgml -->
8 </indexterm>
10 <para>
11 This chapter discusses the rule system in
13 are conceptually simple, but there are many subtle points
14 involved in actually using them.
15 </para>
17 <para>
18 Some other database systems define active database rules, which
19 are usually stored procedures and triggers. In
21 using functions and triggers as well.
22 </para>
24 <para>
25 The rule system (more precisely speaking, the query rewrite rule
26 system) is totally different from stored procedures and triggers.
27 It modifies queries to take rules into consideration, and then
28 passes the modified query to the query planner for planning and
29 execution. It is very powerful, and can be used for many things
30 such as query language procedures, views, and versions. The
31 theoretical foundations and the power of this rule system are
34 </para>
41 </indexterm>
43 <para>
44 To understand how the rule system works it is necessary to know
45 when it is invoked and what its input and results are.
46 </para>
48 <para>
49 The rule system is located between the parser and the planner.
50 It takes the output of the parser, one query tree, and the user-defined
51 rewrite rules, which are also
52 query trees with some extra information, and creates zero or more
53 query trees as result. So its input and output are always things
54 the parser itself could have produced and thus, anything it sees
56 </para>
58 <para>
59 Now what is a query tree? It is an internal representation of an
61 built from are stored separately. These query trees can be shown
62 in the server log if you set the configuration parameters
66 stored as query trees, in the system catalog
68 the log output, but they contain exactly the same information.
69 </para>
71 <para>
72 Reading a raw query tree requires some experience. But since
74 sufficient to understand the rule system, this chapter will not
75 teach how to read them.
76 </para>
78 <para>
80 query trees in this chapter it is necessary to be able to identify
81 the parts the statement is broken into when it is in the query tree
82 structure. The parts of a query tree are
84 <variablelist>
85 <varlistentry>
86 <term>
87 the command type
88 </term>
89 <listitem>
90 <para>
91 This is a simple value telling which command
94 the query tree.
95 </para>
96 </listitem>
97 </varlistentry>
99 <varlistentry>
100 <term>
101 the range table
103 </term>
104 <listitem>
105 <para>
106 The range table is a list of relations that are used in the query.
109 </para>
111 <para>
112 Every range table entry identifies a table or view and tells
113 by which name it is called in the other parts of the query.
114 In the query tree, the range table entries are referenced by
115 number rather than by name, so here it doesn't matter if there
117 statement. This can happen after the range tables of rules
118 have been merged in. The examples in this chapter will not have
119 this situation.
120 </para>
121 </listitem>
122 </varlistentry>
124 <varlistentry>
125 <term>
126 the result relation
127 </term>
128 <listitem>
129 <para>
130 This is an index into the range table that identifies the
131 relation where the results of the query go.
132 </para>
134 <para>
139 separately here.)
140 </para>
142 <para>
145 (or view!) where the changes are to take effect.
146 </para>
147 </listitem>
148 </varlistentry>
150 <varlistentry>
151 <term>
152 the target list
154 </term>
155 <listitem>
156 <para>
157 The target list is a list of expressions that define the
158 result of the query. In the case of a
160 build the final output of the query. They correspond to the
163 abbreviation for all the column names of a relation. It is
164 expanded by the parser into the individual columns, so the
165 rule system never sees it.)
166 </para>
168 <para>
170 because they don't produce any result. Instead, the planner
172 to allow the executor to find the row to be deleted.
174 table. If it is a view, a whole-row variable is added instead, by
176 </para>
178 <para>
180 the new rows that should go into the result relation. It consists of the
183 ... SELECT</literal>. The first step of the rewrite process adds
184 target list entries for any columns that were not assigned to by
185 the original command but have defaults. Any remaining columns (with
186 neither a given value nor a default) will be filled in by the
187 planner with a constant null expression.
188 </para>
190 <para>
192 describes the new rows that should replace the old ones. In the
193 rule system, it contains just the expressions from the <literal>SET
194 column = expression</literal> part of the command. The planner will
195 handle missing columns by inserting expressions that copy the values
198 the executor can identify the old row to be updated.
199 </para>
201 <para>
202 Every entry in the target list contains an expression that can
203 be a constant value, a variable pointing to a column of one
204 of the relations in the range table, a parameter, or an expression
205 tree made of function calls, constants, variables, operators, etc.
206 </para>
207 </listitem>
208 </varlistentry>
210 <varlistentry>
211 <term>
212 the qualification
213 </term>
214 <listitem>
215 <para>
216 The query's qualification is an expression much like one of
217 those contained in the target list entries. The result value of
218 this expression is a Boolean that tells whether the operation
221 final result row should be executed or not. It corresponds to the <literal>WHERE</literal> clause
223 </para>
224 </listitem>
225 </varlistentry>
227 <varlistentry>
228 <term>
229 the join tree
230 </term>
231 <listitem>
232 <para>
237 are used, we have to join in the order shown by the joins.
239 restrictions associated with particular <literal>JOIN</literal> clauses (from <literal>ON</literal> or
241 to those join-tree nodes. It turns out to be convenient to store
243 top-level join-tree item, too. So really the join tree represents
244 both the <literal>FROM</literal> and <literal>WHERE</literal> clauses of a <command>SELECT</command>.
245 </para>
246 </listitem>
247 </varlistentry>
249 <varlistentry>
250 <term>
251 the others
252 </term>
253 <listitem>
254 <para>
256 clause aren't of interest here. The rule system
257 substitutes some entries there while applying rules, but that
258 doesn't have much to do with the fundamentals of the rule
259 system.
260 </para>
261 </listitem>
262 </varlistentry>
264 </variablelist>
265 </para>
266 </sect1>
274 </indexterm>
279 </indexterm>
281 <para>
283 using the rule system. A view is basically an empty table (having no
286 So a view like
288 <programlisting>
289 CREATE VIEW myview AS SELECT * FROM mytab;
290 </programlisting>
292 is very nearly the same thing as
294 <programlisting>
296 CREATE RULE "_RETURN" AS ON SELECT TO myview DO INSTEAD
297 SELECT * FROM mytab;
298 </programlisting>
300 although you can't actually write that, because tables are not
302 </para>
304 <para>
308 despite its lack of underlying storage.
309 This is discussed further below, in
311 </para>
319 </indexterm>
321 <para>
325 have different semantics from rules on the other command types in that they modify the
326 query tree in place instead of creating a new one. So
328 </para>
330 <para>
332 be an unconditional <command>SELECT</command> action that is <literal>INSTEAD</literal>. This restriction was
333 required to make rules safe enough to open them for ordinary users, and
335 </para>
337 <para>
338 The examples for this chapter are two join views that do some
339 calculations and some more views using them in turn. One of the
340 two first views is customized later by adding rules for
343 be a view that behaves like a real table with some magic
344 functionality. This is not such a simple example to start from and
345 this makes things harder to get into. But it's better to have one
346 example that covers all the points discussed step by step rather
347 than having many different ones that might mix up in mind.
348 </para>
350 <para>
351 The real tables we need in the first two rule system descriptions
352 are these:
354 <programlisting>
355 CREATE TABLE shoe_data (
356 shoename text, -- primary key
357 sh_avail integer, -- available number of pairs
358 slcolor text, -- preferred shoelace color
359 slminlen real, -- minimum shoelace length
360 slmaxlen real, -- maximum shoelace length
361 slunit text -- length unit
362 );
364 CREATE TABLE shoelace_data (
365 sl_name text, -- primary key
366 sl_avail integer, -- available number of pairs
367 sl_color text, -- shoelace color
368 sl_len real, -- shoelace length
369 sl_unit text -- length unit
370 );
372 CREATE TABLE unit (
373 un_name text, -- primary key
374 un_fact real -- factor to transform to cm
375 );
376 </programlisting>
378 As you can see, they represent shoe-store data.
379 </para>
381 <para>
382 The views are created as:
384 <programlisting>
385 CREATE VIEW shoe AS
386 SELECT sh.shoename,
387 sh.sh_avail,
388 sh.slcolor,
389 sh.slminlen,
390 sh.slminlen * un.un_fact AS slminlen_cm,
391 sh.slmaxlen,
392 sh.slmaxlen * un.un_fact AS slmaxlen_cm,
393 sh.slunit
394 FROM shoe_data sh, unit un
395 WHERE sh.slunit = un.un_name;
397 CREATE VIEW shoelace AS
398 SELECT s.sl_name,
399 s.sl_avail,
400 s.sl_color,
401 s.sl_len,
402 s.sl_unit,
403 s.sl_len * u.un_fact AS sl_len_cm
404 FROM shoelace_data s, unit u
405 WHERE s.sl_unit = u.un_name;
407 CREATE VIEW shoe_ready AS
408 SELECT rsh.shoename,
409 rsh.sh_avail,
410 rsl.sl_name,
411 rsl.sl_avail,
412 least(rsh.sh_avail, rsl.sl_avail) AS total_avail
413 FROM shoe rsh, shoelace rsl
414 WHERE rsl.sl_color = rsh.slcolor
415 AND rsl.sl_len_cm >= rsh.slminlen_cm
416 AND rsl.sl_len_cm <= rsh.slmaxlen_cm;
417 </programlisting>
424 is referenced in a query's range table. The rule has no rule
426 <command>SELECT</command> rules currently cannot have them) and it is <literal>INSTEAD</literal>. Note
427 that rule qualifications are not the same as query qualifications.
428 The action of our rule has a query qualification.
429 The action of the rule is one query tree that is a copy of the
431 </para>
433 <note>
434 <para>
435 The two extra range
439 </para>
440 </note>
442 <para>
446 <programlisting>
447 INSERT INTO unit VALUES ('cm', 1.0);
448 INSERT INTO unit VALUES ('m', 100.0);
449 INSERT INTO unit VALUES ('inch', 2.54);
465 SELECT * FROM shoelace;
467 sl_name | sl_avail | sl_color | sl_len | sl_unit | sl_len_cm
468 -----------+----------+----------+--------+---------+-----------
477 (8 rows)
478 </programlisting>
479 </para>
481 <para>
483 views, so we take this opportunity to explain the basics of view
485 interpreted by the parser and produced the query tree:
487 <programlisting>
488 SELECT shoelace.sl_name, shoelace.sl_avail,
489 shoelace.sl_color, shoelace.sl_len,
490 shoelace.sl_unit, shoelace.sl_len_cm
491 FROM shoelace shoelace;
492 </programlisting>
494 and this is given to the rule system. The rule system walks through the
495 range table and checks if there are rules
496 for any relation. When processing the range table entry for
500 <programlisting>
501 SELECT s.sl_name, s.sl_avail,
502 s.sl_color, s.sl_len, s.sl_unit,
503 s.sl_len * u.un_fact AS sl_len_cm
504 FROM shoelace old, shoelace new,
505 shoelace_data s, unit u
506 WHERE s.sl_unit = u.un_name;
507 </programlisting>
508 </para>
510 <para>
511 To expand the view, the rewriter simply creates a subquery range-table
512 entry containing the rule's action query tree, and substitutes this
513 range table entry for the original one that referenced the view. The
514 resulting rewritten query tree is almost the same as if you had typed:
516 <programlisting>
517 SELECT shoelace.sl_name, shoelace.sl_avail,
518 shoelace.sl_color, shoelace.sl_len,
519 shoelace.sl_unit, shoelace.sl_len_cm
520 FROM (SELECT s.sl_name,
521 s.sl_avail,
522 s.sl_color,
523 s.sl_len,
524 s.sl_unit,
525 s.sl_len * u.un_fact AS sl_len_cm
526 FROM shoelace_data s, unit u
527 WHERE s.sl_unit = u.un_name) shoelace;
528 </programlisting>
530 There is one difference however: the subquery's range table has two
531 extra entries <literal>shoelace old</literal> and <literal>shoelace new</literal>. These entries don't
532 participate directly in the query, since they aren't referenced by
533 the subquery's join tree or target list. The rewriter uses them
534 to store the access privilege check information that was originally present
535 in the range-table entry that referenced the view. In this way, the
536 executor will still check that the user has proper privileges to access
537 the view, even though there's no direct use of the view in the rewritten
538 query.
539 </para>
541 <para>
542 That was the first rule applied. The rule system will continue checking
543 the remaining range-table entries in the top query (in this example there
544 are no more), and it will recursively check the range-table entries in
545 the added subquery to see if any of them reference views. (But it
546 won't expand <literal>old</literal> or <literal>new</literal> — otherwise we'd have infinite recursion!)
547 In this example, there are no rewrite rules for <literal>shoelace_data</literal> or <literal>unit</literal>,
548 so rewriting is complete and the above is the final result given to
549 the planner.
550 </para>
552 <para>
553 Now we want to write a query that finds out for which shoes currently in the store
554 we have the matching shoelaces (color and length) and where the
555 total number of exactly matching pairs is greater than or equal to two.
557 <programlisting>
560 shoename | sh_avail | sl_name | sl_avail | total_avail
561 ----------+----------+---------+----------+-------------
564 (2 rows)
565 </programlisting>
566 </para>
568 <para>
569 The output of the parser this time is the query tree:
571 <programlisting>
572 SELECT shoe_ready.shoename, shoe_ready.sh_avail,
573 shoe_ready.sl_name, shoe_ready.sl_avail,
574 shoe_ready.total_avail
575 FROM shoe_ready shoe_ready
577 </programlisting>
579 The first rule applied will be the one for the
581 query tree:
583 <programlisting>
584 SELECT shoe_ready.shoename, shoe_ready.sh_avail,
585 shoe_ready.sl_name, shoe_ready.sl_avail,
586 shoe_ready.total_avail
587 FROM (SELECT rsh.shoename,
588 rsh.sh_avail,
589 rsl.sl_name,
590 rsl.sl_avail,
591 least(rsh.sh_avail, rsl.sl_avail) AS total_avail
592 FROM shoe rsh, shoelace rsl
593 WHERE rsl.sl_color = rsh.slcolor
594 AND rsl.sl_len_cm >= rsh.slminlen_cm
595 AND rsl.sl_len_cm <= rsh.slmaxlen_cm) shoe_ready
597 </programlisting>
601 the subquery, leading to a three-level final query tree:
603 <programlisting>
604 SELECT shoe_ready.shoename, shoe_ready.sh_avail,
605 shoe_ready.sl_name, shoe_ready.sl_avail,
606 shoe_ready.total_avail
607 FROM (SELECT rsh.shoename,
608 rsh.sh_avail,
609 rsl.sl_name,
610 rsl.sl_avail,
611 least(rsh.sh_avail, rsl.sl_avail) AS total_avail
612 FROM (SELECT sh.shoename,
613 sh.sh_avail,
614 sh.slcolor,
615 sh.slminlen,
616 sh.slminlen * un.un_fact AS slminlen_cm,
617 sh.slmaxlen,
618 sh.slmaxlen * un.un_fact AS slmaxlen_cm,
619 sh.slunit
620 FROM shoe_data sh, unit un
621 WHERE sh.slunit = un.un_name) rsh,
622 (SELECT s.sl_name,
623 s.sl_avail,
624 s.sl_color,
625 s.sl_len,
626 s.sl_unit,
627 s.sl_len * u.un_fact AS sl_len_cm
628 FROM shoelace_data s, unit u
629 WHERE s.sl_unit = u.un_name) rsl
630 WHERE rsl.sl_color = rsh.slcolor
631 AND rsl.sl_len_cm >= rsh.slminlen_cm
632 AND rsl.sl_len_cm <= rsh.slmaxlen_cm) shoe_ready
634 </programlisting>
635 </para>
637 <para>
638 This might look inefficient, but the planner will collapse this into a
640 and then it will plan the joins just as if we'd written them out
641 manually. So collapsing the query tree is an optimization that the
642 rewrite system doesn't have to concern itself with.
643 </para>
644 </sect2>
649 <para>
650 Two details of the query tree aren't touched in the description of
651 view rules above. These are the command type and the result relation.
652 In fact, the command type is not needed by view rules, but the result
653 relation may affect the way in which the query rewriter works, because
654 special care needs to be taken if the result relation is a view.
655 </para>
657 <para>
658 There are only a few differences between a query tree for a
660 command. Obviously, they have a different command type and for a
662 relation points to the range-table entry where the result should
663 go. Everything else is absolutely the same. So having two tables
667 <programlisting>
668 SELECT t2.b FROM t1, t2 WHERE t1.a = t2.a;
670 UPDATE t1 SET b = t2.b FROM t2 WHERE t1.a = t2.a;
671 </programlisting>
673 are nearly identical. In particular:
675 <itemizedlist>
676 <listitem>
677 <para>
678 The range tables contain entries for the tables <literal>t1</literal> and <literal>t2</literal>.
679 </para>
680 </listitem>
682 <listitem>
683 <para>
684 The target lists contain one variable that points to column
686 </para>
687 </listitem>
689 <listitem>
690 <para>
692 range-table entries for equality.
693 </para>
694 </listitem>
696 <listitem>
697 <para>
699 </para>
700 </listitem>
701 </itemizedlist>
702 </para>
704 <para>
705 The consequence is, that both query trees result in similar
706 execution plans: They are both joins over the two tables. For the
708 the target list by the planner and the final query tree will read
709 as:
711 <programlisting>
712 UPDATE t1 SET a = t1.a, b = t2.b FROM t2 WHERE t1.a = t2.a;
713 </programlisting>
715 and thus the executor run over the join will produce exactly the
716 same result set as:
718 <programlisting>
719 SELECT t1.a, t2.b FROM t1, t2 WHERE t1.a = t2.a;
720 </programlisting>
722 But there is a little problem in
724 the join does not care what the results from the join are
725 meant for. It just produces a result set of rows. The fact that
730 that are there has to be replaced by the new row?
731 </para>
733 <para>
734 To resolve this problem, another entry is added to the target list
738 This is a system column containing the
739 file block number and position in the block for the row. Knowing
744 <programlisting>
745 SELECT t1.a, t2.b, t1.ctid FROM t1, t2 WHERE t1.a = t2.a;
746 </programlisting>
749 the stage. Old table rows aren't overwritten, and this
751 the new result row is inserted into the table (after stripping the
755 and current transaction ID. Thus the old row is hidden, and after
756 the transaction commits the vacuum cleaner can eventually remove
757 the dead row.
758 </para>
760 <para>
761 Knowing all that, we can simply apply view rules in absolutely
762 the same way to any command. There is no difference.
763 </para>
764 </sect2>
769 <para>
770 The above demonstrates how the rule system incorporates view
771 definitions into the original query tree. In the second example, a
774 different names).
775 </para>
777 <para>
778 The benefit of implementing views with the rule system is
779 that the planner has all
780 the information about which tables have to be scanned plus the
781 relationships between these tables plus the restrictive
782 qualifications from the views plus the qualifications from
783 the original query
784 in one single query tree. And this is still the situation
785 when the original query is already a join over views.
786 The planner has to decide which is
787 the best path to execute the query, and the more information
788 the planner has, the better this decision can be. And
790 ensures that this is all information available about the query
791 up to that point.
792 </para>
793 </sect2>
798 <para>
799 What happens if a view is named as the target relation for an
802 substitutions described above would give a query tree in which the result
803 relation points at a subquery range-table entry, which will not
805 can support the appearance of updating a view, however.
806 In order of user-experienced complexity those are: automatically substitute
807 in the underlying table for the view, execute a user-defined trigger,
808 or rewrite the query per a user-defined rule.
809 These options are discussed below.
810 </para>
812 <para>
813 If the subquery selects from a single base relation and is simple
814 enough, the rewriter can automatically replace the subquery with the
820 information on the kinds of view that can be automatically updated, see
822 </para>
824 <para>
825 Alternatively, the operation may be handled by a user-provided
828 Rewriting works slightly differently
830 nothing at all with the view, leaving it as the result relation
834 attempt to update, delete, or merge. So the view is expanded as normal,
835 but another unexpanded range-table entry is added to the query
836 to represent the view in its capacity as the result relation.
837 </para>
839 <para>
840 The problem that now arises is how to identify the rows to be
841 updated in the view. Recall that when the result relation
843 list to identify the physical locations of the rows to be updated.
844 This does not work if the result relation is a view, because a view
849 which expands to include all columns from the view. The executor uses this
852 out what to update based on the old and new row values.
853 </para>
855 <para>
859 a view. These rules will rewrite the command, typically into a command
860 that updates one or more tables, rather than views. That is the topic
864 </para>
866 <para>
867 Note that rules are evaluated first, rewriting the original query
868 before it is planned and executed. Therefore, if a view has
871 evaluated first, and depending on the result, the triggers may not be
872 used at all.
873 </para>
875 <para>
879 simple view is always tried last. Therefore, if a view has rules or
880 triggers, they will override the default behavior of automatically
881 updatable views.
882 </para>
884 <para>
886 triggers for the view, and the rewriter cannot automatically rewrite
887 the query as an update on the underlying base relation, an error will
888 be thrown because the executor cannot update a view as such.
889 </para>
891 </sect2>
893 </sect1>
901 </indexterm>
906 </indexterm>
911 </indexterm>
913 <para>
915 rule system like views do, but persist the results in a table-like form.
916 The main differences between:
918 <programlisting>
919 CREATE MATERIALIZED VIEW mymatview AS SELECT * FROM mytab;
920 </programlisting>
922 and:
924 <programlisting>
925 CREATE TABLE mymatview AS SELECT * FROM mytab;
926 </programlisting>
928 are that the materialized view cannot subsequently be directly updated
929 and that the query used to create the materialized view is stored in
930 exactly the same way that a view's query is stored, so that fresh data
931 can be generated for the materialized view with:
933 <programlisting>
934 REFRESH MATERIALIZED VIEW mymatview;
935 </programlisting>
937 The information about a materialized view in the
939 the same as it is for a table or view. So for the parser, a
940 materialized view is a relation, just like a table or a view. When
941 a materialized view is referenced in a query, the data is returned
942 directly from the materialized view, like from a table; the rule is
943 only used for populating the materialized view.
944 </para>
946 <para>
947 While access to the data stored in a materialized view is often much
948 faster than accessing the underlying tables directly or through a view,
949 the data is not always current; yet sometimes current data is not needed.
950 Consider a table which records sales:
952 <programlisting>
953 CREATE TABLE invoice (
954 invoice_no integer PRIMARY KEY,
955 seller_no integer, -- ID of salesperson
956 invoice_date date, -- date of sale
958 );
959 </programlisting>
961 If people want to be able to quickly graph historical sales data, they
962 might want to summarize, and they may not care about the incomplete data
963 for the current date:
965 <programlisting>
966 CREATE MATERIALIZED VIEW sales_summary AS
967 SELECT
968 seller_no,
969 invoice_date,
971 FROM invoice
972 WHERE invoice_date < CURRENT_DATE
973 GROUP BY
974 seller_no,
975 invoice_date;
977 CREATE UNIQUE INDEX sales_summary_seller
978 ON sales_summary (seller_no, invoice_date);
979 </programlisting>
981 This materialized view might be useful for displaying a graph in the
982 dashboard created for salespeople. A job could be scheduled to update
983 the statistics each night using this SQL statement:
985 <programlisting>
986 REFRESH MATERIALIZED VIEW sales_summary;
987 </programlisting>
988 </para>
990 <para>
991 Another use for a materialized view is to allow faster access to data
992 brought across from a remote system through a foreign data wrapper.
994 but since this is using cache on the local system the performance
995 difference compared to access to a remote system would usually be greater
996 than shown here. Notice we are also exploiting the ability to put an
998 not support indexes; this advantage might not apply for other sorts of
999 foreign data access.
1000 </para>
1002 <para>
1003 Setup:
1005 <programlisting>
1006 CREATE EXTENSION file_fdw;
1007 CREATE SERVER local_file FOREIGN DATA WRAPPER file_fdw;
1008 CREATE FOREIGN TABLE words (word text NOT NULL)
1009 SERVER local_file
1010 OPTIONS (filename '/usr/share/dict/words');
1011 CREATE MATERIALIZED VIEW wrd AS SELECT * FROM words;
1012 CREATE UNIQUE INDEX wrd_word ON wrd (word);
1013 CREATE EXTENSION pg_trgm;
1014 CREATE INDEX wrd_trgm ON wrd USING gist (word gist_trgm_ops);
1015 VACUUM ANALYZE wrd;
1016 </programlisting>
1020 <programlisting>
1021 SELECT count(*) FROM words WHERE word = 'caterpiler';
1023 count
1024 -------
1025 0
1026 (1 row)
1027 </programlisting>
1031 <programlisting>
1032 Aggregate (cost=21763.99..21764.00 rows=1 width=0) (actual time=188.180..188.181 rows=1 loops=1)
1033 -> Foreign Scan on words (cost=0.00..21761.41 rows=1032 width=0) (actual time=188.177..188.177 rows=0 loops=1)
1034 Filter: (word = 'caterpiler'::text)
1035 Rows Removed by Filter: 479829
1036 Foreign File: /usr/share/dict/words
1037 Foreign File Size: 4953699
1038 Planning time: 0.118 ms
1039 Execution time: 188.273 ms
1040 </programlisting>
1042 If the materialized view is used instead, the query is much faster:
1044 <programlisting>
1046 -> Index Only Scan using wrd_word on wrd (cost=0.42..4.44 rows=1 width=0) (actual time=0.039..0.039 rows=0 loops=1)
1047 Index Cond: (word = 'caterpiler'::text)
1048 Heap Fetches: 0
1049 Planning time: 0.164 ms
1050 Execution time: 0.117 ms
1051 </programlisting>
1053 Either way, the word is spelled wrong, so let's look for what we might
1057 <programlisting>
1060 word
1061 ---------------
1062 cater
1063 caterpillar
1064 Caterpillar
1065 caterpillars
1066 caterpillar's
1067 Caterpillar's
1068 caterer
1069 caterer's
1070 caters
1071 catered
1072 (10 rows)
1073 </programlisting>
1075 <programlisting>
1076 Limit (cost=11583.61..11583.64 rows=10 width=32) (actual time=1431.591..1431.594 rows=10 loops=1)
1077 -> Sort (cost=11583.61..11804.76 rows=88459 width=32) (actual time=1431.589..1431.591 rows=10 loops=1)
1079 Sort Method: top-N heapsort Memory: 25kB
1080 -> Foreign Scan on words (cost=0.00..9672.05 rows=88459 width=32) (actual time=0.057..1286.455 rows=479829 loops=1)
1081 Foreign File: /usr/share/dict/words
1082 Foreign File Size: 4953699
1083 Planning time: 0.128 ms
1084 Execution time: 1431.679 ms
1085 </programlisting>
1087 Using the materialized view:
1089 <programlisting>
1091 -> Index Scan using wrd_trgm on wrd (cost=0.29..37020.87 rows=479829 width=10) (actual time=187.219..188.252 rows=10 loops=1)
1093 Planning time: 0.196 ms
1094 Execution time: 198.640 ms
1095 </programlisting>
1097 If you can tolerate periodic update of the remote data to the local
1098 database, the performance benefit can be substantial.
1099 </para>
1101 </sect1>
1104 <title>Rules on <command>INSERT</command>, <command>UPDATE</command>, and <command>DELETE</command></title>
1109 </indexterm>
1114 </indexterm>
1119 </indexterm>
1121 <para>
1124 described in the previous sections. First, their <command>CREATE
1125 RULE</command> command allows more:
1127 <itemizedlist>
1128 <listitem>
1129 <para>
1130 They are allowed to have no action.
1131 </para>
1132 </listitem>
1134 <listitem>
1135 <para>
1136 They can have multiple actions.
1137 </para>
1138 </listitem>
1140 <listitem>
1141 <para>
1143 </para>
1144 </listitem>
1146 <listitem>
1147 <para>
1149 </para>
1150 </listitem>
1152 <listitem>
1153 <para>
1154 They can have rule qualifications.
1155 </para>
1156 </listitem>
1157 </itemizedlist>
1159 Second, they don't modify the query tree in place. Instead they
1160 create zero or more new query trees and can throw away the
1161 original one.
1162 </para>
1164 <caution>
1165 <para>
1166 In many cases, tasks that could be performed by rules
1167 on <command>INSERT</command>/<command>UPDATE</command>/<command>DELETE</command> are better done
1168 with triggers. Triggers are notationally a bit more complicated, but their
1169 semantics are much simpler to understand. Rules tend to have surprising
1170 results when the original query contains volatile functions: volatile
1171 functions may get executed more times than expected in the process of
1172 carrying out the rules.
1173 </para>
1175 <para>
1176 Also, there are some cases that are not supported by these types of rules at
1180 into a rule query would result in multiple evaluations of the sub-query,
1181 contrary to the express intent of the query's author.
1182 </para>
1183 </caution>
1188 <para>
1189 Keep the syntax:
1191 <programlisting>
1192 CREATE [ OR REPLACE ] RULE <replaceable class="parameter">name</replaceable> AS ON <replaceable class="parameter">event</replaceable>
1193 TO <replaceable class="parameter">table</replaceable> [ WHERE <replaceable class="parameter">condition</replaceable> ]
1194 DO [ ALSO | INSTEAD ] { NOTHING | <replaceable class="parameter">command</replaceable> | ( <replaceable class="parameter">command</replaceable> ; <replaceable class="parameter">command</replaceable> ... ) }
1195 </programlisting>
1197 in mind.
1200 </para>
1202 <para>
1203 Update rules get applied by the rule system when the result
1204 relation and the command type of a query tree are equal to the
1206 For update rules, the rule system creates a list of query trees.
1207 Initially the query-tree list is empty.
1209 To simplify, we will look at a rule with one action. This rule
1212 </para>
1214 <para>
1215 What is a rule qualification? It is a restriction that tells
1216 when the actions of the rule should be done and when not. This
1217 qualification can only reference the pseudorelations <literal>NEW</literal> and/or <literal>OLD</literal>,
1218 which basically represent the relation that was given as object (but with a
1219 special meaning).
1220 </para>
1222 <para>
1223 So we have three cases that produce the following query trees for
1224 a one-action rule.
1226 <variablelist>
1227 <varlistentry>
1230 <listitem>
1231 <para>
1232 the query tree from the rule action with the original query
1233 tree's qualification added
1234 </para>
1235 </listitem>
1236 </varlistentry>
1238 <varlistentry>
1240 <listitem>
1241 <para>
1242 the query tree from the rule action with the rule
1243 qualification and the original query tree's qualification
1244 added
1245 </para>
1246 </listitem>
1247 </varlistentry>
1249 <varlistentry>
1251 <listitem>
1252 <para>
1253 the query tree from the rule action with the rule
1254 qualification and the original query tree's qualification; and
1255 the original query tree with the negated rule qualification
1256 added
1257 </para>
1258 </listitem>
1259 </varlistentry>
1260 </variablelist>
1264 original query tree, we end up with either one or two output query trees
1265 for a rule with one action.
1266 </para>
1268 <para>
1269 For <literal>ON INSERT</literal> rules, the original query (if not suppressed by <literal>INSTEAD</literal>)
1270 is done before any actions added by rules. This allows the actions to
1272 DELETE</literal> rules, the original query is done after the actions added by rules.
1273 This ensures that the actions can see the to-be-updated or to-be-deleted
1274 rows; otherwise, the actions might do nothing because they find no rows
1275 matching their qualifications.
1276 </para>
1278 <para>
1279 The query trees generated from rule actions are thrown into the
1280 rewrite system again, and maybe more rules get applied resulting
1281 in additional or fewer query trees.
1282 So a rule's actions must have either a different
1283 command type or a different result relation than the rule itself is
1284 on, otherwise this recursive process will end up in an infinite loop.
1285 (Recursive expansion of a rule will be detected and reported as an
1286 error.)
1287 </para>
1289 <para>
1290 The query trees found in the actions of the
1292 templates. Since they can reference the range-table entries for
1293 <literal>NEW</literal> and <literal>OLD</literal>, some substitutions have to be made before they can be
1295 query is searched for a corresponding entry. If found, that
1299 replaced by a reference to the range-table entry that is the
1300 result relation.
1301 </para>
1303 <para>
1304 After the system is done applying update rules, it applies view rules to the
1305 produced query tree(s). Views cannot insert new update actions so
1306 there is no need to apply update rules to the output of view rewriting.
1307 </para>
1312 <para>
1315 and a rule that conditionally writes a log entry when an
1319 <programlisting>
1320 CREATE TABLE shoelace_log (
1321 sl_name text, -- shoelace changed
1322 sl_avail integer, -- new available value
1323 log_who text, -- who did it
1324 log_when timestamp -- when
1325 );
1327 CREATE RULE log_shoelace AS ON UPDATE TO shoelace_data
1328 WHERE NEW.sl_avail <> OLD.sl_avail
1329 DO INSERT INTO shoelace_log VALUES (
1330 NEW.sl_name,
1331 NEW.sl_avail,
1332 current_user,
1333 current_timestamp
1334 );
1335 </programlisting>
1336 </para>
1338 <para>
1339 Now someone does:
1341 <programlisting>
1342 UPDATE shoelace_data SET sl_avail = 6 WHERE sl_name = 'sl7';
1343 </programlisting>
1345 and we look at the log table:
1347 <programlisting>
1348 SELECT * FROM shoelace_log;
1350 sl_name | sl_avail | log_who | log_when
1351 ---------+----------+---------+----------------------------------
1353 (1 row)
1354 </programlisting>
1355 </para>
1357 <para>
1358 That's what we expected. What happened in the background is the following.
1359 The parser created the query tree:
1361 <programlisting>
1362 UPDATE shoelace_data SET sl_avail = 6
1363 FROM shoelace_data shoelace_data
1364 WHERE shoelace_data.sl_name = 'sl7';
1365 </programlisting>
1367 There is a rule <literal>log_shoelace</literal> that is <literal>ON UPDATE</literal> with the rule
1368 qualification expression:
1370 <programlisting>
1371 NEW.sl_avail <> OLD.sl_avail
1372 </programlisting>
1374 and the action:
1376 <programlisting>
1377 INSERT INTO shoelace_log VALUES (
1378 new.sl_name, new.sl_avail,
1379 current_user, current_timestamp )
1380 FROM shoelace_data new, shoelace_data old;
1381 </programlisting>
1383 (This looks a little strange since you cannot normally write
1385 clause here is just to indicate that there are range-table entries
1387 These are needed so that they can be referenced by variables in
1389 </para>
1391 <para>
1393 has to return two query trees: the modified rule action and the original
1394 query tree. In step 1, the range table of the original query is
1395 incorporated into the rule's action query tree. This results in:
1397 <programlisting>
1398 INSERT INTO shoelace_log VALUES (
1399 new.sl_name, new.sl_avail,
1400 current_user, current_timestamp )
1401 FROM shoelace_data new, shoelace_data old,
1403 </programlisting>
1405 In step 2, the rule qualification is added to it, so the result set
1408 <programlisting>
1409 INSERT INTO shoelace_log VALUES (
1410 new.sl_name, new.sl_avail,
1411 current_user, current_timestamp )
1412 FROM shoelace_data new, shoelace_data old,
1413 shoelace_data shoelace_data
1415 </programlisting>
1419 difficulty with it. They need to support this same functionality
1421 </para>
1423 <para>
1424 In step 3, the original query tree's qualification is added,
1425 restricting the result set further to only the rows that would have been touched
1426 by the original query:
1428 <programlisting>
1429 INSERT INTO shoelace_log VALUES (
1430 new.sl_name, new.sl_avail,
1431 current_user, current_timestamp )
1432 FROM shoelace_data new, shoelace_data old,
1433 shoelace_data shoelace_data
1434 WHERE new.sl_avail <> old.sl_avail
1436 </programlisting>
1437 </para>
1439 <para>
1441 original query tree or by the matching variable references
1442 from the result relation:
1444 <programlisting>
1445 INSERT INTO shoelace_log VALUES (
1447 current_user, current_timestamp )
1448 FROM shoelace_data new, shoelace_data old,
1449 shoelace_data shoelace_data
1451 AND shoelace_data.sl_name = 'sl7';
1452 </programlisting>
1454 </para>
1456 <para>
1459 <programlisting>
1460 INSERT INTO shoelace_log VALUES (
1461 shoelace_data.sl_name, 6,
1462 current_user, current_timestamp )
1463 FROM shoelace_data new, shoelace_data old,
1464 shoelace_data shoelace_data
1466 AND shoelace_data.sl_name = 'sl7';
1467 </programlisting>
1468 </para>
1470 <para>
1472 original query tree. In short, the output from the rule system
1473 is a list of two query trees that correspond to these statements:
1475 <programlisting>
1476 INSERT INTO shoelace_log VALUES (
1477 shoelace_data.sl_name, 6,
1478 current_user, current_timestamp )
1479 FROM shoelace_data
1481 AND shoelace_data.sl_name = 'sl7';
1483 UPDATE shoelace_data SET sl_avail = 6
1484 WHERE sl_name = 'sl7';
1485 </programlisting>
1487 These are executed in this order, and that is exactly what
1488 the rule was meant to do.
1489 </para>
1491 <para>
1492 The substitutions and the added qualifications
1493 ensure that, if the original query would be, say:
1495 <programlisting>
1496 UPDATE shoelace_data SET sl_color = 'green'
1497 WHERE sl_name = 'sl7';
1498 </programlisting>
1500 no log entry would get written. In that case, the original query
1501 tree does not contain a target list entry for
1504 command generated by the rule is:
1506 <programlisting>
1507 INSERT INTO shoelace_log VALUES (
1509 current_user, current_timestamp )
1510 FROM shoelace_data
1512 AND shoelace_data.sl_name = 'sl7';
1513 </programlisting>
1515 and that qualification will never be true.
1516 </para>
1518 <para>
1519 It will also work if the original query modifies multiple rows. So
1520 if someone issued the command:
1522 <programlisting>
1523 UPDATE shoelace_data SET sl_avail = 0
1524 WHERE sl_color = 'black';
1525 </programlisting>
1527 four rows in fact get updated (<literal>sl1</literal>, <literal>sl2</literal>, <literal>sl3</literal>, and <literal>sl4</literal>).
1528 But <literal>sl3</literal> already has <literal>sl_avail = 0</literal>. In this case, the original
1529 query trees qualification is different and that results
1530 in the extra query tree:
1532 <programlisting>
1533 INSERT INTO shoelace_log
1534 SELECT shoelace_data.sl_name, 0,
1535 current_user, current_timestamp
1536 FROM shoelace_data
1539 </programlisting>
1541 being generated by the rule. This query tree will surely insert
1542 three new log entries. And that's absolutely correct.
1543 </para>
1545 <para>
1546 Here we can see why it is important that the original query tree
1548 executed first, all the rows would have already been set to zero, so the
1551 </para>
1552 </sect3>
1554 </sect2>
1559 <indexterm zone="rules-update-views"><primary>view</primary><secondary>updating</secondary></indexterm>
1561 <para>
1562 A simple way to protect view relations from the mentioned
1565 to let those query trees get thrown away. So we could create the rules:
1567 <programlisting>
1568 CREATE RULE shoe_ins_protect AS ON INSERT TO shoe
1569 DO INSTEAD NOTHING;
1570 CREATE RULE shoe_upd_protect AS ON UPDATE TO shoe
1571 DO INSTEAD NOTHING;
1572 CREATE RULE shoe_del_protect AS ON DELETE TO shoe
1573 DO INSTEAD NOTHING;
1574 </programlisting>
1576 If someone now tries to do any of these operations on the view
1578 apply these rules. Since the rules have
1580 query trees will be empty and the whole query will become
1581 nothing because there is nothing left to be optimized or
1582 executed after the rule system is done with it.
1583 </para>
1585 <para>
1586 A more sophisticated way to use the rule system is to
1587 create rules that rewrite the query tree into one that
1588 does the right operation on the real tables. To do that
1590 the following rules:
1592 <programlisting>
1593 CREATE RULE shoelace_ins AS ON INSERT TO shoelace
1594 DO INSTEAD
1595 INSERT INTO shoelace_data VALUES (
1596 NEW.sl_name,
1597 NEW.sl_avail,
1598 NEW.sl_color,
1599 NEW.sl_len,
1600 NEW.sl_unit
1601 );
1603 CREATE RULE shoelace_upd AS ON UPDATE TO shoelace
1604 DO INSTEAD
1605 UPDATE shoelace_data
1606 SET sl_name = NEW.sl_name,
1607 sl_avail = NEW.sl_avail,
1608 sl_color = NEW.sl_color,
1609 sl_len = NEW.sl_len,
1610 sl_unit = NEW.sl_unit
1611 WHERE sl_name = OLD.sl_name;
1613 CREATE RULE shoelace_del AS ON DELETE TO shoelace
1614 DO INSTEAD
1615 DELETE FROM shoelace_data
1616 WHERE sl_name = OLD.sl_name;
1617 </programlisting>
1618 </para>
1620 <para>
1623 compute the view rows. This is usually pretty trivial for views on a
1624 single table, but it's a bit tedious for join views such as
1627 <programlisting>
1628 CREATE RULE shoelace_ins AS ON INSERT TO shoelace
1629 DO INSTEAD
1630 INSERT INTO shoelace_data VALUES (
1631 NEW.sl_name,
1632 NEW.sl_avail,
1633 NEW.sl_color,
1634 NEW.sl_len,
1635 NEW.sl_unit
1636 )
1637 RETURNING
1638 shoelace_data.*,
1639 (SELECT shoelace_data.sl_len * u.un_fact
1640 FROM unit u WHERE shoelace_data.sl_unit = u.un_name);
1641 </programlisting>
1646 </para>
1648 <para>
1651 pseudorelations added as extra range table entries to the rewritten
1652 query, rather than old/new rows in the result relation. Thus, for
1658 which might be confusing. To avoid this confusion, and support returning
1660 clause in the rule definition should refer to entries from the result
1663 </para>
1665 <para>
1666 Now assume that once in a while, a pack of shoelaces arrives at
1667 the shop and a big parts list along with it. But you don't want
1669 time. Instead we set up two little tables: one where you can
1670 insert the items from the part list, and one with a special
1671 trick. The creation commands for these are:
1673 <programlisting>
1674 CREATE TABLE shoelace_arrive (
1675 arr_name text,
1676 arr_quant integer
1677 );
1679 CREATE TABLE shoelace_ok (
1680 ok_name text,
1681 ok_quant integer
1682 );
1684 CREATE RULE shoelace_ok_ins AS ON INSERT TO shoelace_ok
1685 DO INSTEAD
1686 UPDATE shoelace
1687 SET sl_avail = sl_avail + NEW.ok_quant
1688 WHERE sl_name = NEW.ok_name;
1689 </programlisting>
1692 the data from the parts list:
1694 <programlisting>
1695 SELECT * FROM shoelace_arrive;
1697 arr_name | arr_quant
1698 ----------+-----------
1699 sl3 | 10
1700 sl6 | 20
1701 sl8 | 20
1702 (3 rows)
1703 </programlisting>
1705 Take a quick look at the current data:
1707 <programlisting>
1708 SELECT * FROM shoelace;
1710 sl_name | sl_avail | sl_color | sl_len | sl_unit | sl_len_cm
1711 ----------+----------+----------+--------+---------+-----------
1720 (8 rows)
1721 </programlisting>
1723 Now move the arrived shoelaces in:
1725 <programlisting>
1726 INSERT INTO shoelace_ok SELECT * FROM shoelace_arrive;
1727 </programlisting>
1729 and check the results:
1731 <programlisting>
1732 SELECT * FROM shoelace ORDER BY sl_name;
1734 sl_name | sl_avail | sl_color | sl_len | sl_unit | sl_len_cm
1735 ----------+----------+----------+--------+---------+-----------
1744 (8 rows)
1746 SELECT * FROM shoelace_log;
1748 sl_name | sl_avail | log_who| log_when
1749 ---------+----------+--------+----------------------------------
1754 (4 rows)
1755 </programlisting>
1756 </para>
1758 <para>
1760 to these results. And the description of the query-tree
1761 transformation will be the last in this chapter. First, there is
1762 the parser's output:
1764 <programlisting>
1765 INSERT INTO shoelace_ok
1766 SELECT shoelace_arrive.arr_name, shoelace_arrive.arr_quant
1767 FROM shoelace_arrive shoelace_arrive, shoelace_ok shoelace_ok;
1768 </programlisting>
1771 into:
1773 <programlisting>
1774 UPDATE shoelace
1775 SET sl_avail = shoelace.sl_avail + shoelace_arrive.arr_quant
1776 FROM shoelace_arrive shoelace_arrive, shoelace_ok shoelace_ok,
1777 shoelace_ok old, shoelace_ok new,
1778 shoelace shoelace
1779 WHERE shoelace.sl_name = shoelace_arrive.arr_name;
1780 </programlisting>
1784 the rule system again, and the second applied rule
1787 <programlisting>
1788 UPDATE shoelace_data
1789 SET sl_name = shoelace.sl_name,
1790 sl_avail = shoelace.sl_avail + shoelace_arrive.arr_quant,
1791 sl_color = shoelace.sl_color,
1792 sl_len = shoelace.sl_len,
1793 sl_unit = shoelace.sl_unit
1794 FROM shoelace_arrive shoelace_arrive, shoelace_ok shoelace_ok,
1795 shoelace_ok old, shoelace_ok new,
1796 shoelace shoelace, shoelace old,
1797 shoelace new, shoelace_data shoelace_data
1798 WHERE shoelace.sl_name = shoelace_arrive.arr_name
1799 AND shoelace_data.sl_name = shoelace.sl_name;
1800 </programlisting>
1804 But the rule system isn't finished with this step, so it continues
1807 <programlisting>
1808 UPDATE shoelace_data
1809 SET sl_name = s.sl_name,
1810 sl_avail = s.sl_avail + shoelace_arrive.arr_quant,
1811 sl_color = s.sl_color,
1812 sl_len = s.sl_len,
1813 sl_unit = s.sl_unit
1814 FROM shoelace_arrive shoelace_arrive, shoelace_ok shoelace_ok,
1815 shoelace_ok old, shoelace_ok new,
1816 shoelace shoelace, shoelace old,
1817 shoelace new, shoelace_data shoelace_data,
1818 shoelace old, shoelace new,
1819 shoelace_data s, unit u
1820 WHERE s.sl_name = shoelace_arrive.arr_name
1821 AND shoelace_data.sl_name = s.sl_name;
1822 </programlisting>
1825 producing the extra query tree:
1827 <programlisting>
1828 INSERT INTO shoelace_log
1829 SELECT s.sl_name,
1830 s.sl_avail + shoelace_arrive.arr_quant,
1831 current_user,
1832 current_timestamp
1833 FROM shoelace_arrive shoelace_arrive, shoelace_ok shoelace_ok,
1834 shoelace_ok old, shoelace_ok new,
1835 shoelace shoelace, shoelace old,
1836 shoelace new, shoelace_data shoelace_data,
1837 shoelace old, shoelace new,
1838 shoelace_data s, unit u,
1839 shoelace_data old, shoelace_data new
1840 shoelace_log shoelace_log
1841 WHERE s.sl_name = shoelace_arrive.arr_name
1842 AND shoelace_data.sl_name = s.sl_name
1843 AND (s.sl_avail + shoelace_arrive.arr_quant) <> s.sl_avail;
1844 </programlisting>
1846 After that the rule system runs out of rules and returns the
1847 generated query trees.
1848 </para>
1850 <para>
1851 So we end up with two final query trees that are equivalent to the
1854 <programlisting>
1855 INSERT INTO shoelace_log
1856 SELECT s.sl_name,
1857 s.sl_avail + shoelace_arrive.arr_quant,
1858 current_user,
1859 current_timestamp
1860 FROM shoelace_arrive shoelace_arrive, shoelace_data shoelace_data,
1861 shoelace_data s
1862 WHERE s.sl_name = shoelace_arrive.arr_name
1863 AND shoelace_data.sl_name = s.sl_name
1864 AND s.sl_avail + shoelace_arrive.arr_quant <> s.sl_avail;
1866 UPDATE shoelace_data
1867 SET sl_avail = shoelace_data.sl_avail + shoelace_arrive.arr_quant
1868 FROM shoelace_arrive shoelace_arrive,
1869 shoelace_data shoelace_data,
1870 shoelace_data s
1871 WHERE s.sl_name = shoelace_arrive.sl_name
1872 AND shoelace_data.sl_name = s.sl_name;
1873 </programlisting>
1875 The result is that data coming from one relation inserted into another,
1876 changed into updates on a third, changed into updating
1877 a fourth plus logging that final update in a fifth
1878 gets reduced into two queries.
1879 </para>
1881 <para>
1882 There is a little detail that's a bit ugly. Looking at the two
1884 relation appears twice in the range table where it could
1885 definitely be reduced to one. The planner does not handle it and
1886 so the execution plan for the rule systems output of the
1890 Nested Loop
1891 -> Merge Join
1892 -> Seq Scan
1893 -> Sort
1894 -> Seq Scan on s
1895 -> Seq Scan
1896 -> Sort
1897 -> Seq Scan on shoelace_arrive
1898 -> Seq Scan on shoelace_data
1899 </literallayout>
1901 while omitting the extra range table entry would result in a
1904 Merge Join
1905 -> Seq Scan
1906 -> Sort
1907 -> Seq Scan on s
1908 -> Seq Scan
1909 -> Sort
1910 -> Seq Scan on shoelace_arrive
1911 </literallayout>
1913 which produces exactly the same entries in the log table. Thus,
1914 the rule system caused one extra scan on the table
1916 necessary. And the same redundant scan is done once more in the
1918 that all possible at all.
1919 </para>
1921 <para>
1922 Now we make a final demonstration of the
1924 Say you add some shoelaces with extraordinary colors to your
1925 database:
1927 <programlisting>
1930 </programlisting>
1932 We would like to make a view to check which
1934 The view for this is:
1936 <programlisting>
1937 CREATE VIEW shoelace_mismatch AS
1938 SELECT * FROM shoelace WHERE NOT EXISTS
1939 (SELECT shoename FROM shoe WHERE slcolor = sl_color);
1940 </programlisting>
1942 Its output is:
1944 <programlisting>
1945 SELECT * FROM shoelace_mismatch;
1947 sl_name | sl_avail | sl_color | sl_len | sl_unit | sl_len_cm
1948 ---------+----------+----------+--------+---------+-----------
1951 </programlisting>
1952 </para>
1954 <para>
1955 Now we want to set it up so that mismatching shoelaces that are
1956 not in stock are deleted from the database.
1958 we don't delete it directly. Instead we create one more view:
1960 <programlisting>
1961 CREATE VIEW shoelace_can_delete AS
1962 SELECT * FROM shoelace_mismatch WHERE sl_avail = 0;
1963 </programlisting>
1965 and do it this way:
1967 <programlisting>
1968 DELETE FROM shoelace WHERE EXISTS
1969 (SELECT * FROM shoelace_can_delete
1970 WHERE sl_name = shoelace.sl_name);
1971 </programlisting>
1973 The results are:
1975 <programlisting>
1976 SELECT * FROM shoelace;
1978 sl_name | sl_avail | sl_color | sl_len | sl_unit | sl_len_cm
1979 ---------+----------+----------+--------+---------+-----------
1989 (9 rows)
1990 </programlisting>
1991 </para>
1993 <para>
1995 in total uses 4 nesting/joined views, where one of them
1996 itself has a subquery qualification containing a view
1997 and where calculated view columns are used,
1998 gets rewritten into
1999 one single query tree that deletes the requested data
2000 from a real table.
2001 </para>
2003 <para>
2004 There are probably only a few situations out in the real world
2005 where such a construct is necessary. But it makes you feel
2006 comfortable that it works.
2007 </para>
2008 </sect2>
2010 </sect1>
2018 </indexterm>
2023 </indexterm>
2025 <para>
2027 rule system, other tables/views than those used in the original
2028 query get accessed. When update rules are used, this can include write access
2029 to tables.
2030 </para>
2032 <para>
2033 Rewrite rules don't have a separate owner. The owner of
2034 a relation (table or view) is automatically the owner of the
2035 rewrite rules that are defined for it.
2037 behavior of the default access control system. With the exception of
2040 all relations that are used due to rules get checked against the
2041 privileges of the rule owner, not the user invoking the rule.
2042 This means that, except for security invoker views, users only need the
2043 required privileges for the tables/views that are explicitly named in
2044 their queries.
2045 </para>
2047 <para>
2048 For example: A user has a list of phone numbers where some of
2049 them are private, the others are of interest for the assistant of the office.
2050 The user can construct the following:
2052 <programlisting>
2053 CREATE TABLE phone_data (person text, phone text, private boolean);
2054 CREATE VIEW phone_number AS
2055 SELECT person, CASE WHEN NOT private THEN phone END AS phone
2056 FROM phone_data;
2057 GRANT SELECT ON phone_number TO assistant;
2058 </programlisting>
2060 Nobody except that user (and the database superusers) can access the
2066 Since the user is the owner of
2069 privileges and the query is permitted. The check for accessing
2071 against the invoking user, so nobody but the user and the
2072 assistant can use it.
2073 </para>
2075 <para>
2076 The privileges are checked rule by rule. So the assistant is for now the
2077 only one who can see the public phone numbers. But the assistant can set up
2078 another view and grant access to that to the public. Then, anyone
2080 What the assistant cannot do is to create a view that directly
2081 accesses <literal>phone_data</literal>. (Actually the assistant can, but it will not work since
2082 every access will be denied during the permission checks.)
2083 And as soon as the user notices that the assistant opened
2084 their <literal>phone_number</literal> view, the user can revoke the assistant's access. Immediately, any
2085 access to the assistant's view would fail.
2086 </para>
2088 <para>
2089 One might think that this rule-by-rule checking is a security
2090 hole, but in fact it isn't. But if it did not work this way, the assistant
2092 copy the data to there once per day. Then it's the assistant's own data and
2093 the assistant can grant access to everyone they want. A
2095 If someone you trust does the thing above, it's time to
2097 </para>
2099 <para>
2100 Note that while views can be used to hide the contents of certain
2101 columns using the technique shown above, they cannot be used to reliably
2102 conceal the data in unseen rows unless the
2104 the following view is insecure:
2105 <programlisting>
2106 CREATE VIEW phone_number AS
2107 SELECT person, phone FROM phone_data WHERE phone NOT LIKE '412%';
2108 </programlisting>
2109 This view might seem secure, since the rule system will rewrite any
2113 with 412 are wanted. But if the user can create their own functions,
2114 it is not difficult to convince the planner to execute the user-defined
2116 For example:
2117 <programlisting>
2118 CREATE FUNCTION tricky(text, text) RETURNS bool AS $$
2119 BEGIN
2121 RETURN true;
2122 END;
2123 $$ LANGUAGE plpgsql COST 0.0000000000000000000001;
2125 SELECT * FROM phone_number WHERE tricky(person, phone);
2126 </programlisting>
2131 prevented from defining new functions, built-in functions can be used in
2132 similar attacks. (For example, most casting functions include their
2133 input values in the error messages they produce.)
2134 </para>
2136 <para>
2137 Similar considerations apply to update rules. In the examples of
2138 the previous section, the owner of the tables in the example
2143 write log entries will still be executed successfully, and that
2144 other user could see the log entries. But they could not create fake
2145 entries, nor could they manipulate or remove existing ones. In this
2146 case, there is no possibility of subverting the rules by convincing
2147 the planner to alter the order of operations, because the only rule
2150 </para>
2152 <para>
2153 When it is necessary for a view to provide row-level security, the
2155 the view. This prevents maliciously-chosen functions and operators from
2156 being passed values from rows until after the view has done its work. For
2157 example, if the view shown above had been created like this, it would
2158 be secure:
2159 <programlisting>
2160 CREATE VIEW phone_number WITH (security_barrier) AS
2161 SELECT person, phone FROM phone_data WHERE phone NOT LIKE '412%';
2162 </programlisting>
2164 far worse than views created without this option. In general, there is
2165 no way to avoid this: the fastest possible plan must be rejected
2166 if it may compromise security. For this reason, this option is not
2167 enabled by default.
2168 </para>
2170 <para>
2171 The query planner has more flexibility when dealing with functions that
2173 include many simple, commonly used operators, such as many equality
2174 operators. The query planner can safely allow such functions to be evaluated
2175 at any point in the query execution process, since invoking them on rows
2176 invisible to the user will not leak any information about the unseen rows.
2177 Further, functions which do not take arguments or which are not passed any
2178 arguments from the security barrier view do not have to be marked as
2180 from the view. In contrast, a function that might throw an error depending
2181 on the values received as arguments (such as one that throws an error in the
2182 event of overflow or division by zero) is not leakproof, and could provide
2183 significant information about the unseen rows if applied before the security
2184 view's row filters.
2185 </para>
2187 <para>
2188 For example, an index scan cannot be selected for queries on security
2189 barrier views (or tables with row-level security policies) if an
2191 operator family of the index, but its underlying function is not marked
2194 meta-command is useful to list operator families and determine which of
2195 their operators are marked as leakproof.
2196 </para>
2198 <para>
2199 It is important to understand that even a view created with the
2201 in the limited sense that the contents of the invisible tuples will not be
2202 passed to possibly-insecure functions. The user may well have other means
2203 of making inferences about the unseen data; for example, they can see the
2205 queries against the view. A malicious attacker might be able to infer
2206 something about the amount of unseen data, or even gain some information
2207 about the data distribution or most common values (since these things may
2208 affect the run time of the plan; or even, since they are also reflected in
2209 the optimizer statistics, the choice of plan). If these types of "covert
2210 channel" attacks are of concern, it is probably unwise to grant any access
2211 to the data at all.
2212 </para>
2213 </sect1>
2218 <para>
2221 command it receives. This is simple enough when there are no rules
2222 involved, but what happens when the query is rewritten by rules?
2223 </para>
2225 <para>
2226 Rules affect the command status as follows:
2228 <itemizedlist>
2229 <listitem>
2230 <para>
2232 the originally given query will be executed, and its command
2233 status will be returned as usual. (But note that if there were
2235 will have been added to the original query. This might reduce the
2236 number of rows it processes, and if so the reported status will
2237 be affected.)
2238 </para>
2239 </listitem>
2241 <listitem>
2242 <para>
2244 the original query will not be executed at all. In this case,
2245 the server will return the command status for the last query
2247 unconditional) and is of the same command type
2250 meeting those requirements is added by any rule, then the
2251 returned command status shows the original query type and
2252 zeroes for the row-count and OID fields.
2253 </para>
2254 </listitem>
2255 </itemizedlist>
2256 </para>
2258 <para>
2260 that sets the command status in the second case, by giving it the
2261 alphabetically last rule name among the active rules, so that it
2262 gets applied last.
2263 </para>
2264 </sect1>
2272 </indexterm>
2277 </indexterm>
2279 <para>
2280 Many things that can be done using triggers can also be
2282 rule system. One of the things that cannot be implemented by
2283 rules are some kinds of constraints, especially foreign keys. It is possible
2285 if the value of a column does not appear in another table.
2286 But then the data is silently thrown away and that's
2287 not a good idea. If checks for valid values are required,
2288 and in the case of an invalid value an error message should
2289 be generated, it must be done by a trigger.
2290 </para>
2292 <para>
2293 In this chapter, we focused on using rules to update views. All of
2294 the update rule examples in this chapter can also be implemented
2296 triggers is often easier than writing rules, particularly if complex
2297 logic is required to perform the update.
2298 </para>
2300 <para>
2301 For the things that can be implemented by both, which is best
2302 depends on the usage of the database.
2303 A trigger is fired once for each affected row. A rule modifies
2304 the query or generates an additional query. So if many
2305 rows are affected in one statement, a rule issuing one extra
2306 command is likely to be faster than a trigger that is
2307 called for every single row and must re-determine what to do
2308 many times. However, the trigger approach is conceptually far
2309 simpler than the rule approach, and is easier for novices to get right.
2310 </para>
2312 <para>
2313 Here we show an example of how the choice of rules versus triggers
2314 plays out in one situation. There are two tables:
2316 <programlisting>
2317 CREATE TABLE computer (
2318 hostname text, -- indexed
2319 manufacturer text -- indexed
2320 );
2322 CREATE TABLE software (
2323 software text, -- indexed
2324 hostname text -- indexed
2325 );
2326 </programlisting>
2328 Both tables have many thousands of rows and the indexes on
2331 that reference a deleted computer. The trigger would use this command:
2333 <programlisting>
2334 DELETE FROM software WHERE hostname = $1;
2335 </programlisting>
2337 Since the trigger is called for each individual row deleted from
2340 parameter. The rule would be written as:
2342 <programlisting>
2343 CREATE RULE computer_del AS ON DELETE TO computer
2344 DO DELETE FROM software WHERE hostname = OLD.hostname;
2345 </programlisting>
2346 </para>
2348 <para>
2349 Now we look at different types of deletes. In the case of a:
2351 <programlisting>
2352 DELETE FROM computer WHERE hostname = 'mypc.local.net';
2353 </programlisting>
2356 command issued by the trigger would also use an index scan (also fast).
2357 The extra command from the rule would be:
2359 <programlisting>
2360 DELETE FROM software WHERE computer.hostname = 'mypc.local.net'
2361 AND software.hostname = computer.hostname;
2362 </programlisting>
2364 Since there are appropriate indexes set up, the planner
2365 will create a plan of
2368 Nestloop
2369 -> Index Scan using comp_hostidx on computer
2370 -> Index Scan using soft_hostidx on software
2371 </literallayout>
2373 So there would be not that much difference in speed between
2374 the trigger and the rule implementation.
2375 </para>
2377 <para>
2378 With the next delete we want to get rid of all the 2000 computers
2381 is:
2383 <programlisting>
2384 DELETE FROM computer WHERE hostname >= 'old'
2385 AND hostname < 'ole'
2386 </programlisting>
2388 The command added by the rule will be:
2390 <programlisting>
2392 AND software.hostname = computer.hostname;
2393 </programlisting>
2395 with the plan
2398 Hash Join
2399 -> Seq Scan on software
2400 -> Hash
2401 -> Index Scan using comp_hostidx on computer
2402 </literallayout>
2404 The other possible command is:
2406 <programlisting>
2407 DELETE FROM computer WHERE hostname ~ '^old';
2408 </programlisting>
2410 which results in the following executing plan for the command
2411 added by the rule:
2414 Nestloop
2415 -> Index Scan using comp_hostidx on computer
2416 -> Index Scan using soft_hostidx on software
2417 </literallayout>
2419 This shows, that the planner does not realize that the
2424 in the regular-expression version of the command. The trigger will
2425 get invoked once for each of the 2000 old computers that have to be
2426 deleted, and that will result in one index scan over
2429 commands that use indexes. And it depends on the overall size of
2431 sequential scan situation. 2000 command executions from the trigger over the SPI
2432 manager take some time, even if all the index blocks will soon be in the cache.
2433 </para>
2435 <para>
2436 The last command we look at is:
2438 <programlisting>
2439 DELETE FROM computer WHERE manufacturer = 'bim';
2440 </programlisting>
2442 Again this could result in many rows to be deleted from
2444 through the executor. The command generated by the rule will be:
2446 <programlisting>
2447 DELETE FROM software WHERE computer.manufacturer = 'bim'
2448 AND software.hostname = computer.hostname;
2449 </programlisting>
2451 The plan for that command will again be the nested loop over two
2454 <programlisting>
2455 Nestloop
2456 -> Index Scan using comp_manufidx on computer
2457 -> Index Scan using soft_hostidx on software
2458 </programlisting>
2460 In any of these cases, the extra commands from the rule system
2461 will be more or less independent from the number of affected rows
2462 in a command.
2463 </para>
2465 <para>
2466 The summary is, rules will only be significantly slower than
2467 triggers if their actions result in large and badly qualified
2468 joins, a situation where the planner fails.
2469 </para>
2470 </sect1>
2472 </chapter>